Condon v. Canada was notable for being one of the first class actions to be certified in Ontario based on the tort of “intrusion upon seclusion” as well as one of the largest class actions in Canada involving a digital privacy breach. The case sought to extend the reach of the privacy tort by claiming that institutions are liable when their actions either directly or indirectly compromise the personal information of their stakeholders.
On March 17, 2014, the Federal Court certified the class action related to the 2013 loss of a portable hard drive that contained the dates of birth, addresses, student loan balances, and Social Insurance Numbers of approximately 583,000 borrowers enrolled in the Canada Student Loans Program borrowers from 2000 to 2006.
Privacy Tort of Intrusion upon Seclusion
In order to certify and proceed with the class action, the case sought to push the current boundaries of the tort of intrusion upon seclusion. The tort was first recognized by the Court of Appeal in 2012 in Jones v. Tsige. In its judgment, the Court of Appeal outlined the following three elements of the tort:
- there is an intentional or reckless intrusion on a person’s private affairs;
- there is no lawful justification for the intrusion; and
- viewed objectively, the intrusion was highly offensive or causing distress, humiliation or anguish.
In Condon v. Canada, the Federal Court assessed the government’s responsibility for allegedly reckless behaviour by its employees, leading to the data breach. The plaintiffs claimed that the federal government failed to comply with both encryption and information storage policies and the Treasury Secretariat and Privacy Commissioner’s recommendation to disclose the loss of sensitive data as soon as possible. On the basis of these allegations, the Court found that “it is not plain and obvious that an action based on the tort of intrusion upon seclusion would fail,” and certified the class action on common questions, including those pertaining to the federal government’s alleged tort of intrusion upon seclusion. The Court also found that the frustration and anxiety experienced by individuals subject to such a data breach could potentially meet the threshold of “distress” required for a privacy breach claim.
However, the Court found that there was no evidence to indicate the individuals affected by the hard drive loss were at increased risk of identity theft. As such, the plaintiffs’ claim for compensable damages was dismissed, leaving them to pursue nominal damages for any infringement.
PRIVACY Class Action Settlement
As with many class action lawsuits, the case has now settled, before the Federal Court could decide on the merits of the case whether the federal government would be found liable for the privacy tort and what those nominal damages would be. The settlement is indicative of how, even if settled for less than 10% of the initial claim, settlement amounts can be extremely onerous for large classes of claimants.
The federal government announced late December 2017 that it will pay at least $17.5 million to settle the Condon v. Canada class action lawsuit – the class action law firms involved and federal lawyers have agreed to the settlement, subject to court approval in February.
The notice of settlement posted online says that every student who signed up for the class action will receive $60 due to the inconvenience associated with the loss of their personal information. They will also receive payments to cover any actual losses directly related to the privacy breach, which could push the overall cost to the government even higher.
Be it public institutions (where settlements come from taxpayers dollars) or private companies that could very well teeter on the brink of bankruptcy in the context of such a settlement, organizations should thoroughly review data security policies and practices to ensure that personal information is well protected in the face of what appears to be a growing trend in privacy class actions.
For assistance with your privacy and data security management program or breach management strategies, contact PRIVATECH.