BC Court of Appeal upholds class action certification in Capital One data breach case

The claims of intrusion upon seclusion and breach of confidence were not actionable: court

BC Court of Appeal upholds class action certification in Capital One data breach case

The BC Court of Appeal dismissed both an appeal and cross-appeal regarding a class action certification for a data breach, affirming the trial judge's decision on multiple claims and jurisdictional issues.

The case involves a former Capital One customer seeking to sue the financial corporation for a data breach executed by hacker Paige Thompson in 2019. The court's decision reaffirmed the class action's original certification while addressing multiple claims and procedural contentions.

In 2019, Paige Thompson hacked into Capital One's database, accessing the personal and financial information of approximately six million Canadians and 100 million Americans. Duncan Campbell, a former customer of Capital One, initiated a class action lawsuit against the company, alleging negligence, breach of contract, and various privacy and consumer protection statute violations. He sought certification under the Class Proceedings Act, which the trial judge granted while dismissing certain claims such as intrusion upon seclusion and breach of confidence as bound to fail.

Campbell appealed the dismissal of these claims, while Capital One cross-appealed the certification of privacy-related claims and other aspects of the judge’s decision. Capital One argued that the trial judge erred in certifying privacy claims, asserting that British Columbia courts lacked jurisdiction over claims under privacy statutes from Manitoba and Newfoundland and Labrador. They also contended that the trial judge's finding of compensable loss for the class members was speculative and not supported by evidence.

The appeal court rejected Campbell's appeal, agreeing with the lower court that the claims of intrusion upon seclusion and breach of confidence were not actionable. The court noted that existing Canadian case law does not extend the tort of intrusion upon seclusion to data custodians like Capital One, who did not invade privacy by themselves but allegedly failed to protect data.

On the cross-appeal, the court upheld the trial judge’s decision that British Columbia courts have jurisdiction to hear claims under the privacy statutes of Manitoba, Newfoundland and Labrador. The court also found some basis, in fact, to conclude that class members had suffered compensable loss, particularly in relation to additional credit monitoring services obtained following the data breach.

The court emphasized that the “some basis in fact” requirement at the certification stage is not an assessment of the merits but rather a threshold to determine whether a class action is the preferable procedure. Given the evidence presented, including expert testimony and affidavits from affected individuals, the court found sufficient grounds to support the certification.

Recent articles & video

Vote for Canadian Lawyer's Top Regional Ontario firms

Privacy and access authorities gather in Toronto to address emerging issues

Federal Court limits trademark to dining services, excludes sit-down and take-out offerings

Ontario Court of Appeal denies mother's bid to prevent child's return to Bangladesh

PEI Court of Appeal affirms property transfer to heir did not require subdivision approval

NS Court of Appeal affirms doctors' right to judicial review in dispute with health authority

Most Read Articles

Federal Court overturns study permit denial, citing unreasonable focus on applicant’s career plans

Ontario court rejects child protection agency’s ‘speculation and gossip’, orders child’s return

Pre-hearing request to review law firm's fees in personal injury case is premature: BC Supreme Court

SK Court of King’s Bench dismisses personal injury claim due to inordinate delay