Data Breach Class Actions – Key Developments and Emerging Risks: 2026 Privacy Breach Insights – Part 2

This article is part of our 2026 Data Breach Insights series, designed to help companies navigate the evolving data breach landscape. Explore the full series.

Introduction

A pendulum has swung in Canadian data breach class actions. From that swing, new trends have emerged.

Initially, Canadian courts generally applied a broad and liberal approach to certifying proposed data breach class actions. A wide range of data breach incidents, such as third-party hacking, resulted in class proceedings. But as breaches became more commonplace, courts began to apply a more rigorous approach. As a result, plaintiffs now face significant certification hurdles, particularly in Ontario and Alberta, while British Columbia’s courts have indicated that they might not follow the pendulum swing – or at least not swing as far.

In response, enterprising class counsel are focusing on more novel claims against companies. In particular, we are seeing more cases alleging that the companies themselves (not third-party hackers) are collecting and using their customers’ personal information in a way that breaches their customers’ privacy rights.

This shift in focus away from data breach cases and toward data misuse cases, alongside an evolving privacy regulatory environment, may influence the types of class actions we can expect to see in the future. As the legal trends and frameworks continue to evolve, it is crucial for companies to stay informed and proactively guard against potential litigation risks.

The Historical Approach to Data Breach Class Actions in Canada

Historically, data breach class actions were so commonplace in part because, in some provinces, plaintiffs could rely on a privacy tort called “intrusion upon seclusion”. Intrusion upon seclusion was a preferred tool for plaintiffs because it does not require them to prove they suffered any harm to establish liability and obtain damages.^[1] This made certification easier: courts could certify class actions even without evidence of widespread – or any – financial harm to class members.

But that changed in 2022 when the Ontario Court of Appeal released a trilogy of decisions confirming that intrusion upon seclusion was not available in cases where a third party unlawfully accessed a company’s database of customer information.^[2] The Court found the company defendants were not the ones who “invaded or intruded” on their customers’ privacy – it was the third-party hackers who had done so. The Alberta Court of Appeal followed suit.^[3]

With these decisions removing intrusion upon seclusion as a viable cause of action, class action plaintiffs in Ontario and Alberta are left with claiming negligence, which requires showing that proposed class members suffered “real pecuniary damages”.^[4] Alleged emotional distress from being the victim of a cyber-crime is not in itself sufficient to ground a claim.^[5] This vastly limits the number of data breach class actions and, in turn, has curbed the appetite of class counsel to pursue these types of cases.

However, even as courts have narrowed the scope of viable causes of action in data breach class actions, plaintiffs continue to bring claims in negligence, sometimes relying on novel duties. For example, in Litvin v. Mackenzie Financial Corporation, the Ontario Superior Court accepted that the obligation to protect confidential data entrusted to a defendant, even for a limited purpose, may be recognized as a duty. Although the duty may be novel, it is not doomed to fail and is therefore capable of supporting certification.^[6] Consistent with the Court of Appeal’s trilogy, in Litvin, the court also declined to certify claims for intrusion upon seclusion.^[7]

British Columbia Leaves Some Room for Data Breach Class Actions

The BC Court of Appeal appears to have taken a somewhat different stance from courts in Ontario and Alberta. While the BC Court of Appeal has agreed that intrusion upon seclusion is not available against company defendants who had been unlawfully hacked (or at all in British Columbia), it has held that companies whose databases were hacked by third parties might still be liable for statutory breach of privacy torts under the BC Privacy Act.^[8]

The BC Court of Appeal has held that, like intrusion upon seclusion, the Privacy Act does not appear to require proof of harm to establish liability and damages. Accordingly, BC courts may be willing to continue to certify data breach class actions against these company defendants, even absent any proof of harm to the proposed class.

Data Misuse Cases

As more and more data breach class actions fail certification, enterprising class counsel have shifted their focus to other types of claims against companies that hold a significant amount of user data. In some provinces, class actions alleging data misuse are becoming more commonplace. These cases tend to allege that the company defendants collect and use personal information in a manner inconsistent with (or entirely without) user consent.

The case law on alleged data misuse class actions remains in development. Some courts have affirmed their important gatekeeping role at the certification stage and have weeded out some of these unmeritorious claims. For example, some courts have refused to certify data misuse cases where there is no evidence that a rights violation occurred or that class members suffered compensable harm.^[9] And some courts have refused to certify data misuse claims where the pleadings failed to disclose a reasonable claim for breach of contract in relation to the alleged misuse.^[10]

On the other hand, some courts appear to be taking a more permissive approach to these kinds of cases at certification. For instance, in a recent proposed class action against Google in B.C., the plaintiff alleged that Google used its facial recognition technology to collect and store users’ personal information and made it accessible to third parties.^[11] The lower court refused to certify the case, finding (among other things) that the privacy claims were not viable because there were no material facts to support the allegation that Google disclosed customers’ data to a third party. But the Court of Appeal reversed that decision. It held that the plaintiff’s claim that Google used the data for its own competitive advantage, and that Google could share its customers’ data with third parties if it wanted to do so, was sufficient to ground a privacy claim for class members under the Privacy Act and in tort.

Conversely, in a similar class action brought against Cadillac Fairview Corporation, the plaintiffs alleged that the defendants secretly collected facial images of shopping mall visitors and converted them into numerical data in breach of the mall visitors’ privacy rights. The plaintiffs brought claims for intrusion upon seclusion, breach of provincial privacy statutes, negligence, and breaches of Quebec law. At the first stage of certification, the court struck the claim for intrusion upon seclusion in BC, but not in Ontario or Manitoba, and struck the claim for negligence on the basis that the plaintiffs pleaded only psychological disturbances that did not constitute a compensable personal injury.^[12] Although statutory privacy claims relating to the BC and Manitoba privacy acts were properly pleaded, the court ultimately refused certification, finding there was no identifiable class, the proposed common issues were not amendable to class-wide determination, and a class proceeding was not the preferable procedure.^[13]

Moreover, intrusion upon seclusion may remain available in Ontario, but only in circumstances of data misuse that do not involve third-party hackers. This would include where a defendant is alleged to have intentionally accessed private information and the invasion of privacy is considered highly offensive, causing distress, humiliation, or anguish to a reasonable person. For example, in Trueman v. Rogers Communications Canada Inc., the court declined to dismiss a proposed data breach class action alleging intrusion upon seclusion. Unlike cases involving unauthorized access by third-party hackers, the plaintiff alleged the defendants themselves unlawfully accessed customers’ confidential information for marketing purposes, and that this conduct caused distress to the plaintiff.^[14]

It is still too early to determine how these trends will unfold. We continue to monitor how the courts will apply the certification test to these types of claims.

Damages for privacy breaches

Recent appellate authority has also clarified the scope of damages potentially available for statutory privacy breaches where there is no proof of consequential loss. In Insurance Corporation of British Columbia v. Ari, the B.C. Court of Appeal confirmed that an aggregate award of damages for breach of privacy under the Privacy Act can, even absent proof of consequential harm, be more than nominal. General damages (not nominal damages) may be awarded without proof of consequential loss where the seriousness of the violation of the right itself calls out for vindication, deterrence, and compensation for harm to the claimant’s intangible interests.^[15] Damages for breach of privacy where the plaintiff suffered no pecuniary loss are intended to vindicate rights or symbolize recognition of their infringement.^[16]

Quebec's Distinctive Approach to Data Breach Class Actions

Quebec presents a unique environment for data breach class actions. The province's threshold for certification – or, as it is referred to in Quebec, authorization – is lower than the threshold in other Canadian provinces.

The role of a judge at the authorization stage is largely that of “screening” out untenable and frivolous cases that clearly do not meet the requirements of a class action.^[17] The plaintiff is not required to demonstrate that their claim is based on a sufficient factual foundation. Their primary burden is that of “logic” and not of evidence, where the plaintiff must establish the facts they alleged, if true, would justify the conclusions sought.^[18] At most, plaintiffs are required to present “some evidence” in instances where their factual allegations in support of their authorization request are vague or imprecise.^[19]

Quebec’s relatively permissive approach to class action certification is combined with the strict new provisions of its private sector privacy law, the Act respecting the protection of personal information in the private sector (the “Quebec Act”) which was overhauled by Law 25 to facilitate privacy claims. Law 25, adopted by Quebec’s National Assembly in 2021, brought forth a host of new requirements for businesses related to data breaches, such as the appointment of a Privacy Officer, data breach notification and record-keeping obligations, and enhanced individual rights, including data portability and the right to be forgotten. Notably, section 93.1 of the Quebec Act, which came into force in September of 2023, allows plaintiffs to claim punitive damages for violations of that Act or for certain privacy protections provided for in the Civil Code of Quebec that are intentional or that result from gross negligence.

Several recent decisions have shown that the Quebec courts are continuing to use a liberal framework for authorizing data-breach class actions, proving reluctant to exclude the scope of damages that can be claimed at the authorization stage. In Harguindeguy c. Suncor Énergie inc. (Petro-Canada), 2025 QCCS 3072, the Superior Court of Quebec authorized a class action on behalf of all Quebec residents whose personal or financial information held by Petro-Canada was compromised in a cybersecurity incident on June 21, 2023. While the Court refused to grant an injunction ordering Petro-Canada to provide credit monitoring services to class action members pending the resolution of the lawsuit, it authorized the class action, including a claim for punitive damages under section 93.1 of the Quebec Act, despite finding that the allegations in support of them were not well developed.

In Royer c. Capital One Bank (Canada Branch), 2025 QCCA 217, the Quebec Court of Appeal overturned several findings of the authorization judge at first instance, in the context of a class action authorization for Quebec residents impacted by a data-breach by a hacker of personal information that affected over 100 million Americans and six million Canadians. The Court of Appeal overturned the authorization judge’s decision to limit the authorized damages to compensation for credit-monitoring costs, finding that the class action members could claim any costs related to the data breach that they could establish at trial, including non-pecuniary costs related to stress and anxiety.

As a Quebec Court has not yet awarded punitive damages under section 93.1 of the Quebec Act against a class action defendant since that section came into force, Harguindeguy will set an important precedent if it proceeds to a trial on the merits. The Court of Appeal’s decision in Royer confirms that Quebec jurisprudence generally favours a broad and liberal approach to authorizing class actions arising from data breaches.

This article is part of our 2026 Data Breach Insights series, designed to help companies navigate the evolving data breach landscape. As threats grow more sophisticated and regulatory scrutiny increases, companies face greater legal, financial, and operational risks. To help you stay ahead of these challenges, each part of this series provides actionable insights on data breach preparedness, compliance obligations, and risk mitigation. Explore the full series here.

What we mean by “data breach”

When people hear “data breach,” they often think only of incidents involving personal information. In this series, we use the term more broadly. We’re looking at any security incident where sensitive or confidential data is accessed, exfiltrated, published, changed, wiped, or made unavailable without authorization – whether that data belongs to individuals or to the business itself. That includes everything from intellectual property and financial records to operational systems taken offline by ransomware.

To learn more about how our Cyber/Data Group can help you navigate the cyber and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.

^[1] Jones v Tsige, 2012 ONCA 32.

^[2] Owsianik v Equifax Canada Co, 2022 ONCA 813; Obodo v Trans Union of Canada, Inc., 2022 ONCA 814; and Winder v Marriot International, Inc, 2022 ONCA 815.

^[3] Setoguchi v Uber B.V., 2023 ABCA 45.

^[4] Quantz v Ontario, 2025 ONSC 90 at para. 67.

^[5] Quantz v Ontario, 2025 ONSC 90 at para. 66.

^[6] Litvin v Mackenzie Financial Corporation, 2025 ONSC 6138 at para. 36.

^[7] Litvin v Mackenzie Financial Corporation, 2025 ONSC 6138 at para. 51, following Owsianik v Equifax Canada Co, 2022 ONCA 813.

^[8] GD v South Coast British Columbia Transportation Authority, 2024 BCCA 252; Campbell v Capital One Financial Corporation, 2024 BCCA 253.

^[9] See, for example, Kish v Facebook Canada Ltd, 2021 SKQB 198; Chow v Facebook Inc, 2022 BCSC 137; Simpson v Facebook, 2021 ONSC 968.

^[10] See, e.g., Hvitved v Home Depot of Canada Inc, 2026 BCCA 39 at paras. 46-62; Lam v Flo Health Inc, 2024 BCSC 391 at para. 100.

^[11] Situmorang v Google, LLC, 2024 BCCA 9. The Court of Appeal overturned the order dismissing the action for disclosing no reasonable cause of action, and the matter was remitted to the BC Supreme Court to address the remaining certification issues.

^[12] Cleaver v The Cadilac Fairview Corporation at paras. 121, 126, 148.

^[13] Cleaver v The Cadilac Fairview Corporation at para. 230.

^[14] Trueman v Rogers Communications Canada Inc, 2025 ONSC 5972 at para. 99.

^[15] Insurance Corporation of British Columbia v Ari, 2025 BCCA 131 at para. 48.

^[16] Insurance Corporation of British Columbia v Ari, 2025 BCCA 131 at para. 15, citing Jones v Tsige, 2012 ONCA 32.

^[17] Wang c CST Consultants inc., 2021 QCCS 1104 at para. 47.

^[18] Allard c Procureur general du Québec, 2022 QCCA 686 at para. 28.

^[19] Allard c Procureur general du Québec, 2022 QCCA 686 at para 28.