The British Columbia Court of Appeal has held that negligence claims for compensation arising from breaches of personal information are “at least arguable” in the recent decision of G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252
In G.D., personal employee information held by TransLink was compromised after a cyberattack perpetrated by a third party. The appellants were former employees of Translink, who sought to be appointed as the proposed representative plaintiffs in a class proceeding against TransLink on their behalf and on behalf of all other persons whose personal information was impacted as a result of the data breach.
The British Columbia Supreme Court had held that it was “plain and obvious” that the claim of the employees would fail under both the Privacy Act , R.S.B.C. 1996, c. 373, and in negligence. The Court of Appeal disagreed, finding, with respect to a claim pursuant to the Privacy Act, that it was “is at least arguable that an entity’s failure to take reasonable measures to safeguard private information that it collects, leading to an independent party’s intrusion, is itself a violation of a person’s privacy”.
With respect to the claim in negligence against Translink, the Court of Appeal found that the duty set out in the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“FIPPA”) did not displace a common law duty of care. In other words, there need not be a breach of FIPPA for individuals to pursue civil actions in negligence arising from breach of privacy or careless storage of information. The Court of Appeal further found that there was a sufficient proximity between employer and employee to potentially give rise to a duty of care, and “a real risk of significant harm” arising from a breach of this duty.
The Court of Appeal set aside the decision of the Supreme Court and remitted the application for certification to the trial court.