Blog

B.C. Court of Appeal Finds that Allegedly Reckless Database Custodians may be Liable for "Wilful Violations" of Privacy Under the Privacy Act

July 16, 2024

Close

Written By Katherine Booth and Edward Hulshof

In a pair of decisions released on July 5, 2024, the B.C. Court of Appeal (BCCA) found that an alleged reckless failure to safeguard personal information may be sufficient to make out Privacy Act claims of "wilful violation" of privacy against database defendants who are victims of data hacks. In doing so, the BCCA interpreted statutory Privacy Act claims to be potentially broader than the common law tort of intrusion upon seclusion, which the Ontario Court of Appeal in its 2022 "trilogy" of decisions in Owsianik, Obodo and Winder limited to claims against the hacker who committed the "intrusion", not the database defendant who allegedly failed to prevent it.

In G.D. v South Coast British Columbia Transportation Authority, 2024 BCCA 252 [South Coast], the BCCA overturned the chambers judge’s finding that the plaintiff's claims under B.C.'s Privacy Act were bound to fail at the pleadings stage. In Campbell v Capital One Financial Corporation, 2024 BCCA 253 [Capital One], the same Division of the BCCA upheld the chambers judge's finding that claims under the British Columbia, Saskatchewan and Newfoundland Privacy Acts were not bound to fail.

In both decisions, the BCCA held it was at least arguable that an alleged "reckless" failure on the part of a database defendant to safeguard putative class members' private information could amount to a “wilful violation” of privacy under the Privacy Act. The Court commented that, while jurisprudence interpreting common law "intrusion" upon seclusion may ultimately be useful in interpreting the scope of a “wilful violation" of privacy under the Privacy Act, statutory Privacy Act claims and common law claims were not identical, and the common law jurisprudence did not make the Privacy Act claims bound to fail at the pleadings stage.

The BCCA also made broad statements expressing views on the policy goals of privacy claims and how they should evolve. In Capital One, the BCCA commented that "[a] purposive reading of the Privacy Acts may militate in favour of including data custodians within the statutory tort as society and technology evolve". In South Coast, the BCCA commented: "… I see the floodgates argument differently, and that is as a flood of unprotected personal information flowing out of the control of the persons whose information it is, and into the hands of bad actors, unless the law responds adequately."

Have time to read more?

Authors

Related Links



View Full Mobile Experience