On July 4, 2024, the B.C. Court of Appeal issued a duo of class action appeal decisions considering the potential scope of statutory and common law privacy claims against data custodians that fall victim to cyberattacks in data breach cases. In both G.D. v. South Coast British Columbia Transportation Authority (G.D.) and Campbell v. Capital One Financial Corporation (Campbell), the B.C. Court of Appeal affirmed that numerous causes of action may arguably be available even against data custodians innocent of any intentional wrongdoing, including the statutory tort of violation of privacy pursuant to the B.C. Privacy Act. These decisions follow the B.C. Court of Appeal’s decision earlier this year in Situmorang v. Google, LLC, in which the court left open the question of whether the tort of intrusion upon seclusion exists in B.C., in addition to the statutory tort of violation of privacy.

G.D. v. Translink

In G.D., the B.C. Supreme Court dismissed an application to certify a proposed class action against the South Coast British Columbia Transportation Authority (Translink) arising from a cyberattack in which the personal information of Translink’s employees and other third parties was allegedly compromised. Among other things, the B.C. Supreme Court found that the proposed class members did not have statutory claims against Translink for violation of privacy pursuant to the B.C. Privacy Act because their privacy was “wilfully” violated by third-party cyberattackers, not by Translink. The Court held that it was “clear” that the target of the statutory tort in a data breach case can only be the cyberattacker, not the data custodian.

On appeal, the B.C. Court of Appeal set aside the chambers judge’s decision on whether there was a viable cause of action under the B.C. Privacy Act. In doing so, the B.C. Court of Appeal stated that “it is at least arguable to claim against a data custodian who has collected plaintiffs’ private information but failed to safeguard it from an unrelated cyberattacker, that the data custodian has committed the statutory tort of wilful violation of privacy.” Without purporting to define the theoretical limits of the statutory tort, the B.C. Court of Appeal stated that it is “at least arguable” that the willfulness requirement “could include the mental state … of reckless failure to safeguard a person’s private information in the defendant’s possession, thereby enabling the information to be disclosed to other persons.” The B.C. Court of Appeal partially justified these conclusions by noting the quasi-constitutional status of privacy interests, the B.C. Privacy Act’s purpose of protecting these constitutionally recognized interests, the rapid growth of information collection and the potential for misuse.

Campbell v. Capital One

In Campbell, the B.C. Supreme Court granted an application to certify a proposed class action against Capital One, which also arose from a cyberattack in which the personal information of credit card applicants was allegedly compromised. Among other things, the B.C. Supreme Court held that 1) a negligent data custodian may be jointly and severally liable with a cyberattacker for the tort of intrusion upon seclusion, 2) breach of confidence was not sufficiently pleaded because the element of alleged misuse was missing, and 3) it has jurisdiction to adjudicate claims under other provinces’ privacy legislation.

On appeal, the B.C. Court of Appeal affirmed the chambers judge’s decision to certify the class proceeding. In doing so, it rejected the availability of joint and several liability between a negligent data custodian and a cyberattacker for moral damages, but declined to consider whether it might be available for compensatory damages. The Court rejected a cause of action for breach of confidence because no link was pleaded between the alleged misuse of data by the custodian (ongoing retention of confidential information) and the alleged harm to the proposed class members (conduct of the cyberattackers), and it also found that B.C. has subject matter jurisdiction over claims under other provinces’ privacy legislation.