Why did the Ontario Superior Court of Justice refuse to certify the Casino Rama privacy breach class action, but then certified the Bell Mobility class action less than a week later? This piece briefly explores that question. I write ‘briefly’ because there are a myriad of issues involved when certifying class proceedings. However, I am going to limit this piece to a comparison of one of the main reasons why I think one privacy breach class action failed and one succeeded (at least at the certification stage).
I want to start by summarizing the Casino Rama class action. In November 2016, a hacker accessed Casino Rama’s computer systems and stole personal information of customers, employees and suppliers. The hacker’s ransom demands were not met, so the hacker posted stolen data of over 10,000 individuals online. Casino Rama contacted appropriate authorities, took steps to shut down the websites that contained the stolen information, notified the individuals affected by the breach, and offered many of them free credit monitoring services for one year. The Information and Privacy Commissioner found that Casino Rama did not have reasonable security measures in place at the time, but has since taken steps to address those gaps. There was no evidence that anyone actually experienced fraud or identity theft as a result of the breach. A class action was filed shortly after the breach. On May 7, 2019, the Ontario Superior Court denied certification of the class action. The primary reason being that the court did not believe that there were common issues for each class member. The court was of the view that common issues proposed required too much of an individualized assessment.
On the other hand, the court (a different judge, albeit) certified the class action against Bell Mobility on May 13, 2019. This class action alleges that Bell breached the privacy rights of the class members by using their personal information for marketing purposes without their consent. The class members are Bell Mobility’s data customers. The impugned program at issue is Bell’s marketing initiative entitled the Relevant Advertising Program (RAP). The class was based on the Office of the Privacy Commissioner’s (OPC) findings that RAP had violated Bell’s customer’s privacy. RAP tracked Bell customer’s online activities and provided that information to third-party advertisers. RAP was discontinued in 2015 and Bell says that it was never launched. The OPC found that Bell had not obtained its customer’s consent, and should have established an opt-in procedure for doing so. Unlike the Casino Rama case, the court in Bell Mobility found, among other reasons, that there was sufficient commonality in the liability issues relating to the class to justify certifying the class action.
There are a number of reasons why the Casino Rama class action was not certified. There are also a number of reasons why the Bell Mobility class action was. If I may, I would like to point out one salient distinction between the two cases that I have observed.