Privacy rights at the frontier of the burden of proof of injury

Background

On March 26, 2021, the Superior Court ruled on Lamoureux c. Investment Industry Regulatory Organization of Canada (IIROC), 2021 QCCS 1093,^[1] a landmark loss of personal information decision in which the Court dismissed the class action brought by plaintiff Danny Lamoureux. This decision is the first judgment in Canada on the merits of a class action concerning a loss of personal information. The action focuses on the right to privacy and the duty of companies and public bodies to take appropriate security measures to ensure the protection of personal information.

The triggering event occurred in 2013, when an inspector with the Investment Industry Regulatory Organization of Canada (“IIROC”)^[2] forgot his unencrypted computer on the train; this computer contained the personal information of a large number of investors. Despite IIROC’s best efforts, the computer was never found.

A class action was first filed in 2015 by Paul Sofio, one of the professionals whose clients were affected by the incident. His action was dismissed at the authorization stage.^[3] The Superior Court found that the proposed action did not demonstrate any actual injury. The Court of Appeal upheld the judgment.^[4]

Shortly thereafter, Lamoureux brought a new class action, which was allowed. Unlike Sofio, Lamoureux pleaded unlawful use of his personal information in addition to damages for stress and inconvenience following notification of the loss. The class members are also seeking punitive damages.

The wrongful loss of the computer and the failure to encrypt it in accordance with internal policies were not disputed. Rather, it was at the stage of proof of injury that the action was dismissed. In short, the Court was of the opinion that the minimum threshold of compensable injury was not met.

Decision

The seriousness of the inconvenience of losing personal information

First, the Court found that the alleged stress of losing personal data, taken alone and without evidence of any overriding harm or identity theft, was not sufficient in itself to justify an action for damages.^[5]

While it is not necessary for class members to have been victims of identity theft to support their claim, the Court reasoned that it is necessary to show that the damage goes beyond the normal inconveniences of everyday life.^[6]

In this case, the testimonial evidence did not present sufficient “details, concrete facts or significant demonstrations of the psychological state” of the persons affected to convince the Court of suffering that would warrant compensation.

The Superior Court pointed out that to be compensable, the moral damage “must be serious and long-lasting” and must rise above the ordinary “annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept.”^[7]

The Court explained that in the absence of medical or other documentary evidence, the task of demonstrating the magnitude of this suffering can be difficult.

In this sense, the monitoring of credit card statements to ensure that no fraudulent activity has taken place, as well as the time spent verifying one’s identity with credit agencies, are ordinary inconveniences that do not warrant compensation.^[8]

Moreover, the Court compared the inconvenience caused by the protective measures put in place following the loss of personal information to the inconvenience alleged in Fortin v. Mazda Canada Inc., in which the Court of Appeal found that the inconvenience of traveling to the dealership for the owners of defective cars requiring repairs was a normal part of everyday life.^[9]

Evidence of unlawful use of personal information

Second, the Court found that the causal link necessary to hold IIROC liable was not established.

Indeed, Lamoureux failed to convince the Court by a preponderance of the evidence that his personal information stored on the lost computer was in fact used unlawfully. Nor did the evidence convince the Court that the computer and the information it contained were in the wrong hands.^[10] On the contrary, the Court emphasized that a distinction must be made between the disappearance of the lost computer and its alleged theft.^[11]

Instead, the Court accepted the expert evidence submitted by IIROC, which showed no link between the loss of the computer and any unlawful use of Lamoureux’s personal information.

Unintentional fault and diligent conduct preclude punitive damages

Finally, the Court declined to award punitive damages on the basis that IIROC had “responded diligently, in accordance with the standards expected in similar circumstances.”^[12] In the Court’s view, the incident was not intentional and IIROC took the steps required in such circumstances, as demonstrated by the expert evidence.

The Court rejected the class members’ argument that IIROC’s response to the data loss was too slow and that the services it offered to protect class members’ information were inadequate. Instead, the Court pointed to IIROC’s initiatives following the data loss, which included identifying the loss, taking steps to assess the extent of the breach and notifying affected parties, including investors, relevant regulatory bodies and any affected organizations. In particular, the Court identified the following initiatives as appropriate conduct on the part of an organization in the circumstances:

• informing the Commission d’accès à l’information;
• setting up TransUnion and Equifax security measures for affected individuals for the next several years;
• informing affected class members of the loss of their personal information as soon as possible;
• retaining the services of experts to conduct an analysis of the nature of the information in question as soon as possible; and
• setting up a telephone hotline to answer questions from affected individuals.

Commentary

The key takeaways from the Lamoureux decision are as follows:

1. In a privacy law class action, proof of actual compensable harm is necessary to advance a successful claim; and
2. Companies and public bodies must be diligent in responding to a breach of confidentiality and put in place measures to minimize the risk of unlawful use for the individuals affected in order to reduce the legal consequences that may arise from such situations.

On the one hand, the Lamoureux decision is in line with a trend in privacy jurisprudence that requires plaintiffs to demonstrate a sufficiently serious harm in order to obtain compensation.

The right to damages lies in the demonstration of a real and compensable harm suffered by class members; there is no presumption that a lost computer will end up in the wrong hands. This analysis will depend on the factual circumstances of each case and will require evidence of a specific injury.

Consequently, the loss of personal information and the apprehension of a future, but not yet realized, injury are not in themselves sufficient to justify compensation.

A distinction is therefore drawn between the loss of privacy principle, which identifies the point at which a person loses his or her privacy, and the invasion of privacy principle, which identifies the point at which a person is actually harmed by that loss. In Lamoureux, the Court relied on the latter principle to decide the issues in dispute.

The Court’s more subjective approach to assessing the harm resulting from the loss of personal information may be problematic in cases where the damage does not materialize until much later, making the causation test difficult to meet.

On the other hand, proactive and reactive measures undertaken by companies and public bodies can significantly reduce the legal risks and the consequences that may arise from privacy breaches – and can even eliminate potential deficiencies in their preventive measures, such as failing to encrypt a computer that contains the personal information of others.

Finally, the Lamoureux decision demonstrates the limitations of the class action vehicle, which requires the demonstration of a common injury. In contrast, the analysis of moral damages resulting from an invasion of privacy requires consideration of the specific, individual circumstances of the class members.^[13]

---

Cynthia Chassigneux (partner), Caroline Deschênes (partner), Justine Brien and Marie-Laurence Goyette are lawyers at Langlois Lawyers and members of Langlois’ privacy and data security team.