The Court of Appeal of Quebec upholds dismissal of class action on the merits for loss of personal information

  • Legal Development 15 June 2022
  • North America

In its recent ruling in Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2022 QCCA 685, the Court of Appeal confirms the dismissal of the class action brought by the class members for the loss of their personal information. With this new ruling on the merits, the conditions for establishing an organization’s liability in the context of such an action are becoming clearer. This recent ruling confirms that even when a class action is authorized, the criteria for general civil liability must still be demonstrated, notably the existence of injury serious enough to qualify for compensation.

Highlights of the Superior Court and Court of Appeal decision on the merits

The March 2021 first instance decision in Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2021 QCCS 1093 was the country’s first decision on the merits in a class action relating to loss of personal information. The Honourable Florence Lucas, j.c.s., dismissed the class action brought by the plaintiff, Danny Lamoureux (Lamoureux) against the Investment Industry Regulatory Organization of Canada (IIROC) following the loss, by one of the IIROC’s inspectors, of a laptop containing the personal information of more than 50,000 investors. The IIROC took various actions in response to this incident; among other things, it notified the investors of the loss of the laptop, hired a call centre to answer their questions, and offered them free credit alert services for six years. Despite these actions, the IIROC admitted to having committed a fault in relation to the loss of the laptop and failing to ensure the maximum protection of personal information, having not encrypted the lost laptop as required by its policies. Therefore, the dispute concerned the existence of a compensable injury suffered by the members of the group.

Non-Compensable Nature of the Damages Claimed

In the Superior Court, Lamoureux claimed, on behalf of the investors, compensatory damages which the Court divided into four categories: (1) anxiety, anger, and stress related to the loss of personal information; (2) the requirement for investors to monitor their accounts; (3) the inconvenience and waste of time dealing with the credit agencies the IIROC has made available to them; and (4) the shame and delays caused by identity verification for their credit applications. After analyzing the evidence, the Judge concluded that the threshold for compensable damages was not reached in this case. Based on the principles established by the Supreme Court of Canada in Mustapha v. Culligan du Canada Ltd., 2008 CSC 27, and applied by the Superior Court in Li c. Equifax inc., 2019 QCCS 4340, she pointed out that the fears and inconveniences experienced by the class members in connection with the loss of their personal information are normal inconveniences that anyone living in society should be required to accept.

Absence of Causal Relation

Moreover, some class members were seeking damages for unlawful use of personal information, such as identity theft, which allegedly occurred after the loss of the laptop. However, the IIROC had provided expert evidence that the alleged unlawful uses could not have been made from the limited information on the lost laptop. In the absence of further expertise or evidence opposing the conclusions of the IIROC expert, the Superior Court concluded that there is no causal relation between the loss of the laptop and the unlawful uses alleged by the class members.

Absence of Award of Punitive Damages

The Court also found that the criteria for awarding punitive damages were not met. In particular, the Court considered that the IIROC followed best practices in its response to the incident.

On appeal, the judges pointed out from the outset that the role of a Court of Appeal was not to reassess evidence and reach a conclusion different from that drawn at first instance. The Court of Appeal reviewed the conclusions and main reasons of the Superior Court and concluded that the appeal must fail, seeing no manifest and overriding error subject to review therein.

Conclusion

By analyzing the damages claimed as well as the causal relation between them and the IIROC’s fault, both decisions provide several insights into the conditions for establishing liability for loss of personal information. In particular, it is understood that proof of a response to such an incident in accordance with best practices can limit the organization’s liability. In the event of a dispute, it is also apparent that strong expert evidence will generally be required to establish or sever the causal relation between the organization’s fault and the subsequent unlawful use of personal information.

The measures that will be taken by an organization following a privacy incident involving personal information are therefore crucial to mitigate the risks resulting from a possible class action, namely:

  • Retain the services of a cybersecurity expert as soon as a security incident is discovered to identify the source and impact of the incident;
  • Correct vulnerabilities to block and/or prevent the spread of the security incident;
  • Notify the individuals affected by a privacy incident in case of “serious injury” risk and provide credit monitoring and identity theft protection services; and
  • Report the privacy incident to the authorities if there is a risk of “serious injury.”

However, these are not the only risks an organization will face. In fact, with the coming into force of the provisions of the Act to modernize legislative provisions as regards the protection of personal information (Bill 25), an organization that fails to meet its obligations with regard to the protection of personal information could also be subject to monetary administrative penalties of up to $10,000,000 or an amount corresponding to 2% of its global turnover in the previous fiscal year if the latter amount is higher (sections 90.1 and 90.12). Quebec’s Commission d’accès à l’information will develop a general application framework detailing the objectives of these monetary administrative penalties, as well as the criteria to guide the decision to impose them and the amount of the penalty. It is known, however, that failure to report a privacy incident to the Commission or to the individuals involved, as well as failure to take appropriate security measures to ensure the protection of personal information in accordance with the law are among the circumstances that may give rise to the imposition of such penalties (section 90.1).

Certain breaches may also constitute criminal offences for which the penalties will now be between $15,000 and $25,000,000 or the amount corresponding to 4% of the global turnover in the previous fiscal year if the latter amount is higher (section 91). Finally, Bill 25 provides for the possibility of claiming punitive damages of at least $1,000 when an unlawful infringement of a right conferred by the law or by sections 35 to 40 of the Civil Code of Quebec causes injury (section 93.1) and this infringement is intentional or the result of gross negligence.
