In an era where data has become increasingly valuable, the protection of confidential personal data and cybersecurity have risen to the forefront for many corporations. The pace of data growth has been exponential, with current estimates suggesting that there are over 40 trillion gigabytes (40 zettabytes) of data. With the growing risk of cyber threats, courts have grappled with the appropriate remedy for large-scale data breaches.

Plaintiffs have increasingly attempted to use class actions as the vehicle to resolve claims for privacy breaches. However, in a number of those cases, the courts have denied certification of the potential class action (see our Blakes Bulletin: Proposed Privacy Class Action "Collapses in its Entirety" on Commonality). In the recent decision in Setoguchi v Uber CV, 2021 ABQB 18 (Setoguchi), the Associate Chief Justice of the Alberta Court of Queen's Bench denied certification of a putative privacy breach class action. In doing so, the court emphasized its important gatekeeping role in weeding out unmeritorious claims at an early stage. In particular, the court emphasized the need for meaningful evidence of harm or damages arising from the alleged privacy breach.

While it is anticipated that putative privacy class actions will remain commonplace in Canada for the foreseeable future to address claimed privacy breaches, the decision in Setoguchi emphasizes the increasing willingness of the courts to scrutinize plaintiffs' claims to determine if class actions are the appropriate forum to resolve large-scale data breaches.

THE DECISION

The proposed representative plaintiff and members of the proposed national class were users or drivers who used the Uber platform and therefore had some of their data stored with various Uber companies.

The real issue in the case was whether, even assuming otherwise provable causes of action liability existed (in contract, negligence, breach of statute, etc.), there was "some evidence" or "some basis in fact" for any real resulting harm, loss or damage from the claimed common law or statutory breaches. While Uber acknowledged that a breach of a claimed standard of care may establish liability, Uber argued that there must be proof of harm or loss for such claims to be successful.

In assessing the information that was hacked, Associate Chief Justice Rooke noted that while the information that was accessed was private, it was not necessarily confidential as it included information that would have been accessible in a "typical telephone directory" of the past.

More importantly, however, the court found that not only was there an absence of any evidence of harm or loss, but the opposite was true, namely, that the record revealed that there was no harm or loss to the putative class. That finding ultimately proved fatal in the attempted certification of the proposed class action. As noted by the court, "there must be some evidence or basis in fact for loss or damage...the Representative Plaintiff must demonstrate at least some meaningful substance to the case before certification should be granted". Otherwise, the court observed, the bar would be set so low that virtually any corporation that suffered a data breach could be subject to class action without the need for the plaintiffs to prove harm.

The court engaged in an extensive review of the established jurisprudence related to data breaches and relied upon a number of well-settled principles in denying certification. In addition, the court addressed and incorporated the principle of proportionality that was articulated by the Supreme Court of Canada in Hryniak v Mauldin, 2014 SCC 7 (Hryniak) to find that a class action would not be the preferable procedure. Hryniak and its progeny emphasize the importance of the court's gatekeeping function in weeding out unmeritorious claims at an early stage. Relying on Hryniak, the court declared that "it is time for the Court to take its gate keeping function seriously, and end this litigation as a class proceeding now...".

THE KEY TAKEAWAYS

The decision in Setoguchi emphasizes the gatekeeping role of the courts in assessing putative class actions and lends a more rigorous analysis to such claims at an early stage. In particular, the decision incorporates the sentiments behind Hryniak, including the need to weed out unmeritorious and de minimis claims early on. Further, the decision requires that sufficient evidence be tendered to demonstrate compensable harm or loss for any claimed breach to support certification of a class action.

Given the high stakes of cybersecurity and the growing risks associated with data breaches, the courts' approach to class actions has become an issue of increasing importance. The approach of the court in Setoguchi suggests that plaintiffs may face increased scrutiny in their attempts to have their claims certified as class actions.

© 2020 Blake, Cassels & Graydon LLP.