Where Does Québec Stand in Terms of Privacy Class Actions?

Although the existing case law remains limited, privacy class actions in Québec are on the upswing. Major data breaches that have occurred over the course of 2019 have each given rise to applications for authorization (certification).

Furthermore, the existing case law imposes a relatively modest burden at the authorization stage: that of alleging that the cyberattack, data breach or communication of personal information complained of constituted a fault (or infringement) that caused the applicant to suffer compensable harm.

The Scope of Privacy Rights

In Québec, the right to privacy is explicitly recognized in article 5 of the Charter of Human Rights and Freedoms (“Québec Charter”).¹ The Civil Code of Québec (“C.C.Q.”) also provides at article 3 that every person has “the right to the respect of his name, reputation and privacy.”² The rights to reputation and privacy are further described at articles 35 to 41 of the C.C.Q.

Section 10 of Québec’s Act respecting the protection of personal information in the private sector (the “Private Sector Act”) states that “[a] person carrying on an enterprise must take the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed.”³

Section 63.1 of the Act respecting access to documents held by public bodies and the protection of personal information is substantially similar.⁴

Although these statutes do not provide a personal right of action to claim damages in the event of a statutory infringement, such an infringement could be invoked in the context of an extra-contractual claim brought under the general liability regime set out in article 1457 of the C.C.Q.

The Seven Principles Drawn by Québec Courts

Alleged infringements involving large numbers of people, such as a cyberattack, a major data breach or the unauthorized communication of personal information, can – and usually will – result in a class action brought pursuant to the Québec Code of Civil Procedure (“C.C.P.”).⁵

Québec courts adopt a flexible approach to the authorization of class actions. In Infineon Technologies AG v. Option consommateurs, the Supreme Court stated that “[w]hen undertaking an analysis with respect to the authorization of a class action, it is essential not to conflate or confound the authorization process with the trial of an authorized action on its merits. Each of these stages serves a different purpose [...].”⁶

Québec courts have ruled on a number of authorization applications from which important principles can be drawn.⁷

• The fact that an organization has sent a notice to clients regarding a breach of privacy can be used by an applicant to demonstrate an appearance of fault. In Larose v. National Bank of Canada, for instance, three portable computers were stolen from the Montreal headquarters of the National Bank of Canada. Shortly thereafter, the bank published a press release, which was followed by a letter to affected clients informing them of the theft and advising them to keep alert. The Superior Court of Québec noted that while the letter from the respondent did not necessarily constitute an admission in law, it did suggest that the proposed class action had a “good colour of right” that invited further analysis.⁸
  
  However, failure to inform its consumers or customers of a breach of their personal information could also justify the authorization of a class action, especially if the plaintiff is able to demonstrate that the breach had the effect of increasing the damage suffered or incurring additional damage.
• Allegations that personal information has been put at unnecessary risk can also be enough to demonstrate an appearance of fault. In Mazzonna v. DaimlerChrysler Financial Services Canada Inc. and Belley v. TD Auto Finance Services Inc./ Services de financement auto TD inc., which were based on the same incident, the Superior Court in both cases found that the applicants had demonstrated an appearance of fault by making a prima facie demonstration that the respondents did not meet their obligations to safely store and transfer personal information.⁹
• An organization’s failure to meet its own internal security requirements can also be used to demonstrate an appearance of a fault. In Sofio v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), the respondent admitted in a notice sent to the individuals concerned that the lost portable computer containing personal information on approximately 50,000 clients of brokerage firms was only guarded by one level of protection, even though their internal policies prescribed two levels of protection. The Superior Court, while it did not comment on this fact, found that the low burden of demonstration of an appearance of fault had been met.¹⁰
• Although allegations of actual identity theft and/or fraud stemming from the loss of personal information are not essential to demonstrating compensable harm, they often play an important role. For example, in Larose it was alleged that the identity of applicant Larose had been used by an unauthorized third party to obtain a loan and a number of credit cards.
  
  Likewise, in Belley, the applicant alleged that he was the victim of identity theft and that four vehicles had been purchased by a fraudster using a “void” cheque from his bank account remitted to a Chrysler dealer. In both cases, the Superior Court found that the applicant had successfully demonstrated an appearance of harm.¹¹
• Allegations of actual moral damages, absent allegations of identity theft or fraud, can also be sufficient to demonstrate compensable harm. But it is imperative that the allegations be sufficiently detailed. In Sofio CA, the Québec Court of Appeal noted that the applicant alleged three forms of harm: (i) stress; (ii) time spent monitoring his bank accounts, credit card statements, and mail more carefully; and (iii) time spent obtaining credit monitoring services from Equifax and TransUnion (paid for by the respondent). According to the Superior Court, these did not constitute sufficiently detailed allegations of harm.¹²
  
  More recently, in July of 2019, the Superior Court dismissed a data breach class action in Bourbonnière v. Yahoo! Inc.¹³  In this case, the applicant sought “to institute a class action on behalf of all persons residing in Québec whose personal and/or financial information was stolen from the Defendants as a result of cyberattacks which occurred after January 1, 2013.”¹⁴ The applicant also wanted “to represent all other persons, businesses, entities, corporations, financial institutions or banks who suffered damages or incurred expenses as a result of the data security incidents.”¹⁵ The Court refused to authorize the class action since the applicant failed to demonstrate having suffered any compensable harm and therefore the existence of an arguable case as “The law does not recognize upset, disgust, anxiety, agitation or other mental states that fall short of injury.”¹⁶
• Mere allegations of potential harm are not sufficient to justify the authorization of a class action. In Mazzonna, the applicant alleged that the respondent’s negligence caused her injuries, including “anxiety, inconvenience, pain, suffering and/or fear due to the loss of their personal information. Referring to the decision in Larose,¹⁷ the Superior Court underlined that the applicant’s allegations of potential harm should not be taken into consideration when assessing the prima facie existence of injury at the authorization stage.¹⁸
• The period of time that elapses between the loss of personal information and identity theft and/or fraud can be taken into consideration when assessing causation. In Belley, even though some facts pointed to a cause other than the loss of data for the identity theft alleged, the Superior Court decided that the very short space of time between the loss of the data and the incidence of identity theft was sufficient to establish “an arguable case for the [applicant]” at authorization.¹⁹

The costs and uncertainties of class action litigation – not to mention the legal disclosures, slumping stock price, and tarnished reputation which can follow in its wake – underscore the importance of proactive institutional planning when it comes to the collection, storage, communication, and securing of sensitive data and personal information.

BCF has specialized teams dedicated to Privacy and Data Protection and Class Action Defence that can advise you on these issues regardless of your industry or the legal circumstances in which find yourself. 

The authors are currently writing a book on privacy class actions in Canada for Thomson Reuters.

 

¹CQLR, c. C-12.
²C.C.Q., art. 3 [Emphasis added.].
³QPA, s. 10 [Emphasis added.].
⁴RLRQ, c A-2.1.
⁵CQLR, c. C-25.01
⁶[2013] 3 SCR 600, para. 58.
⁷Larose c. Banque Nationale du Canada, 2010 QCCS 5385 (Que. S.C.), per Beaugé J.C.S. (authorization granted); Mazzonna v. DaimlerChrysler Financial Services Canada Inc., 2012 QCCS 958 (Que. S.C.), per Lacoursière J.S.C. (authorization dismissed); Sofio c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2014 QCCS 4061 (Que. S.C.), per Prévost J.C.S. (authorization dismissed), 2015 QCCA 1820 (Que. C.A.), per Bich, Savard and Schrager J.C.A. (dismissal of authorization confirmed by the Court of Appeal); Belley v. TD Auto Finance Services Inc./ Services de financement auto TD inc., 2015 QCCS 168 (Que. S.C.), per Lacoursière J.S.C. (authorization granted), leave to appeal refused, 2015 QCCA 1255 (Que. C.A.).
⁸2010 QCCS 5385 at para. 26 (Que. S.C.), per Beaugé J.C.S. [hereinafter “Larose”].
⁹2012 QCCS 958 at paras. 24-30 (Que. S.C.), per Lacoursière J.S.C. [hereinafter “Mazzonna”]; 2015 QCCS 168 at paras. 54-55 (Que. S.C.), per Lacoursière J.S.C., leave to appeal refused, 2015 QCCA 1255 (Que. C.A.) [hereinafter “Belley”].
¹⁰2014 QCCS 4061 at para. 34 (Que. S.C.), per Prévost, J.C.S. [hereinafter “Sofio CS”].
¹¹Larose, at para. 26; Belley, at para. 66.
¹²Ibid., at para. 18.
¹³2019 QCCS 2624 [hereinafter “Bourbonnière”].
¹⁴Ibid, at para.1.
¹⁵Ibid.
¹⁶Ibid at para. 38, citing Mustapha v. Culligan of Canada Ltd., [2008] 2 SCR 114.
¹⁷Larose, at para. 27 [Emphasis added].
¹⁸Mazzonna, at para. 66.
¹⁹Belley at para. 61.