Privacy class actions 2021: More misuse-of-information claims, certification used as screening tool

What lawyers saw in privacy class actions over the last year

Privacy class actions 2021: More misuse-of-information claims, certification used as screening tool
Kirsten Thompson, Robert Carson

An uptick in misuse-of-information claims and recognition by courts that certification is a meaningful screening device, are among the trends lawyers saw in privacy class actions in 2021.

The proliferation of data breaches has coincided with the rise of the internet and digital technology. But in a number of decisions in 2021, judges have acknowledged that a privacy class action should not automatically follow from a data incident, says Robert Carson, a litigator at Osler. He adds that courts have also emphasized that evidence of harm to class members – “beyond speculation of possible harm or general inconvenience or frustration” – is a requirement for class actions.

While privacy class actions used to be composed primarily of privacy breaches, Kirsten Thompson says there has been a rise of claims around misuse of information. These claims are brought when a company collects personal information for one purpose, then uses it for another. This leads to allegations of inadequate consent and improper use and disclosure, says Thompson, who is national lead of the Transformative Technologies and Data Strategy group at Dentons.

“Companies are having to have a robust information governance practice: mapping out and understanding where personal information is coming from, going, and how it will be used and with whom it will be shared,” she says.

Along with class actions, individual privacy litigation is also on the rise, says Thompson. Enacted in 2021, Quebec’s Bill 64 includes a private right of action, “which will almost certainly result in more litigation,” she says.

Among the proposed class actions dismissed at the certification stage was Simpson v. Facebook, Inc., out of the Ontario Superior Court. The plaintiff had been granted carriage on behalf of Canadians who had their Facebook accounts shared with Cambridge Analytica. But Justice Edward Belobaba dismissed the certification motion, finding there was “no evidence on the record” that any Canadian had personal data shared with the data analytics firm.

“The dismissal of this certification motion is simply a reminder to class counsel that while certification remains a low hurdle it is nonetheless a hurdle,” said Justice Belobaba.

“Again, reinforcing the point that certification is meant to be a meaningful screening device,” says Carson, whose practice is focussed on corporate and securities litigation and class action defence.

Also stemming from the Cambridge Analytica scandal was Kish v. Facebook, Inc., in which Saskatchewan Court of Queen’s Bench Justice Timothy Keene denied the certification motion. In Québec, Facebook successfully defended a class action alleging its tools “illegally excluded certain users from employment and housing opportunities,” rejected as “hypothetical and speculative” by the court, said Osler’s Class Actions Legal Year in Review. Osler acted for Facebook in all three cases.

Two other decisions demonstrated how plaintiffs must present evidence of “actual harm” to be certified, said Osler’s article. At the Court of Queen’s Bench of Alberta, the proposed class action in Setoguchi v. Uber targeted the ride-hailing company because of a data breach. As there was no evidence the hacker had used anyone’s personal information, Associate Chief Justice John Rooke found there was no tangible harm, merely speculation that there might be loss or harm in the future.

In Setoguchi v. Uber, Justice Rooke described the “gatekeeping function of certification and the need to weed out unmeritorious and de minimis claims at the certification stage,” says Carson. He points to Justice Rooke’s statement in the decision: “I believe that there must be some evidence or basis in fact, in support of real, not de minimis compensable harm or loss, leading to a claim that is at least arguable and that certification must not be allowed without it. Otherwise, a class proceeding could be a mere fishing trip, based on speculation, without any evidence of fish being present.”

Lamoureux v. IIROC, from the Québec Superior Court, which dealt with an inspector who had lost a laptop containing information about thousands of Canadians, was similarly dismissed. No laptop was ever found and the class members “fears and worries” about the possible identity theft were deemed not to be injuries which rose above “general inconveniences,” said Osler’s article.

*with files from Elizabeth Raymer