The Ontario Court of Appeal shut down the claim that a hack of database constitutes intrusion upon seclusion by the database operator, along with shutting down various other causes of action at the certification stage of a proposed class action.
In Del Giudice v. Thompson, 2024 ONCA 70, the appellants appealed a decision made by the motion judge dismissing their motion to certify their claim as a class action against Capital One (“Capital One”) and Amazon Web Services (“Amazon Web”).
The appellants’ claim alleged various torts against Capital One and Amazon Web for data misappropriation and data misuse, including intrusion upon seclusion, intentional or reckless misappropriation of personality, breaches of various privacy statutes and breaches of confidence, trust and fiduciary duty.
In terms of the factual background, Capital One required personal financial information on an application form for a credit card. This information included names, addresses, dates of birth, social insurance numbers, bank account numbers and credit histories. Capital One would retain the information from each application received. It would subsequently aggregate the data to generate inferences for marketing purposes. The data was then sold to third parties.
Amazon Web was contracted to store the personal financial information. The appellants alleged that one of the respondents, a former employee of Amazon Web, hacked the database and leaked the personal financial information and other confidential information of 106 million credit card applicants.
The appellants proposed a class action suit with respect to the data breach and filed a motion to certify the action as a class proceeding. The motion judge determined that the motion would be heard in phases.
In the first phase, the motion judge would determine whether the cause of action met the criterion set out in subsection 5(1)(a) of the Class Proceedings Act, effectively turning that phase into a pleadings motion regarding whether or not the claim disclosed a cause of action. During this first phase, the respondents would have the opportunity to challenge the statement of claim, but the respondents were directed not to deliver responding materials.
The respondent Capital One did however file a brief containing four documents, including the Capital One Privacy Policy, Ms. Del Giudice’s Application for Credit, a Credit Card Agreement, and a document entitled “Important Card Information.” The documents were pivotal in the motion judge’s analysis of the viability of some of the appellants’ substantive claims.
The Court of Appeal upheld the finding of the motion judge that the four documents were properly filed for the purposes of the s. 5(1)(a) hearing and the motion judge made no error in referencing them as though they were included in the pleadings.
With respect to the causes of action themselves, the appellants had separated them into two groups: data misuse claims and data breach claims.
The data misuse claims were comprised of intrusion upon seclusion, misappropriation of personality, conversion and breach of confidence, trust and fiduciary duty. The data breach claims were allegations of negligence and failure of a duty to warn, strict liability, negligent breach of contract and breach of statutory causes of action. The Court of Appeal shut down each and every one of them, upholding the decision of the motion judge that the claim was defective and should be struck without leave to amend.
With respect to intrusion on seclusion specifically, the motion judge had found it plain and obvious that there was no viable claim for intrusion upon seclusion since:
- The failure to prevent the intrusion could not itself be an intrusion;
- Even if the failure to prevent an intrusion could be considered an intrusion, then the intrusion was authorized by the terms of the application form, credit agreement and privacy policy, which were incorporated by reference into the pleading;
- The alleged misconduct of Capital One and Amazon Web was neither intentional nor reckless; and
- Capital One and Amazon Web’s alleged mistakes in safeguarding the appellants’ data did not give rise to the requisite degree of offense.
The Court of Appeal acknowledged its judgments in Owsianik, Obodo and Winder, which established that a hack of a database by a third party does not constitute intrusion upon seclusion by a database operator, since those judgments had been released after the motion was decided in this case.
However, on appeal the appellants were attempting to distinguish the above referenced trilogy on the basis that their claim was not based in negligent custodianship, but regarding the improper retention and misuse of data, which includes its improper aggregation and ultimate migration to a third-party platform.
The Court of Appeal held that, regardless, the claim could not succeed, as whether the alleged misdeeds of Capital One and Amazon are characterized as mistakes in safeguarding information or improper retention and misuse of that information, neither characterization satisfies a key element of intrusion on seclusion, namely that the conduct be of a highly offensive nature causing distress, humiliation or anguish to a reasonable person.
The Court of Appeal’s analysis on the remaining causes of action similarly upholds the reasoning of the motion judge, and the Court of Appeal deferred to the motion judge’s decision not to grant the appellants leave to amend the claim. With respect to the claim for negligence/duty to warn, the Court of Appeal held that the motion judge made no error in striking the claim on the principal basis that the appellants had not succeeded in pleading a compensable loss.
On the issue of leave, the Court specifically stated that it was no use to the appellants that the motion judge entertained the thought that the appellants could have pleaded a straightforward claim for breach of contract against Capital One, as not only were those straightforward claims not advanced, but they would have also hampered the claims the appellants chose to advance. They found that the motions judge correctly found that there was no purpose to be served in allowing the appellants another opportunity to recast the theory of liability.
A full copy of the reasons of the Ontario Court of Appeal in Del Giudice v. Thompson, 2024 ONCA 70 can be located here, including the substantive analysis on each of the proposed causes of action.
Key takeaways
- As referenced in the decision at paragraph 28, on a pleadings motion, what is in the pleadings and what is not in the pleadings matters. This case reinforces the importance of a well-crafted pleading where multiple causes of action are plead, and the consideration of how those causes of action interact.
- Similarly, the Court’s ruling that documents can be incorporated by reference to the pleading is notable. The documents incorporated by reference were relied on heavily by the motion judge in the analysis as to why the claim should be dismissed, even though the appellants argued that these documents were evidence and should not be considered on a pleadings motion.
- Despite the outcome, Del Giudice v. Thompson also offers yet another recent example of attempts to bring privacy/data breach claims grounded in tort by way of class action. All organizations should be reviewing policies and procedures regularly to ensure compliance with applicable legislation, to ensure they have appropriate security safeguards in place and proper processes in the event of a data breach.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.