Companies often require individuals to provide access to their personal data in order to access products and services. In some circumstances, an individual’s digital footprint and data might be shared with a third party either intentionally or unintentionally. These situations can lead to allegations that a personal data breach has occurred giving rise to a potential class action. Which in turn, may trigger a data breach or cyber security insurance policy.
In determining whether to certify an alleged privacy breach as a class action, the courts may be required to determine whether the claim can proceed where there is insufficient evidence to prove that a company, without the authorization of the end-user, intentionally or recklessly breached and invaded the end-user’s privacy. In Simpson v. Facebook, Inc., 2022 ONSC 1284, the Divisional Court considered this issue in relation to a proposed class action alleging the personal data of Canadian Facebook users was improperly shared with Cambridge Analytica.
The certification was dismissed by Justice Belobaba of the Ontario Superior Court for failure to satisfy the common issues requirements of the Class Proceedings Act, 1992. In particular, the requirement that “some evidence” was required to demonstrate that a Canadian user’s personal data was shared with Cambridge Analytica:
It follows that there is no basis in fact for any of the proposed common issues that ask whether the defendants invaded any class member’s privacy, whether at common law under the tort of intrusion upon seclusion or in breach of provincial privacy statutes. None of these PCIs can be certified. Absent common issues, there is no justification for a class proceeding.
Justice Belobaba reiterated the importance of protecting the privacy of individuals and their personal data, while at the same time acknowledging the court’s role as a gatekeeper for allowing class actions to proceed.
The plaintiff appealed the decision of Justice Belobaba to the Ontario Divisional Court, which upheld the decision refusing to certify the class action.
In its analysis, the Divisional Court acknowledged that the motion judge is entitled to substantial deference. The court held the motion judge correctly applied the certification test and held that it was not an error to focus of the s.5 (1)(c) common issues requirement, as failure to meet one of the requirements is fatal.
The court held that the motion judge applied the legal principals and was consistent with case law with respect to certification motions. Moreover, the court held the motions judge did not require the appellant to show an actual breach of privacy, but found that as there was no basis in fact for the core allegation on which the claim and common issues depended the certification had to be dismissed.
The appeal was dismissed with costs to the respondents.
The Divisional Court’s decision demonstrates that even though there is a low bar for the certification of a class action, it is a hurdle that still must be overcome in order to successfully advance a claim. Moreover, the decision is consistent with trends from Canadian courts to act as gatekeepers where class actions are commenced on speculative grounds, where there is insufficient evidence to support the cause of action, or damages are difficult to quantify.
Businesses involved in the collection or commercialization of personal information should ensure they have clear policies in place to protect against data breaches and bring to the attention of the end users how their data might be used in order to mitigate against future risks involving potential privacy breaches.
 There is no recognized common law tort for breach of privacy, including intrusion upon seclusion in British Columbia. Tucci v. Peoples Trust Company, 2020 BCCA 246.
 Simson v. Facebook, supra at para 45.