BC Court of Appeal Rules PIPEDA is not a “Comprehensive Code”
September 2020 Charity & NFP Law Update
Published on September 30, 2020

By Esther Shainblum


On August 31, 2020, the British Columbia Court of Appeal released its decision in Tucci v Peoples Trust Company.  The decision concerned the certification of a class action against the defendant financial services provider, Peoples Trust Company (“PTC”), which in 2013 suffered a data breach compromising the personal information of its customers. The clients affected by this breach initiated the class action seeking compensation for harm caused by the dissemination of their personal information.

By way of background, PTC maintained on its webserver an unencrypted copy of a database containing a considerable amount of personal information pertaining to its online customers, including names, addresses, email addresses, telephone numbers, dates of birth, social insurance numbers, occupations, and, in the case of credit card applicants, their mothers’ birth names. PTC failed to apply adequate cyber-security safeguards, including patches and software updates, leaving its database vulnerable to bad actors.

In the lower court’s decision, the judge accepted that there were arguable claims for breach of contract and for negligence and held that an arguable claim for breach of privacy or intrusion upon seclusion could be advanced under federal common law.

PTC appealed the lower court’s decision with regard to the certification of claims framed in breach of contract and negligence, and from certification of claims under federal common law. PTC argued that the terms of use set out on its website clearly exclude liability for data breaches, an issue which the lower court judge did not address in its decision. PTC also argued that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) constitutes a complete code that comprehensively regulates all aspects of personal information collection, retention, and disclosure in the federally-regulated private sector, and that therefore no action, other than an application to the Federal Court as contemplated by PIPEDA, can be brought in respect of a data breach.

On appeal, the court found no error in the lower court’s certification of the class proceedings for breach of contract and negligence. The court rejected PTC’s argument that PIPEDA was intended to be a complete code and held that it does not displace common law remedies.  The court pointed out that caution should be exercised in concluding that PIPEDA was intended to abolish existing private law rights, particularly because it applies to the private sector and not to public bodies exercising a statutory mandate. 

The court noted that this case involved private law relations between private citizens and a commercial enterprise and found nothing in PIPEDA to suggest that it was intended to prevent aggrieved parties from pursing common law causes of action. The court stated that it was “unfortunate” that there had been no appeal of the lower court’s ruling that no cause of action for breach of privacy or intrusion upon seclusion exists in British Columbia.  Going further, the court stated that the time may have come for it to revisit its jurisprudence on the tort of breach of privacy, pointing to the Court of Appeal for Ontario’s 2012 decision in Jones v Tsige, discussed in Charity Law Bulletin No. 277, which recognized the common law tort of intrusion upon seclusion, and stating that “a failure to recognize at least some limited tort of breach of privacy may be seen by some to be anachronistic.” The court further stated that “the interesting question of whether the law needs to be rethought will have to await a different appeal.”

The court pointed out that the division of powers between the federal and provincial levels of government is not “watertight” and that there are areas in which either level of government can properly introduce legislation. The court rejected the lower court’s finding that there is a “federal common law”, holding that there is neither a “federal” nor “provincial” common law, but rather a single common law covering matters within federal and provincial jurisdiction. The court therefore set aside the lower court’s certification of claims under federal common law.   

This decision is a reminder that claims for breach of privacy and negligence are an ever-present risk faced by all types of organizations, including charities and not-for-profits, and that appropriate data security measures must be taken to protect personal information under an organization’s control.


Read the September 2020 Charity & NFP Law Update