Written By Ranjan Agarwal, Keely Cameron, Sébastien Gittens and Justin Lambert
The Court of Queen's Bench of Alberta, in Setoguchi v Uber B.V., 2021 ABQB 18, recently dismissed an application for certification of a proposed class action resulting from a data breach because there was no evidence of harm or loss.
This class action followed a hacking event, in which the hackers obtained Uber users’ names, phone numbers, and email addresses from the cloud. Uber did not initially reveal the data breach to class members, regulators, or police. In the three years following the incident, there was no evidence of fraud, identity theft, or any other economic loss. Rather, the evidence showed that the loss or harm was “wholly non-existent”. In considering the harm or loss issues, the Court had regard for the nature of the personal information, noting that the applicable duty and standard of care will vary with the sensitivity of that information. Here, Uber successfully argued that the information that had been released was already in the public domain.
To succeed in certifying a privacy class action, the plaintiffs must provide some evidence of loss or damages. All that is required is some “basis in fact” before certification is granted. On the facts before the Court here, there was no evidence that any of the data had been released beyond the hackers. To the extent that the plaintiffs were arguing future harm as a result of future misuse, the Court noted that should the hacked data somehow be used in the future and real evidence of harm or damage could be shown, that could support a new cause of action.
In reviewing other cases involving proposed class actions resulting from data breaches, the Court noted that certifications have been granted where breaches are directly linked to individual harm. On the other hand, certification has been denied when the breach simply required a password to be changed or embarrassment from spam emails sent to friends.
The Court also noted that any assessment of damages, if the case was certified, would have required individual trials given that any claim would be tied to whether the released information had been held as private by the individual and the harm associated with that relief. In that event, the Court found that a class action might not be the preferable procedure. The Court also perceived individual trials, given the nominal damages, would be a valuable gatekeeper function, in that the Court believed it would deter individual plaintiffs from pursuing inefficient claims.
This decision follows other recent decisions highlighting the court's important gatekeeper function of ensuring judicial economy when considering class proceedings.
If you would like more information about the issues discussed here or other matters pertaining to Canadian class proceedings or privacy matters, please contact a member of our Class Action Litigation group or our Privacy & Data Protection group.