Add a bookmark to get started

7 de março de 20236 minute read

Alberta Court of Appeal confirms: No certification for proposed data breach class action

In Setoguchi v. Uber BV,  the Alberta Court of Appeal refused to certify a proposed class action against Uber BV (“Uber”), as the negligence claim disclosed no compensable loss or harm to the claimants.  In so doing, it rejected a novel “first loss” theory of damages. Further, the Court reaffirmed that a risk of future harm or risk of increased harm is generally insufficient to constitute compensable harm in Canadian tort law.

This decision also confirms a variety of factors may be considered in the “preferability” analysis under section 5(1)(d) of the Class Proceedings Act, SA 2003, c. C-16.5 (“CPA”), including negative news coverage, regulatory penalties, and other external factors that may already be sufficient to modify a defendant’s behaviour. In such cases, a class proceeding may provide no additional behavioural modification benefits, thereby rendering another procedure more appropriate for a fair and efficient resolution of the action.

Background

In October 2016, hackers illegally accessed Uber’s electronic user and driver data, which was stored on a third-party cloud service. The data included the names, phone numbers, and email addresses of 57 million Uber drivers and users worldwide.‎1‎ Upon receiving a ransom demand, Uber paid $100,000 USD to the hackers, in return for an assurance the hackers would “destroy and not disseminate” the data. Over the following six years, there was no indication any users or drivers suffered fraud or identity theft.

The proposed representative plaintiff, Dione Setoguchi (the “Plaintiff”), sued Uber in breach of contract and negligence, alleging Uber (1) failed to protect its collection of personal information, and (2) failed to notify users of the data breach.

The Alberta Court of Queen’s Bench dismissed the Plaintiff’s certification application, finding both no evidence of any actual harm or loss and no actual harm or loss. Additionally, the Court of Queen’s Bench found the Plaintiff failed to establish a class proceeding was the preferable procedure under section 5(1)(d) of the CPA.

Court of Appeal decision

In addition to confirming the lower court’s refusal to certify under section 5(1)(d), the Alberta Court of Appeal found the Plaintiff failed to meet the section 5(1)(a) requirement of the certification test.

Section 5(1)(a) - Cause of action: Analysis of the plaintiff’s negligence claim

Under section 5(1)(a), the pleadings must disclose a cause of action. In considering the lower court’s analysis of the Plaintiff’s negligence claim, the Alberta Court of Appeal rejected the suggestion that the Plaintiff was required to provide evidence of loss or harm.  However, the Court of Appeal found the Plaintiff’s action, as pleaded, failed to disclose a cause of action in negligence, as the tort of negligence requires harm, loss, or injury resulting from a defendant’s wrongful act.

In this case, the only “class-wide harm” pleaded was the Plaintiff’s novel “first loss” claim. This novel claim theorized that, as personal information has inherent value, the theft of personal information is a compensable loss common to all class members. However, the Alberta Court of Appeal rejected the “first loss” argument, finding the argument “attempt[ed] to maneuver around [the Plaintiff’s] inability to demonstrate actual harm or loss from the data breach, by advancing a theory of damages not recognized in law.” Instead, the Court found the Plaintiff had “no hope” of establishing the simple loss of publicly available information (such as names, phone numbers, and email addresses) amounted to compensable injury or loss.

The Plaintiff further argued that the data, aggregated and in the hands of criminals, made the proposed class members more susceptible to fraud in the future (especially phishing scams). However, the Court likewise rejected this argument, as Canadian tort law has generally refused to recognize damages for risk of future harm or risk of increased harm. Moreover, there must be a substantial risk of future identity theft for a compensable harm to be recognized. No such “substantial risk” was present in this case, so no compensable harm could be recognized.

Section 5(1)(d) - Preferability: Analysis of the plaintiff’s breach of contract claim

In reviewing the lower court’s preferability analysis, the Alberta Court of Appeal confirmed a class proceeding was not the preferable procedure for the “fair and efficient resolution” of the common issues. Specifically, given that class-wide harm could not be clearly established, determining damages could require individual assessments for each class member. Further, certification would result in no additional behaviour modification, as significant regulatory penalties had already been imposed against Uber following the data breach.‎2‎ These penalties, together with the negative press coverage, were sufficient to alter the behaviour of Uber and others in its position. No additional behaviour modification would result from a class proceeding.

Take-away

In assessing a proposed class action under section 5(1)(a) of the CPA, courts will carefully consider whether the proposed representative plaintiff(s) have pleaded each element of a cause of action. Where an essential requirement of a cause of action is absent (as in this case, where the negligence claim lacked the essential element of compensable harm), the court will deny certification.

This decision is consistent with the recent Ontario Court of Appeal (“ONCA”) pronouncements in Owsianik v. Equifax Canada Co., 2022 ONCA 813 (“Equifax,” as cited in Uber), in which the ONCA heard a trilogy of class action appeals. In Equifax, the plaintiffs unsuccessfully argued the “tort of intrusion upon seclusion” should be expanded beyond the hackers in data breach cases, to find “Database Defendants”— those who collect and store personal information for commercial purposes— liable. In refusing certification and dismissing the appeals, the ONCA likewise exercised its gatekeeping function under section 5(1)(a)‎3‎, finding the appellants’ novel claim disclosed no cause of action: “[t]here is no reason to think evidence adduced at the trial would have any effect on the determination of whether, as a matter of law, the tort could apply to Database Defendants whose failure to properly protect the data permits independent hackers to access the data.”

Additionally, Uber affirms that a variety of factors may be considered in the “preferability” analysis under section 5(1)(d), including negative news coverage, regulatory penalties, and other external factors that may already be sufficient to modify a defendant’s behaviour. In such circumstances, class proceedings may not result in additional behaviour modification and may not, therefore, be the “preferable procedure” for a fair and efficient resolution of the action.

 

DLA Piper (Canada) LLP’s leading Class Actions Group represents clients in a variety of class proceedings, including high-profile and multi-billion dollar actions. As part of a global law firm, the Canadian Class Actions Group is a division of one of the largest class actions teams in the world, offering international reach on class action defence services for leading Canadian and multinational businesses worldwide.



[1] The data also included driver’s license numbers for 600,000 drivers in the United States‎.‎‎

[2] ‎Significant regulatory penalties, including approximately $194 million in fines in the United States, United Kingdom, and the Netherlands, were imposed on Uber following this data breach.

[3] ‎Equifax was decided under section 5(1)(a) of Ontario’s similarly-worded Class Proceedings Act, which reads: “The pleadings or the notice of application discloses a cause of action."

Print