The New Wave of Privacy Class Actions

Canadian privacy class actions are undergoing a transformation. What began mainly as data breach litigation—typically arising from third-party cyberattacks—has evolved into a more complex and, in many respects, more uncertain landscape. The emerging trend is clear: while plaintiffs continue to pursue traditional data breach claims, plaintiffs are increasingly pivoting toward data misuse claims alleging that organizations themselves misused personal information in breach of class members’ privacy rights. This shift has implications for both the scope of potential liability and the extent of potential damages.

From Data Breach Claims to Data Misuse Claims

The first wave of privacy class actions in Canada generally involved data breach claims, mainly alleging that third-party hackers accessed personal information without authorization. But in some provinces such as Ontario and Alberta, these actions encountered challenges. For example, in 2022, the Ontario Court of Appeal dismissed a trilogy of data breach claims, reasoning that if a third party accesses personal information without authorization, the privacy intrusion is committed by the third party, not the data custodian (Owsianik v Equifax Canada Co, 2022 ONCA 813; Obodo v Trans Union of Canada, Inc, 2022 ONCA 814; Winder v Marriot International, Inc, 2022 ONCA 815).

This approach left data breach claimants in some provinces increasingly reliant on the tort of negligence—which, unlike the statutory tort of invasion of privacy or the common law tort of intrusion upon seclusion, requires proof of actual compensable loss, typically pecuniary in nature. This introduced significant evidentiary and certification challenges, dampening the momentum of traditional data breach class actions.

British Columbia remains somewhat of an outlier. While the common law tort of intrusion upon seclusion is not recognized here, the statutory tort of invasion of privacy under the Privacy Act provides a potential alternative. Notably, the statute does not require proof of any compensable loss, leaving open the possibility of certification even in the absence of demonstrable loss. And the B.C. Court of Appeal has expressly declined to follow Ontario law holding that data custodians cannot generally be held liable for third-party hacking (GD v South Coast British Columbia Transportation Authority, 2024 BCCA 252; Campbell v Capital One Financial Corporation, 2024 BCCA 253). This divergence in the law underscores the continued importance of forum in privacy class action litigation.

Recent Developments in Data Misuse Claims

As certification has become more difficult in data breach cases in some jurisdictions, plaintiffs have adapted. Across Canada, plaintiffs are increasingly alleging that organizations themselves have misused personal information—collecting, using, or disclosing it without meaningful consent or in ways that exceed the scope of that consent.

These data misuse claims present a fundamentally different theory of liability. Rather than focusing on a failure to safeguard data from external threats, they target the organization’s own conduct. This distinction has obvious legal implications: Where the defendant is alleged to have directly engaged in the privacy violation, causes of action such as intrusion upon seclusion (in provinces where it remains available) may be revived.

The case law in this area is still developing. Some courts have demonstrated a willingness to scrutinize these claims carefully at the certification stage, particularly where the pleadings lack material facts or fail to articulate a viable cause of action, or where the record provides no basis in fact for the allegations pleaded (see, e.g., Lam v Flo Health Inc, 2024 BCSC 391; Cleaver v The Cadillac Fairview Corporation Limited, 2025 BCSC 910).

At the same time, some appellate decisions suggest a more permissive approach. For example, some courts have accepted that allegations of potential unauthorized data use for internal purposes may meet the standard for certification, even absent clear evidence of disclosure to third parties (see, e.g., Situmorang v Google, LLC, 2024 BCCA 9).

Damages

At the same time, the case law on damages in privacy class actions remains underdeveloped. Appellate authority in British Columbia has confirmed that under the Privacy Act, damages are not restricted to nominal damages, even where no pecuniary harm is established. For example, in Insurance Corporation of British Columbia v Ari, 2025 BCCA 131, the BC Court of Appeal held that the Privacy Act creates a tort actionable without proof of damages and does not restrict the court to nominal damages where consequential loss has not been established by the plaintiff, and it upheld a staggering $15,000 per class member damages award—a high water mark for privacy class actions in Canada. That said, Ari involved egregious misconduct with serious consequences, including arson and shooting attacks, and in that sense may constitute an outlier in the privacy class action damages landscape.

Looking Ahead

This new wave of privacy class actions in Canada is defined less by data breaches and more by data practices. As organizations continue to collect, use, and disclose personal information for various purposes, the legal scrutiny of those practices is intensifying.

• Several trends are likely to shape the future landscape:
• Continued innovation by plaintiffs’ counsel in framing data misuse claims
• Divergence in the law in different provinces
• Increased judicial scrutiny at certification, especially for novel claims

As the case law in this area continues to evolve, one thing is certain: privacy class actions in Canada are entering a new and more complex phase.