Québec Court Rejects Privacy-related Class Action Filed After Loss of Laptop

The Québec Superior Court recently rendered judgment in the matter of Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières (2021 QCCS 1093), further to a class action resulting from the loss of a portable computer containing personal information.

Contrary to what often happens with such class actions, this one did make it through the whole process, up to and including an actual judgment on the merits of the case. In the end, the Québec Superior Court rejects the claims, including those for ordinary damages as well as the claim for punitive damages. In doing so, however, the court does provide us with some principles that seem worth remembering.

This case stems from the loss of a portable computer by an employee of the defendant, a non-encrypted device which contained sensitive information about certain individuals. Even though these individuals may have worried and have been somewhat anxious at the thought of having their identities stolen, the court held that this was, in and of itself, insufficient to qualify as a real prejudice at law. As often happens is such cases, the judge found that more was required before the legal system would be required to intervene, including by awarding monetary compensation.

The class representative in this case was also alleging that certain attempts had been made to steal his identity, something more likely to deserve redress by the court. However, the plaintiff was unable to demonstrate causation between the fault of the defendant (in handling his data and the incident at issue) and such attempted identity theft. Given this absence of a causal link between the fault and the alleged damages, the court also rejected this portion of the claim.

Interestingly enough, this case provides us with a good example of the steps taken by an organization faced with a loss of data and which the court validates as appropriate under the circumstances. The defendant organization here performed an adequate inquiry, hired a specialized consultant, notified the privacy authorities, and notified potential victims. The organization also paid for credit-report surveillance services for these individuals, all of which lead the Superior Court judge to also reject this final claim (for punitive damages), given that the steps taken were adequate under the circumstances.