Certification After the Trilogy: What Still Works in Privacy Litigation

In a trilogy of cases in 2022, the Ontario Court of Appeal reshaped the landscape for privacy and data breach class actions (the “Trilogy”).[1] Each of those three cases involved privacy class actions against defendants who collected and stored the personal information of putative class members in their databases following large-scale data breaches by third-party hackers. The Court sharply limited the availability of the tort of intrusion upon seclusion in such cases involving third-party hackers, emphasizing that the tort requires deliberate and wrongful intrusion by the defendant itself.

Two recent Ontario Superior Court of Justice decisions demonstrate that, while the Trilogy raised the bar, it did not shut the door. In Trueman v. Rogers Communications Canada Inc., 2025 ONSC 5972, the court certified a class action alleging breach of contract, breach of confidence, intrusion upon seclusion, and breaches of Quebec privacy statutes arising from Rogers Bank’s repeated “soft” credit checks on Rogers Communications customers. The defendants argued that the Trilogy foreclosed intrusion upon seclusion claims absent hacking or misuse by outsiders.

The court rejected that framing. While acknowledging the Court of Appeal’s guidance,[2] the court drew a critical factual distinction: the alleged intrusion was not the result of a third-party cyberattack, but rather intentional and repeated access to customer credit information by the defendants themselves, without meaningful consent.[3] Because the claim involved deliberate conduct by the defendants, the intrusion upon seclusion claim was allowed to proceed.

The court also rejected the defendants’ argument that regulatory processes to the Office of the Privacy Commissioner (“OPC”) and the Federal Consumer Agency of Canada offered a preferable alternative to a class action.[4] A prior FCAC decision was irrelevant, as it involved different conduct and pre-dated the impugned soft-pull practices. The ongoing OPC investigation required closer attention, but its limitations of not being able to award damages, resolve contract claims, and provide no mechanism for collective redress made it not preferable to a class proceeding. Each class member would be forced into a separate complaint, recreating the very access-to-justice barriers class actions are designed to overcome. Given the four-year delay in the plaintiff’s own OPC complaint, and the understandable reluctance of consumers to lodge complaints against their ongoing service providers, the OPC regime was not a realistic alternative.

Equally important, the court in Trueman accepted that privacy harms need not always take the form of financial loss. The court accepted that loss of privacy and autonomy over personal information may support general damages for breach of contract.[5] This finding was particularly significant in the context of the contracts at issue, which were standard-form contracts of adhesion, where consumers have no ability to negotiate the terms governing how their financial information may be accessed or used. In doing so, the decision reinforces that where defendants themselves appear to misuse personal information, the Trilogy does not pose an insurmountable barrier.

Litvin et al v. Mackenzie Financial Corporation et al, 2025 ONSC 6138 illustrates a different, but equally important, post-Trilogy pathway that addresses the limits the Trilogy placed on privacy torts in cases involving third-party cyberattacks. Unlike Trueman, which was a more direct claim against the named defendants, Litvin arose from a cyberattack in which criminals exploited a vulnerability in third-party file transfer software used by the defendant, InvestorCOM, exposing highly sensitive personal and financial information belonging to the clients of another defendant, Mackenzie Financial Corporation. The court expressly acknowledged the Trilogy’s requirement that intrusion upon seclusion involves intentional and nefarious conduct, and declined to certify claims under privacy regimes requiring willful invasion.[6]

Instead of forcing the facts into an intrusion upon seclusion framework that the Trilogy demonstrated was no longer viable for many cyberattack cases, the plaintiff did not advance the tort at all. Rather, the court focused on the viability of the causes of action pleaded, namely whether a plausible claim could proceed in negligence, breach of contract, and potentially breach of fiduciary duty and concluded that it could. The question was whether the defendants’ alleged failure to safeguard extremely sensitive data, together with the well-recognized foreseeability of cyberattacks and the resulting need for affected clients to take ongoing protective measures, provided a plausible theory of harm at the certification stage. The court concluded that it did.[7]

There was also a further issue raised by the plaintiff’s attempt to claim remedies under privacy statutes of other provinces. The court rejected those claims, holding that while the content of other provincial legislation could be treated as a material fact and used to frame the broader privacy context, the Court could not administer or grant remedies under statutory schemes that confer jurisdiction on courts in other provinces because it was bound by jurisprudence to the contrary.[8] Importantly, the court emphasized that this was not a finding that Ontario lacked jurisdiction over residents of those provinces, but a recognition that the statutes themselves did not authorize Ontario courts to award remedies under them. As a result, the plaintiff could certify a national class, but could not pursue stand-alone statutory remedies from other jurisdictions within this proceeding.

Interestingly, both of these cases share one important feature: they involve the handling of financial information, a category of personal data that Ontario courts have long considered highly sensitive. The history of the tort of intrusion upon seclusion demonstrate that financial records have formed part of the tort’s origin story,[9] shaping how courts think about reasonable expectations of privacy and the offensiveness of unauthorized access. This contextual sensitivity seems to continue to provide a foundation, even in the post-Trilogy environment, for privacy claims grounded in the misuse or mishandling of financial information to continue to gain traction at certification.

Together, these cases demonstrate that while the Trilogy narrowed the scope of privacy class actions in Ontario, it did not necessarily close the door. Claims alleging direct and intentional misuse of personal information by defendants themselves remain capable of supporting intrusion upon seclusion, provided the pleadings clearly articulate who accessed the data and for what purpose. Where third-party hackers are involved, plaintiffs should continue to ground their cases in negligence and contract, with careful attention to pleading duty of care, foreseeability, and a credible pathway to compensable harm. These decisions also underscore the importance of tailoring causes of action to the factual matrix rather than relying on generalized privacy theories. In the post-Trilogy landscape, strong certification records will be built on disciplined pleadings, clear factual distinctions, and early strategic decisions about which privacy claims can realistically survive judicial scrutiny. The message for counsel is clear: privacy class actions are no longer formulaic, but with precision, discipline, and the right theory of harm, certification remains very much achievable.

Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.