Case Summary: Del Giudice v. Thompson

  • March 25, 2024
  • Valérie Lord & Thuvaaraga Kuganathan

Overview

On January 31, 2024, the Ontario Court of Appeal (“ONCA”) upheld Justice Perell’s decision in Del Giudice v. Thompson, 2024 ONCA 70, maintaining the stringent approach established in recent years for “hacker” data breach cases.

Plaintiffs who intend to pursue these types of class actions against institutional defendants are reminded by the ONCA that they must state the facts that support the typical causes of action pleaded, such as misappropriation of personality and statutory causes of action.

In addition, plaintiffs who intend to plead intrusion upon seclusion must plead facts which show that the conduct of institutional defendants is of a “highly offensive nature causing distress, humiliation or anguish to a reasonable person” (at para. 35), as set out in Jones v. Tsige, 2012 ONCA 32, and as confirmed by the ONCA’s trilogy of judgements in Owsianik v. Equifax Canada Co., 2022 ONCA 813, Obodo v. Trans Union of Canada Inc., 2022 ONCA 814, and Winder v. Marriott International Inc., 2022 ONCA 815.

Lastly, in refusing to interfere with the motion judge’s decision to strike the claims without granting leave to amend, the ONCA is clear that when parties are provided with repeated opportunities to amend their claim and still fail to plead their cases appropriately, they may be “out of runway” by the time they reach their appeal.  

This article will focus on the three different heads of privacy law causes of action analyzed in Del Giudice v. Thompson: intrusion upon seclusion, misappropriation of personality, and statutory causes of action.

Background

The Defendant Capital One collected data from people applying for Capital One credit cards. Capital One stored its data on the servers of its co-Defendant, Amazon Web Services. Amazon Web Services was subsequently hacked by one of its employees (Thompson), and consequently the personal and confidential information provided to Capital One was exposed or became vulnerable to exposure to the public. The putative representative Plaintiffs (the “Plaintiffs”) alleged that the hack exposed the information of 106 million applicants, including six million Canadians.

The Plaintiffs, Ms. Del Giudice and Mr. Wood, sought to certify a class action against Capital One and Amazon Web for various torts related to data breach and misuse. The parties agreed to have the cause of action criterion under s. 5(1)(a) of the Class Proceedings Act, 1992, S.O. 1992, c. 6, heard as a preliminary motion.

The Plaintiffs’ causes of action included two categories of claims: data misuse and data breach. The claims for data misuse involved (i) intrusion upon seclusion; (ii) misappropriation of personality; (iii) conversion; and (iv) breach of confidence, trust, and fiduciary duty. The claims for data breach involved (i) negligence and failure of a duty to warn; (ii) strict liability; (iii) negligent breach of contract; and (iv) breach of statutory causes of action.

Despite several amendments to the Plaintiffs’ statement of claim, the motion judge concluded that the Plaintiffs failed to plead viable causes of action against Capital One and Amazon Web.[1] The motion judge dismissed the motion to certify, ruling that their case was "doomed to fail" and struck their pleadings without leave to amend.

On appeal, three main issues were advanced. The Plaintiffs argued that the motion judge erred in (1) determining that the pleadings did not support any valid cause of action; (2) relying on unsworn and unauthenticated documents; and (3) striking out 78 paragraphs of the statement of claim without leave to amend. The following summary will address the first and last issues on appeal.

Intrusion upon seclusion

After the motion in Del Giudice was decided, the ONCA released its judgements in Owsianik, Obodo, and Winder, which established that a hack of a database by a third party does not constitute intrusion upon seclusion by the database operator.

On appeal, the appellant Plaintiffs attempted to distinguish the trilogy on the basis that their claim was not based in negligent custodianship, but rather concerned the improper retention and misuse of data, which included its improper aggregation and ultimate migration to a third-party platform.

The ONCA rejected this argument, adopting the motion judge’s reasons and confirming that whether the alleged misdeeds of Capital One and Amazon Web Services are characterized as mistakes in safeguarding information or improper retention and misuse of that information, neither characterization would satisfy a key element of intrusion upon seclusion: that the conduct be of a highly offensive nature causing distress, humiliation, or anguish to a reasonable person. In the specific circumstances of this case, the aggregation and sale of the financial information obtained by Capital One – even on the generous assumption that the appellants could succeed on the argument that they did not consent to its use – was not highly offensive and could not be considered humiliating by a reasonable person.

Misappropriation of personality

The motion judge held that it was not appropriate to extend the tort of misappropriation of personality to the circumstances alleged. In Ontario, the tort of misappropriation of personality protects against the usurpation of a plaintiff’s right to control or market their personality for commercial purposes. In agreeing with the motion judge, the ONCA confirmed that in this case, no party was alleged to have lost any commercial interests in the exploitation of their own personality as a result of the alleged data misuse. What the Plaintiffs proposed was not a principled extension to an existing tort, but rather the creation of an entirely new cause of action with entirely different elements, and the motion judge was justified in not allowing the claim to proceed.

Statutory causes of action

The appellants also argued that the motion judge erred in dismissing their claims brought under various privacy and consumer protection statutes. The ONCA found that the judge had made no error. The Plaintiffs in this case had “done little more than set out an extensive list of statutes and advance the bald claim that Capital One and Amazon Web have infringed them” (at para. 60). No explanation was provided as to which sections had been infringed or how. Although some statutes listed did provide a cause of action, most required that the defendant “wilfully… violate the privacy of another”[2] and nowhere was this pleaded by the Plaintiffs.

“Out of runway”

In deferring to the motion judge’s decision not to grant leave to amend the claim, the ONCA noted that the appellants were provided with repeated opportunities to amend the statement of claim, by which they only compounded their problems. It noted that the motion judge did not believe that there were any facts that could be pleaded that would support the causes of action that the appellants wished to advance. At this stage of the proceeding, the motion judge saw no purpose to be served in allowing the appellants another opportunity to recast their theory of liability.

Concluding remarks

“Hacker” cases will continue to be difficult to certify, and plaintiffs should read the trilogy decisions and the recent ONCA Del Giudice decision closely when crafting their pleadings. While intrusion upon seclusion remains a viable cause of action against a direct perpetrator defendant, plaintiffs will need facts to show that the conduct of an institutional defendant is of a “highly offensive nature causing distress, humiliation, or anguish to a reasonable person” if they intend to successfully pursue this cause of action. The same can be said of statutory causes of action, which also require particular facts showing that a defendant “wilfully” violated the privacy of the class.

 

[1] Justice Perell did agree that “In the immediate case, as against Ms. Thompson there is a legally viable cause of action for intrusion upon seclusion as against her” (at para. 134).

[2] Privacy Act, R.S.B.C. 1996, c. 373, s. 1(1); Privacy Act, R.S.N.L. 1990, c. P-22, s. 3(1); The Privacy Act, R.S.S. 1978, c. P-24, s. 2.

Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.