Quick Hits

  • The Superior Court of Québec recently accepted a class action despite no confirmed identity-theft losses at the time of authorization.
  • The Superior Court of Québec held that plaintiffs may advance claims for moral damages where alleged distress extends beyond “routine” monitoring.
  • Loyalty-program or other contractual terms can create duties that supplement statutory obligations.
  • Exposure may extend across several regimes: Québec privacy law, federal privacy law, the Québec Charter of Human Rights and Freedoms, the Québec Consumer Protection Act (CPA), and consumer reporting laws.

Both decisions also highlight novel arguments from plaintiffs around the application of contractual obligations, other statutory regimes outside of privacy laws such as consumer protection laws, human rights laws, consumer reporting laws, and other provincial statutes.

Superior Court of Québec Decision

In a potentially pivotal decision for Québec privacy litigation, the court ruled that allegations of negligence, such as issuing misleading notices that only basic information was compromised in an incident when additional personal information was available on the dark web, were sufficient to authorize a consumer class action. Notably, the court acknowledged that other legal frameworks, such as the Québec Consumer Protection Act (CPA) and the province’s Charter of Human Rights and Freedoms, could apply, making the possibility of damages under these regimes viable and thus justifying the authorization of the class action.

These decisions, while directed at consumers, also serve as a crucial wake-up call for employers. They highlight that, following a data privacy breach, the way a notice is drafted can be scrutinized by the courts. Employers may want to carefully consider who within their organization is responsible for drafting such communications and review their processes so that notices are not shared with employees without appropriate internal procedures. Inaccurate statements or representations about data management could potentially be used by individuals to support a class action lawsuit.

Contractual Overlay

Both the Québec and Ontario decisions put an emphasis on contractual language. While privacy statutes are often the starting point, agreements with employees or customers, even loyalty-program terms, may be treated as enforceable contracts.

Although these decisions address consumers, a parallel can be drawn with the information provided by employers in employee privacy notices or privacy policies. Employers may want to consider whether representations about employee personal information, such as where it is stored and how it is used, are accurate or present a risk of claims of a privacy violation.

Multiple Statutory Hooks

The Superior Court of Québec also acknowledged that exposure may flow from several regimes simultaneously. Alongside the private-sector privacy statute and federal privacy law, various consumer protection laws and the civil code in Québec can provide independent grounds for liability. Punitive damages may be sought under:

  1. Sections 5 and 49 of Québec’s Charter of Human Rights and Freedoms (for privacy violations);
  2. Section 272 CPA (for misleading or deceptive practices); and
  3. Section 93.1 of the Québec Privacy Act, applicable to violations resulting from intentional acts or gross negligence.

Section 93.1 of Québec’s private-sector privacy law provides that when an organization unlawfully infringes on a right granted by the statute, and that infringement causes harm, punitive damages may be awarded if the act was intentional or the result of gross negligence (“faute lourde”). The minimum punitive award under this section is $1,000. For employers, this highlights that certain privacy breaches, particularly those involving serious lapses or deliberate misconduct, can lead not only to compensatory damages but also to mandatory punitive damages, increasing the potential financial and reputational exposure in class-action litigation.

This layered framework underscores that employers can face parallel risks when managing personal data across jurisdictions.

Communications and Hotline Pitfalls

The Québec ruling also illustrates how communication strategies can become litigation risks. The defendant’s limited social media updates and under-resourced hotline drew judicial attention. According to the court, advertising a call centre but leaving callers without meaningful assistance could amount to a misleading practice. Although this is not a decision on the merits of the case, the court did take note of the allegation that the advertised helpline was not responsive. Companies that operate employee or customer hotlines may wish to assess whether advertised resources are realistically staffed and capable of providing timely support.

Class Actions in Consumer Contracts

It is also worth noting that, under the CPA in Québec, parties cannot contractually exclude the possibility of a class action. Under section 11.1 of the CPA, companies cannot force consumers to resolve disputes through arbitration or prevent them from pursuing court action, including class actions. However, once a dispute has arisen, a consumer may choose arbitration voluntarily. Even if consumer-facing agreements, such as loyalty-program terms or benefit-related documents, contain provisions aimed at limiting dispute resolution mechanisms, such clauses would not prevent a class proceeding. This highlights that contractual drafting alone may not insulate against class action risk.

Next Steps

In light of the Québec and Ontario courts’ respective decisions to certify consumer class actions based on data breaches, employers may want to consider the following steps:

Auditing Contractual Commitments

Employers may want to review whether employment policies, benefit programs, or loyalty arrangements include promises about data protection that could create contractual obligations.

Enhancing Incident Response Plans

Documented escalation protocols and multilingual communications may help employers respond promptly in the event of a breach.

Evaluating Hotline and Support Resources

Employers that advertise assistance lines can consider whether these services are adequately resourced to meet demand.

Coordinating Messaging

Public statements, internal communications, and legal notifications may benefit from alignment to avoid language that could later be characterized as misleading.

Anticipating Multi-Regime Exposure

Employers can consider modelling potential damages under Québec privacy law, federal privacy law, the CPA, and the Charter of Human Rights and Freedoms, and evaluating whether cyber-insurance policies provide coverage for punitive damages.

Ogletree Deakins’ Canadian offices, Class Action Practice Group, and Cybersecurity and Privacy Practice Group will continue to monitor developments and will post updates on the Canada, Class Action, Cross-Border, Cybersecurity and Privacy, and Retail blogs as additional information becomes available.
