Credit agency TransUnion disclosed thousands of files with financial and employment data to unauthorized persons. For years, Marriott Hotels Group gave third parties access to data on hundreds of millions of hotel guests – and took no remedial measures for two months after the breach was discovered. And at credit reporting agency Equifax, the hackers hit the jackpot, prompting Equifax managers to sell shares quickly before the bad news broke. Despite all this, class action lawsuits by injured Canadians against the corporations have not yielded results.
This is the result of a decision by the Court of Appeal in Ontario, Canada’s largest province. With class action lawsuits against Equifax, Marriott and TransUnion, the injured consumers wanted to hold the companies accountable for their inadequate IT security and win compensation payments for those affected. However, Canadian data protection law lags far behind the European standard. There is no clearly actionable claim.
Whoever leaves the door open is not a thief
Therefore, the plaintiffs relied on a well-known concept of Anglo-American common law: the tort of intrusion upon seclusion, which focuses on unauthorized intrusion into protected areas. But both the court of first instance and now the court of second instance reject this: even if a breach of a computer system was only possible because the operating companies did not have proper security precautions in place, the defendant companies themselves did not intrude anywhere.
The Ontario Court of Appeal says victims can only sue the actual perpetrators. The fact that they can hardly be found is irrelevant. In the Equifax case, the US government has accused Chinese individuals of the data theft; they are said to have acted on behalf of the government of the People’s Republic of China.
Until the decision is overturned by the Supreme Court of Canada, Ontarians have little recourse if companies do not protect their personal information. Although the current decisions formally apply only in that province, they have a strong signaling effect for courts in other provinces and the country’s three territories.
Theoretically, legal claims due to negligence or breach of contract are still conceivable, or if concrete monetary damages can be proven – however, large companies routinely nip such claims in the bud with contractual clauses. Canada’s Data Protection Commissioner cannot impose fines itself, but can only apply for them in court. The upper limit is currently a modest USD 100,000 (about EUR 70,000) – not covered by Marriott, TransUnion or Equifax.
A bill called Bill C-27 is currently in progress in Canada’s federal parliament; it is intended to improve data protection, significantly increase potential fines and open up the possibility of legal action against sloppy companies. However, those affected would only be able to sue if Canada’s Data Protection Commissioner or the new Data Protection Tribunal has already found that data protection law has been breached.
Such determinations can take years and cannot be enforced by consumers. If the Data Protection Commissioner of Canada does not have the ability to deal with a specific hack, its victims will not be able to take legal action even after the proposed amendment to the law.
First instance decisions of the Ontario Superior Court of Justice:
Major decision of the Ontario Court of Appeal: