Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020, proposing the new Consumer Privacy Protection Act (“CPPA”) as a replacement for the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal legislation regulating privacy in the private sector.
This is the ninth in a series of articles addressing specific issues raised by the proposed CPPA. This article addresses the new right in the CPPA for people affected by certain contraventions or offences to bring lawsuits.
When does a private right of action arise under the CPPA?
The CPPA will contribute to Canada’s burgeoning privacy jurisprudence by introducing a private right of action for individuals affected by an organization’s conduct that is found to be in breach of the statute. The private right of action would allow individuals to seek financial relief from the court for various violations of the CPPA, if the Office of the Privacy Commissioner of Canada has first made a finding that the organization has contravened a provision of the CPPA.
Under PIPEDA, no such right currently exists. However, under section 14(1) of PIPEDA, a complainant may, after receiving the Commissioner’s report (or being notified by the OPC that the investigation of the complaint has been discontinued), apply to the Federal Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, provided the matter is referred to in the list of clauses that are enumerated. The Court may make an order and/or award damages to the complainant, including damages for any humiliation that the complainant has suffered. Damages awarded to individuals under this provision have typically been nominal. However, class actions may be possible under this section, and can make even nominal damages awards significant in the aggregate.
How can a claim be brought?
There are two ways in which an individual would be able to bring a civil claim under the CPPA. The first is set out in section 106(1), which grants an individual a private right of action for damages for loss or injury that an individual has suffered as a result of an organization’s contravention of the CPPA. The individual must be “affected by” the act or omission of the organization, which means the right is not limited to the complainant in an inquiry. For example, a class action could be commenced by a representative plaintiff other than the complainant under this provision of the statute.
Section 106(1)(a) further limits when the cause of action may be brought: it arises only after the Commission has made a finding in an inquiry that the organization has contravened the CPPA. The finding must not have been appealed (and the time limit for an appeal must have expired), or the Tribunal must have made a final decision on an appeal.
The second way an individual may commence a claim is set out in section 106(2) where an individual may claim against an organization that has been convicted of a listed offence under the CPPA (such as for failing to report a breach, failing to maintain records, or failing to retain personal information). As with the previous section, the individual commencing a claim must have been “affected by” the conduct giving rise to the conviction.
These statutory causes of action would arise only after there has been a finding by the Commission of a contravention or offence and the appeal period has expired. This allows companies to focus on responding to an inquiry by the Commission before turning to a defence of a civil claim if a breach of the CPPA is found to have occurred. However, it means organizations should be very careful about the materials and information they provide to the OPC during the investigation, as plaintiff’s counsel in a subsequent action may be able to obtain copies via an Access to Information Act request.
When may such an action be brought?
In addition to setting out the grounds for the private right of action, the CPPA also sets out when and where the action may be brought. The applicable limitation period is two years after the day on which the individual “becomes aware” of the Commissioner’s finding or the Tribunal’s decision (under section 106(1)) or of the conviction (under section 106(2)). This language could be interpreted to mean the actual knowledge of the individual asserting the claim rather than when the individual “knew or ought to have known” of the claim as set out in Canadian common law limitation statutes.
The plaintiff may decide in which court to commence the CPPA claim, whether that is Federal Court or a provincial superior court. This does not, however, prohibit an organization from asserting a lack of jurisdiction argument that may be raised based on the parties involved and the nature of the underlying conduct.
There is no guidance provided on the type or quantum of damages that an individual may seek from an organization for a breach of the CPPA. The onus is on the plaintiff to prove that they have suffered some form of “loss or injury” as a result of the conduct of the organization. As under PIPEDA, what constitutes a compensable “loss or injury” in the context of a privacy breach is a topic of much debate.
How is this different from common law breach of privacy torts?
The CPPA private right of action would join a nascent body of jurisprudence in privacy litigation. Privacy torts, including intrusion upon seclusion and publicly placing a person in a false light, have been recognized by the Ontario Court of Appeal within the last decade. Consideration and application of these torts within Ontario and across common law provinces has gradually developed mainly in the area of privacy class actions.
There are some key differences between the statutory cause of action and the common law invasion of privacy torts. The first is that an individual asserting a private right of action may rely on the fact that the organization’s conduct has already been found to be a breach of the CPPA through an investigation and inquiry by the OPC.
In contrast, a plaintiff asserting a common law breach of privacy tort does not have regulatory findings of fact to rely on but instead must prove the alleged acts or omissions occurred. For the tort of intrusion upon seclusion, the plaintiff must demonstrate that there was an unauthorized intrusion and that the intrusion was “highly offensive” to the reasonable person. Whether or not the intrusion was highly offensive will depend in part on the ability of the plaintiff to establish the defendant’s motivations and objectives for engaging in the alleged conduct. Similarly, for the tort of placing a person in a false light, the plaintiff must establish the defendant had knowledge of, or acted in reckless disregard as to, the false light in which the plaintiff was placed. Proving these elements of the privacy tort will likely be more difficult than simply relying on a breach of the CPPA.
Another difference between the CPPA cause of action and privacy torts is the timing of when the claim may be commenced. The CPPA under section 106(1) would require an individual to wait to bring a claim until the OPC has made a finding of a contravention following an inquiry, or the Tribunal has made a finding of a contravention following an appeal. Similarly, under section 106(2), the organization must have been convicted of an offence under the CPPA before an individual can assert a cause of action arising from an organization’s underlying conduct. Regulators are not known for the speed at which they operate and there is no reason to expect the OPC will be any different under the CPPA. This means an individual may wait years for an inquiry to be completed and the appeals processes to run their course before they can commence a claim under the CPPA.
An individual asserting a claim for a common law privacy tort is not circumscribed by the same timing constraints. Oftentimes a privacy class action is commenced after a putative class member receives notice of a breach from an organization. At that stage, the organization has often not completed any internal investigations into the scope of the breach and the OPC, if it has been notified, has often not completed an investigation or made any findings regarding contraventions. Class counsel may be motivated to file a claim first to assist with a potential carriage motion or other jurisdiction challenges.
Plaintiffs can be expected to bring claims both in privacy torts and private rights of action under the CPPA arising from an underlying breach. The findings by the OPC following an inquiry will likely form the basis for the facts asserted in such claims. However, it is likely that plaintiff’s counsel, and class counsel in particular, will commence an action based on the information contained in a breach notification and amend the claim at a later date once the regulatory process is complete and a contravention or conviction has been found. On the other hand, if no such finding is made it may be difficult for the action to continue without findings of fact by a regulator made against the organization.
How is this different than statutory torts in provincial Privacy Acts?
Private rights of action have existed in Canadian law long before the proposed CPPA. Statutory torts for breach of privacy are set out in Privacy Acts in British Columbia, Manitoba, Saskatchewan and Newfoundland and Labrador. The Privacy Acts of these provinces contain a significant amount of parallel language. In general, it is a tort to violate a person’s privacy “wilfully and without claim of right”; “proof of damages” is not a required element of the tort; and defences include consent, authorization by law, conduct in defence of person or property, and acts by journalists that are otherwise lawful.
The main point of departure between the CPPA private right of action and the Privacy Act torts is that the provincial Privacy Acts do not require the plaintiff to prove harm. In contrast, section 106(1) of the CPPA requires an individual to have suffered damages for loss or injury “as a result of” the contravention or the conviction. This provision may lend itself to certification as a common issue of a class action as each class member may not have to prove individual harm arising from the privacy breach, whereas the requirement to prove harm may be a hurdle for potential class actions seeking to demonstrate common issues at the certification stage.
Another difference is that under the Privacy Acts, the defendants may rely on the defence of consent, either express or implied, to the alleged breach. In a CPPA private right of action claim, the issue of consent will have been canvassed (and proven unsuccessful) at the inquiry or appeal stage leading to a finding of a breach. Instead, an organization will likely defend the claim by asserting that the individual was too far removed from the underlying acts or omissions and that even if the individual proves they were affected by the contravention, they have failed to demonstrate resulting damage or loss.
In a typical data breach situation, it may also be difficult for plaintiff’s counsel to meet the “wilfulness” requirement in the Privacy Acts. Where a bad actor deliberately and directly breaches the privacy of an individual, the application of the Privacy Acts is clear. However, in most data breach matters, the organization itself is a victim of the bad actor, and it may be challenging to demonstrate that the organization and not the bad actor “wilfully” invaded the privacy of an individual.
Finally, a recent development in British Columbia may impact how privacy actions are commenced in the province. The Courts in British Columbia had consistently interpreted the Privacy Act to mean that because a statutory tort exists (and creates an exhaustive code relating to breaches of privacy) there is no common law tort for invasion of privacy recognized in the province. However, in the recent Tucci v. Peoples Trust Company decision, the BC Court of Appeal noted that there have been significant changes in the world, including the critical role that data has come to assume in people’s lives. The Court concluded that it may be time to reconsider the issue of whether a common law tort of breach of privacy exists in conjunction with the statutory tort. However, no definitive ruling was made as the issue was not directly before the Court.
The CPPA private right of action is a statutory right of action, not a tort, and would likely not be seen to be in conflict with the common law or statutory torts for breach of privacy in the province. The impact, however, is that in certain provinces that have Privacy Acts, including British Columbia, an individual may choose to bring three claims arising from the same incident, including a common law tort, a statutory tort, and, assuming a finding by the Commission, a private right of action under the CPPA. An organization will need to be prepared to address this litigation risk from an early stage following any privacy-related incident.
The new rights in section 106 of the CPPA would give plaintiffs more options to sue when they think their privacy rights have been infringed. In addition to the existing common law and provincial Privacy Act claims, individuals “affected” by a breach of the CPPA or an offence under the CPPA would be able to sue.
The likely outcome is that more companies will find themselves the targets of more complex lawsuits. For instance, instead of a lawsuit that only claims under the common law torts, plaintiffs are more likely to sue for the common law torts as well as under the CPPA and, if applicable, the provincial Privacy Acts. Because each of these claims has slightly different elements, this gives plaintiffs more options – and makes it more complicated for companies to defend the lawsuits.
In addition, under the CPPA, the risk of a lawsuit is heightened as the CPPA would impose new and/or more stringent privacy requirements on organizations, meaning an increased likelihood of non-compliance that could trigger an investigation and potential claim under the CPPA.
Companies that are under investigation by the Commission will also need to be prepared for an even longer timeline to the end of lawsuits than is currently the case. Currently, plaintiffs (or class counsel) often start a lawsuit as soon as there is notification of a breach, and in many provinces they must start them within two years of notification. Investigations may happen in parallel to the litigation.
Under section 106 of the CPPA, lawsuits can be started up to two years after the investigation ends. Investigations themselves can take a number of years and so companies may find themselves waiting many years to know if any lawsuits will be brought.