On June 10, 2019, in a decision rendered by Justice Chantale Tremblay, the Superior Court of Québec refused to authorize Plaintiff Brigitte Bourbonnière's application for authorization to institute a class action. In a 16-page judgment, the Court reaffirmed that plaintiffs have the burden of establishing a prima facie case for the existence of tangible injury and recoverable damages when they apply for authorization of a class action.

On January 31, 2017, an application for authorization to bring a class action against Yahoo! Inc. and Yahoo! Canada Co. (collectively "Yahoo!") was filed on behalf of all persons residing in Québec whose personal and/or financial information was lost by and/or stolen from Yahoo! as a result of data breaches that occurred between January 1, 2013 to the present and all other persons who suffered damages or incurred expenses as a result of these data breaches.

Context

In 2016, Yahoo! announced that sensitive personal account information associated with at least 500 million user accounts had been stolen. On December 16, 2016, a Notice of Action was filed by Natalia Karasik in Ontario. Then, on January 31, 2017, an application for authorization to institute a class action was filed in Québec by Michel Demers. On September 19, 2017, the Québec Superior Court dismissed an Application to Stay the class proceedings due to the existence of the Ontario action on the grounds that the proposed class members were not identical due to the inclusion of collateral victims in the Québec proceedings.

On March 16, 2018, Demers was substituted by Brigitte Bourbonnière by way of an Amended Application for Authorization to Institute a Class Action and to Appoint a Representative Plaintiff.

Imprecise and Excessively Broad Class

Justice Tremblay pointed out that a class description must be based on objective criteria that are rational and not imprecise. It must allow a person to know whether or not he or she is a class member. As the proposed class period did not include an end date, it defeated this purpose. Justice Tremblay therefore ruled that the authorization judgment would provide an end date for the class period. She also found that the proposed class was excessively broad, and that no demonstration had been made that collateral victims existed who had suffered damage or incurred expenses as a result of the data breaches. The proposed subclass was therefore removed from the class description.

Compensable Injury and Recoverable Damages

As part of her analysis of the authorization criteria set out in the Code of Civil Procedure (CCP), Justice Tremblay considered the requirement of article 575 (2) that the alleged facts must appear to justify the conclusions sought. In this respect, the Plaintiff had alleged that her Yahoo! account was compromised as a result of the 2013 data breach and that Yahoo! was negligent by failing to protect her personal and financial information.

Relying on Sofio v. OCRCVM,1 Justice Tremblay reiterated that the demonstration of an alleged fault does not presuppose the existence of prejudice. Ultimately, the Plaintiff failed to demonstrate that she had incurred a compensable injury as a result of the 2013 data breach. As a matter of fact, the Plaintiff's discovery demonstrated that she had no reason to believe that she had been the victim of identity theft or fraud, as she had not identified any suspicious charges on either her debit or credit cards. She continued using her Yahoo! account and admitted not having purchased any identity protection services.

As such, the only prejudice suffered by the Plaintiff related to the inconvenience of having to change her passwords with respect to all of the accounts associated with her Yahoo! email address and the alleged embarrassment suffered as a result of spam emails that were sent to her friends. The Court was of the view that such prejudice was insufficient to justify a class action.

Justice Tremblay took guidance from the Supreme Court precedent in Mustapha2 that compensable injury must be "serious and prolonged" and must rise above ordinary annoyances, anxieties and fears. She then again cited Sofio, regarding the arguments that he had to monitor his bank accounts, credit card statements and email accounts for irregularities. In that case, the Court of Appeal found these to be the usual actions of taken by reasonable person seeking to protect their assets.

Proper Representation of the Class Members

The Court found that having failed to meet the requirement of 575 (2) CCP, the Plaintiff did not meet that of 575 (4) either. Having incurred no compensable injury as a result of the data breach, the Plaintiff did not meet the arguable case requirement, and also lacked the required interest to adequately represent the proposed class.

The Court refused to authorize the proposed class action because the criteria of articles 575 (2) and (4) CCP were not met.

Conclusion

Bourbonnière v. Yahoo! Inc. reaffirms the Court of Appeal's view in Sofio that a prima facie demonstration that a security breach occurred is not in and of itself enough to permit authorization of a class action in Québec. Demonstrating an arguable case must also demonstrate the existence of tangible harm and recoverable damages. Embarrassment, inconveniences or mental distress do not constitute prejudice under Québec civil law while class actions are an ordinary remedy whose purpose is to promote social justice, in order to be authorized to proceed in this basis an applicant must at a minimum be able to demonstrate that he or she has suffered a prejudice which is compensable under Québec civil law.3

Footnotes

[1] 2015 QCCA 1820 [Sofio].

[2] 2008 SCC 27.

[3] L'Oratoire Saint-Joseph du Mont-Royal v. J.J., 2019 SCC 35, para. 8.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.