|
Bourbonnière c. Yahoo! Inc. |
2019 QCCS 2624 |
|
SUPERIOR COURT (Class Actions) |
||||
|
|
||||
|
CANADA |
||||
|
PROVINCE OF QUEBEC |
||||
|
DISTRICT OF |
Montreal |
|||
|
|
||||
|
Nos: |
500-06-000842-175 500-06-000841-177 |
|||
|
|
||||
|
DATE: |
June 10, 2019 |
|||
|
_____________________________________________________________________ |
||||
|
|
||||
|
BY |
THE HONOURABLE |
CHANTAL TREMblAY, J.S.C. |
||
|
_____________________________________________________________________ |
||||
|
|
||||
|
BRIGITTE BOURBONNIÈRE |
||||
|
Plaintiff |
||||
|
v. |
||||
|
YAHOO! INC. and YAHOO! CANADA CO. |
||||
|
Defendants and NATALIA KARASIK and RAHUL SURYAWANSHI and DAVID BRUNI and ELIE CHAMNI Third Parties
|
||||
|
_____________________________________________________________________ |
||||
|
|
||||
|
JUDGMENT ON LEAVE TO AUTHORIZE A CLASS ACTION AND TO STAY THE PROCEEDINGS |
||||
|
_____________________________________________________________________ |
||||
|
|
||||
[1] Brigitte Bourbonnière wishes to institute a class action on behalf of all persons residing in Quebec whose personal and/or financial information was stolen from the Defendants as a result of cyberattacks which occurred after January 1, 2013 (the “Principal Victims”). She also wants to represent all other persons, businesses, entities, corporations, financial institutions or banks who suffered damages or incurred expenses as a result of the data security incidents (the “Collateral Victims”) (and collectively “Class Members”).
[2] She alleges that the Principal Victims have experienced inconveniences, mental distress, economic loss or other losses associated with having their private data accessed and intruded upon. She also alleges that these victims are entitled to an unspecified amount for exemplary and/or punitive damages.
[3] Yahoo! Inc. is a company that provides the internet-based services to users worldwide. Yahoo! Canada Co. is a related company (collectively “Yahoo!”). As part of its operations, Yahoo! collects and stores large volumes of personal and/or financial information about its users including but not limited to users’ names, email addresses, telephone numbers, date of birth, passwords and security questions linked to a user’s account. Such information is required in order to create an account.
[4] On September 22, 2016, Yahoo! issues a press release[1] in which it announces that sensitive personal account information associated with at least 500 million user accounts was stolen from the company’s network in late 2014 (2014 Data Breach). The stolen information includes users’ names, email addresses, telephone numbers, date of birth, hashed passwords and in some cases, encrypted or unencrypted security questions and answers.
[5] On December 16, 2016, Yahoo! sends an email[2] to account users in which it announces that a recent investigation by law enforcement confirms that sensitive personal account information was stolen from the company’s network in August of 2013 (2013 Data Breach).
[6] On February 15, 2017, Yahoo! sends another email[3] to account users indicating that based on the ongoing investigation, it believes that the use of forged digital cookie files may have been used in 2015 or 2016 to access account information (Cookie Breach).
[7]
Defendants contest the proposed class action as,
in their view, it fails to meet the requirements of article
[8] The third parties are class plaintiffs in a parallel class action commenced in Ontario against the Defendants in the matter of Natalia Karasik et al. v. Yahoo! Inc. et al.[4] (Ontario Action). They are asking the Court to stay the proceedings for lis pendens in favour of the Superior Court of Justice of Ontario in the event that the solicited class action with regard to the Collateral Victims is not authorized.
1. CONTEXT
[9] On December 16, 2016, a Notice of Action is filed by Natalia Karasik in Ontario against Yahoo! Inc. and Yahoo! Canada Co. followed on January 16, 2017, by the filing of a Statement of Claim (Ontario Action).
[10] On January 31, 2017, Michel Demers files an Application for Authorization to Institute a Class Action and to Appoint a Representative Plaintiff (Authorization Application or Quebec Action).
[11] On September 19, 2017, the Quebec Superior Court dismisses Defendants’ Application to Stay the class proceedings due to the existence of the Ontario Action. The Court concludes that the proposed class members in the Ontario and Quebec proceedings are not identical due to the presence of the Collateral Victims in the Quebec proceedings and this, despite the fact that such subgroup could later prove to be artificial.
[12] On March 16, 2018, Demers is substituted by Brigitte Bourbonnière by way of an Amended Application for Authorization to Institute a Class Action and to Appoint a Representative Plaintiff (Amended Authorization Application).
[13] On April 23, 2018, Defendants proceed with the examination of Bourbonnière.
[14] On May 18, 2018, the plaintiffs in the Ontario Action file a Declaration of Intervention and a Modified Application to Stay the Quebec Action until final judgment is rendered on the certification of the Ontario Action.
2. ANALYSIS
2.1 The Class
[15] The Plaintiff seeks leave to institute a class action on behalf of the following group:
All persons residing in Quebec whose personal and/or financial information was lost by and/or stolen from the Defendants as a result of data breaches that occurred in between January 1 2013 to the present (hereinafter the “Data Breach”), and as all other persons, businesses, entities, corporations, financial institutions or banks who suffered damages or incurred expenses as a result of said Data Breach, or any other Class(es) or Sub-Class(es) to be determined by the Court;.
[16] The Court must first establish the period of the proposed Class as it does not include an ending date. The Class cannot stay open indefinitely and the authorization judgment should end the Class period.
[17] Furthermore, the proposed class is excessively broad as it includes all other persons, businesses, entities, corporations, financial institutions or banks who have suffered damages or incurred expenses as a result of the data security incidents.
[18] At the authorization hearing, no demonstration was made to the effect that there exist persons (other than persons whose accounts are subject to the data security incidents) who suffered damages or incurred expenses as a result of the data breaches.
[19] Therefore, the proposed subclass is artificial in that not a single Collateral Victim has been identified, thereby calling into question its very existence.
[20] Lastly, the class description must be based on objective criteria, which are rational and not circular or imprecise. It must allow a person to know whether or not he or she is a class member. The use of defined terms in the proposed Class defeat such purpose.
[21] For these reasons, the Court redefines the Class as follows:
All persons residing in Quebec whose personal and/or financial information was lost by and/or stolen from Yahoo! Inc. or Yahoo! Canada Co. as a result of data breaches that occurred between January 1 2013 and June 10, 2019.
2.2 Criteria for Authorization
[22]
According to article
(1) The claims of the members of the class raise identical, similar or related issues of law or fact;
(2) The facts alleged seem to justify the conclusions sought;
(3) The composition of the class makes it difficult or impracticable to apply the rules for mandates to take part in judicial proceedings on behalf of others or for consolidation of proceedings;
(4) The class member appointed as representative is in a position to properly represent the class members.
[23]
At the authorization stage, the court must
perform a filtering role by ensuring that the requirements of article
[24] The court must adopt a flexible and liberal approach toward class actions as it is a procedural vehicle to achieve the twin goals of deterrence and victim compensation.[6]
[25] The plaintiff must show an arguable case. It is sufficient for the plaintiff to present a case with a good colour of right that has a chance of success, without needing to establish a reasonable possibility of success.[7]
[26] As stated by the Supreme Court, the class action is not an “exceptional remedy” that must be interpreted narrowly. On the contrary, it is “an ordinary remedy whose purpose is to foster social justice”.[8]
2.2.1 The alleged facts appear to justify the conclusions sought
[27] The plaintiff must establish an arguable case against each and every defendant. Vague, general, and imprecise allegations are not sufficient to meet such a burden. Nor are hypothetical or purely speculative allegations.[9]
[28] When analyzing this criterion, the alleged facts must be considered as true, unless they appear to be clearly inaccurate or implausible, particularly in light of the relevant evidence adduced at the authorization hearing.[10]
[29] In addition, the court must distinguish factual allegations from arguments, opinions, unsupported inferences and hypotheses, as well as assertions that are implausible or false. The insinuations, opinions, and legal arguments set out in the authorization proceeding are not facts that the court must regard as true.
[30] For the following reasons, the Court is of the view that in the present instance, the Plaintiff failed to show an arguable case against the Defendants.
[31] Plaintiff’s personal cause of action reads as follows:
29. The Applicant, who resides in the city of Mascouche, in the province of Quebec, has an email account with Yahoo! Canada;
30. The Applicant’s email account was compromised and it is not known at this time what information from the Applicant was taken as a result of the 2013 data breach only announced in December 2016. The thieves have basically been in possession of the information for the last two years;
31. The Applicant believed that Yahoo! would maintain the personal and financial information contained on his (sic) email account in a reasonably secure manner and provided his (sic) personal or financial information to Yahoo! on that basis. Had the Applicant known that Yahoo! Would (sic) not maintain his (sic) information in a reasonably secure manner, she would not have allowed his (sic) information to be used by Yahoo!;
32. The Applicant’s personal and financial information associated with his (sic) Email account was compromised in and as a result of the Data Breach;
33. The Applicant was harmed by having her financial and personal information compromised and faces the imminent and certainly impending threat of future additional harm from the increased threat of identity theft and fraud due to her financial and personal information being sold on the Internet black market and misused by criminals;
34. The Applicant must now take steps to protect her personal and financial information, such as purchasing identity protection services such as credit monitoring, all of which are highly inconvenient and may result in out-of-pocket costs;
35. The damages suffered by the Applicant are a direct and proximate result of the Defendants’ conduct In addition one (sic) she received the notice from Yahoo in October 2017, her friends began receiving scam emails using her email information as the source of the scam in attempts to extort money from her friends. This proved to be embarrassing to her having to explain that this was not an email that she had sent;
36. As a consequence of the foregoing, the Applicant is justified in claiming damages.
(our emphasis)
[32] In essence, Plaintiff alleges that her Yahoo account was compromised as a result of the 2013 Data Breach and that the Defendants were negligent in failing to protect her personal and financial information.
[33] In Sofio [11], the Court of Appeal states that the demonstration of an alleged fault does not presuppose the existence of prejudice:
[20] Le juge considère les faits allégués. Même tenus pour avérés, il estime prima facie que, malgré la faute de l’Organisme, l’appelant n’a pas établi l’existence d’un préjudice moral tangible et susceptible de compensation monétaire. Il conclut certes à des allégations démontrant l’existence de contrariétés, sans pour autant y voir là un préjudice compensable au sens de l’arrêt Mustapha c. Culligan du Canada Ltée.
[21] Nul n’est besoin de dire qu’une faute ne cause pas ipso facto un préjudice, même moral. Il en est de même de la perte fautive de renseignements personnels bien qu’elle soit susceptible de porter atteinte au droit à la vie privée des victimes. Les auteurs Baudouin et Renaud écrivent :
[…] L’on ne saurait imputer des dommages extrapatrimoniaux du seul fait qu’il y a eu atteinte à un droit garanti par la Charte des droits et libertés de la personne (L.R.Q., c. C-12). L’allocation de dommages et intérêts symboliques n’est pas non plus justifiée quand les tribunaux veulent sanctionner la violation d’un droit subjectif qui produira le plus souvent un préjudice minime; cela irait à l’encontre des principes de responsabilité civile. […]
[22] Les dommages-intérêts ne sont pas accordés en fonction de la gravité de la faute, mais plutôt du préjudice qui en découle. Une faute grave peut ne pas entraîner de préjudice, ou encore donner lieu à un préjudice minime. L’inverse est également vrai. Tout est une question de faits, faits que le requérant doit justement alléguer dans sa requête en autorisation aux fins de l’étude du critère édicté au paragraphe 1003b).
[23] En l’occurrence, à la lumière des allégations de la requête en autorisation, l’appelant ne démontre pas que l’appréciation que fait le juge du critère énoncé au paragraphe 1003b) C.p.c. est manifestement erronée.
[34] In the present instance, Plaintiff fails to demonstrate that she has incurred a compensable injury as a result of the 2013 Data Breach.
[35] As a matter of fact, Plaintiff’s discovery demonstrates that she has no reason to believe that she has been the victim of identity theft or fraud as she has not identified any suspicious charges on either her debit or credit cards and she has not received a bad credit report. She continues using her Yahoo account and she admitted not having purchased any identity protection services such as credit monitoring:
Out of Court Examination, pages 20 and 21:
Q. Alors, mis à part changer des mots de passe...
[...]
Q. ...est-ce que vous avez pris d’autres mesures afin de protéger vos informations personnelles et financières?
R. Non, mais j’en connais pas d’autres.
Q. O.K.
R. Moi...
Q. Avez-vous fait appel...
R. ...mes comptes de banque, ils sont...ils sont corrects. Comme personne a pigé dedans, là...
Q. Hum, hum.
R. ... fait que je le savais que c’était correct.
Q. O.K.
R. Puis j’ai changé les mots de passe. Cartes de crédit, aussi. T’sais, j’ai checké le relevé, tout est beau, mais j’ai changé le mot de passe au cas où.
Q. O.K. Ah, vous avez jamais eu de vol d’identité?
R. Non, pas encore.
Q. O.K. Et vous avez ...
R. Mais pas à ma connaissance, là.
Q. Vous avez jamais eu...vous avez jamais engagé les services de protection contre le vol d’identité, un service quelconque?
R. Non.
[...]
Q. O.K. Vous avez jamais eu un rapport négatif de crédit ou quelque chose qui a été surprenant...
R. Non.
Q. ...relié à ça? Et vous avez jamais engagé des services de vérification de crédit pour voir s’il y avait pas eu des transactions louches ou quelconques?
R. Non.
Q. Non.
R. Quand j’ai vu mes comptes à moi, c’était correct...
[36] In summary, Plaintiff has not incurred any out-of-pocket costs associated with the protection of her personal and/or financial information.
[37] The only prejudice suffered by the Plaintiff relates to the inconvenience of having to change her passwords in all of the accounts associated with her Yahoo email address[12] and the alleged embarrassment suffered as a result of spam emails that were sent to her friends. The Court is of the view that such prejudice is insufficient to justify a class action.
[38] In Mustapha[13], the Supreme Court has provided guidance on the distinction between minor and transient upsets and compensable injury. Compensable injury must be “serious and prolonged” and rise above the ordinary annoyances, anxieties and fears that a person living in society may experience:
[9] Cela dit, les troubles psychologiques constituant un préjudice personnel doivent être distingués d’une simple contrariété. En droit, un préjudice personnel suppose l’existence d’un traumatisme sérieux ou d’une maladie grave : voir Hinz c. Berry, [1970] 2 Q.B. 40 (C.A.), p. 42; Page c. Smith, p. 189; Linden et Feldthusen, p. 425-427. Le droit ne reconnaît pas les contrariétés, la répulsion, l’anxiété, l’agitation ou les autres états psychologiques qui restent en deçà d’un préjudice. Je n’entends pas donner ici une définition exhaustive de ce qu’est un préjudice indemnisable, mais seulement dire que le préjudice doit être grave et de longue durée, et qu’il ne doit pas s’agir simplement des désagréments, angoisses et craintes ordinaires que toute personne vivant en société doit régulièrement accepter, fût-ce à contrecœur. À mon sens, c’est cette nécessité d’accepter de telles contrariétés, au lieu de prendre action en responsabilité délictuelle pour obtenir réparation, qu’évoquait la Cour d’appel lorsqu’elle a cité Vanek c. Great Atlantic & Pacific Co. of Canada (1999), 48 O.R. (3d) 228 (C.A.) : [TRADUCTION] « [E]t la vie continue » (par. 60). Tout bonnement, les contrariétés mineures et passagères n’équivalent pas à un préjudice personnel et, de ce fait, ne constituent pas un dommage.
[39] In the following decisions, the Court of Appeal confirms that normal inconveniences and frustrations are insufficient to form the basis of a cause of action to institute a class action.
[40] Indeed, in Sofio[14], the Court of Appeal confirms the Superior Court’s refusal to authorize a class action because the plaintiff had failed to allege sufficient damages:
[18] Les allégations de fait contenues à la requête amendée en autorisation eu égard, entre autres, au préjudice allégué par l’appelant sont formulées en termes extrêmement généraux. Retenons que l’ordinateur qui a été perdu par un employé de l’Organisme contenait diverses informations personnelles à son sujet, soit son nom, son adresse, la date de sa naissance, le nom du courtier en placement avec lequel il transige et les numéros des comptes ouverts chez ce dernier. L’Organisme l’informe de cette perte le 24 avril 2013, tout en énumérant les mesures prises pour « […] atténuer tout risque potentiel auquel [il] pourrait être exposé » et celles qu’il pourrait prendre pour protéger ses renseignements. Une deuxième lettre, faisant état de nouvelles mesures mises en place par l’Organisme, lui est transmise le 30 avril 2013. Le même jour, il dépose sa requête en autorisation d’exercer un recours collectif que le juge lui permettra d’amender le 4 décembre 2013 afin, notamment, de préciser les dommages subis. Ceux-ci, de nature strictement compensatoires, se divisent en trois catégories, le stress découlant de la perte des informations, le temps consacré à suivre ses activités financières afin de s’assurer qu’il n’est pas victime d’une fraude et les démarches effectuées auprès de deux entreprises, Équifax et TransUnion, pour obtenir les services de surveillance de son crédit, aux frais de l’Organisme.
[19] Le juge étudie chacune d’elles. Il note que l’appelant allègue avoir subi un stress, mais sans fournir aucun autre détail (paragr. 47). Il estime que la description que fait l’appelant du suivi des activités financières (vérification de ses comptes bancaires et de ses relevés de carte de crédit, surveillance de son courrier, non-divulgation de ses renseignements personnels à un inconnu) correspond tout bonnement aux gestes généralement posés par une personne détentrice d’un compte bancaire ou d’une carte de crédit, même lorsque ses renseignements personnels n’ont pas fait l’objet d’une divulgation illégitime. Aux yeux du juge, l’appelant n’allègue, ni plus ni moins, que le suivi auquel on peut s’attendre d’une personne raisonnable afin de protéger ses actifs. On n’allègue en effet aucun surcroît de vigilance ou de mesures de vérification additionnelles ou autres démarches (paragr. 41 à 44). Finalement, quant aux démarches effectuées auprès des entreprises de crédit, le juge retient, à la seule lecture des pièces déposées, qu’elles s’expliquent en raison d’un problème de communication entre les premières et l’appelant (paragr. 45-46).
[20] Le juge considère les faits allégués. Même tenus pour avérés, il estime prima facie que, malgré la faute de l’Organisme, l’appelant n’a pas établi l’existence d’un préjudice moral tangible et susceptible de compensation monétaire. Il conclut certes à des allégations démontrant l’existence de contrariétés, sans pour autant y voir là un préjudice compensable au sens de l’arrêt Mustapha c. Culligan du Canada Ltée.
[…]
[23] En l’occurrence, à la lumière des allégations de la requête en autorisation, l’appelant ne démontre pas que l’appréciation que fait le juge du critère énoncé au paragraphe 1003b) C.p.c. est manifestement erronée.
[…]
[25] Ce n’est pas dire, précisons-le, qu’en matière de perte ou de vol de renseignements personnels, dans un contexte comme celui de l’espèce ou celui de l’affaire Zuckerman, il n’y aurait de préjudice indemnisable que si la perte ou le vol en question entraîne de facto l’usurpation ou la tentative d’usurpation de l’identité du requérant ou la commission d’une fraude ou tentative de fraude à son endroit. Ce n’est pas le cas. Le problème, en l’espèce, tient cependant au fait que les allégations de la requête en autorisation, tenues pour avérées, ne révèlent tout simplement pas de préjudice, même simplement moral : on invoque un stress dont la nature, l’ampleur, l’intensité ou les effets ne sont nullement détaillés et l’on décrit comme un préjudice des activités de vérification tout à fait routinières et habituelles, voire banales, chez la personne raisonnable qui est titulaire d’un compte bancaire ou détient une carte de crédit ou de débit. S’il y a plus, la requête ne le dit pas. Certes, il ne s’agit pas d’inviter ici les requérants ou les demandeurs à dramatiser la présentation de leurs allégations ou gonfler le descriptif de leur préjudice, mais il faut néanmoins un minimum factuel, qui n’est pas présent ici.
[41] Also in Fortin[15], the Court of Appeal rules that the inconveniences suffered by the owners of vehicles did not exceed the normal inconveniences affecting all of the owners in a particular year:
[170] Ensuite, même si les appelants ont subi des désagréments liés à la campagne lancée par Mazda pour corriger le défaut affectant son modèle Mazda 3, à l’évidence, ceux-ci n’excèdent pas les inconvénients normaux auxquels tous les propriétaires de véhicules sont confrontés ici et là dans le cours normal d’une année.
[171] Le droit de la responsabilité civile
n’ambitionne pas de compenser une partie pour toutes ses frustrations et
susceptibilités liées au moindre manquement de la part de celui avec qui elle
interagit, ne serait-ce qu’en raison de la grande part de subjectivité que
comportent les demandes de cette nature. Aussi, il ne convient pas d’accaparer
les tribunaux pour des réclamations individuelles reposant sur des conséquences
de peu d’importance (art.
[42] Similarly, in Mazzonna[16], a case involving the loss of data tape, the Superior Court concludes that the anxiety felt by the plaintiff upon and after learning that her personal information had been lost and the modification of habits in the manner in which she managed her bank account, is not enough to meet the threshold, even on a prima facie basis, of the existence of compensable damages.
[43] The present case can be distinguished from other data security incident cases such as Zuckerman[17] and Belley[18] since, unlike these two other cases, Plaintiff has not incurred any expenses for credit monitoring services nor was she a victim of identity theft.
[44] The transient embarrassement and inconveniences invoked by the Plaintiff are of the nature of ordinary annoyance and do not constitute compensable damages recoverable under the applicable law. Indeed, the need to change a password at a higher frequency cannot give rise to a serious compensable loss claim.
[45] As demonstrated below, the allegations found in paragraph 35 of the Amended Authorization Application are insufficient as they do not demonstrate the existence of any specific damages.
[46] According to Plaintiff’s testimony, 20 of her friends contacted her regarding Spam Emails. However, no copies of these Spam Emails are filed into the Court record.
[47] After learning about the cyberattack, Plaintiff sent emails in 2015 and in 2017 to all her contacts advising them to delete any spam messages that appear to have been sent from her email address:
Out of Court Examination at pages 27 to 29
R. ... moi, j’ai envoyé un email à tout mon monde, vraiment de moi, puis j’ai écrit : « Si vous recevez des choses bizarres, inquiétez-vous pas, c’est pas de moi, personnellement...
[...]
R. ... juste à deleter », comme ... t’sais.
[...]
Q. Mais est-ce que vous avez conservé quelque part, dans votre système, ce email?
R. Je suis classée, mais ça, j’y ai pas repensé, dans le temps, de garder ça. J’ai dit : « J’ai averti mon monde, puis ils m’ont répondu : « C’est correct, pas de problème, là, on le sait ». »
Q. Hum, hum.
R. Puis je n’ai pas réentendu parler après, fait que...d’après moi, c’est beau, là. Je veux dire, s’ils reçoivent quelque chose de bizarre...
Q. Hein, hein.
R. ... ils savent que ça vient pas de moi.
[48] Plaintiff also testifies that following the incident, she was never informed that one of her friends suffered any loss or negative consequences in connection with the Spam Emails:
Out of Court Examination at pages 29 and 41 to 43
Q. Vous avez jamais entendu parler d’une perte quelconque qui a résulté de ces pourriels.
[...]
Q. ... une conséquence négative, perdu de l’argent à cause de ça, à cause d’un email en votre nom, qui était un pourriel?
R. Non, parce que quand eux autres s’aperçoit qu’on demande de l’argent, puis tout ça puis ça vient de moi, il y a quelque chose qui marche pas, là.
[...]
(our emphasis)
[49] In view of the above, the Court concludes that Plaintiff did not demonstrate a arguable case with regard to the allege cause of action.
2.2.2 The members of the class claims raise identical, similar or related issues of law or fact
[50] At the authorization stage, the threshold requirement for common questions is low.[19]
[51] All that is needed is that there be an identical, related or similar question of law or fact, if it settles a not insignificant portion of the dispute.[20]
[52] The common questions submitted need not necessarily lead to common answers.[21] It is not required that each member of a group be in an identical or even a similar position in relation to the defendant or to the injury suffered.[22] It is also not mandatory for the question submitted to obligatoraly be common to all the members of the group. Merely related is sufficient.[23]
[53] The common issues described in the Amended Authorization Application are as follows:
a) Were the Defendants negligent in the storing and safekeeping of the personal and financial information of the Class Members whose information was ultimately lost and/or stolen between January 1, 2013 and the present?
b) Are the Defendants liable to pay damages to the class Members as a result of the Data Breach, including actual monetary losses or expenses incurred, loss of time, inconvenience, moral damages, and/or punitive damages caused by the loss of said information, and if so in what amounts?
[54] The Court is of the view that the above constitute common issues and that the issue of damages must not be decided on the particular facts of each case.
[55] Therefore, this criterion is met.
2.2.3 The composition of the class makes it difficult or impracticable to apply the rules for mandates to take part in judicial proceedings on behalf of others or for consolidation of proceedings
[56]
This third criterion of article
[57] This criterion must be given the same broad and liberal interpretation as the first two.
[58] Plaintiff alleges that the number of persons included in the Class is estimated to be in the thousands and the names and addresses of all these persons are unknown to the Plaintiff but are known to the Defendants.
[59] In addition, she alleges that given the costs and risks inherent in an action before the Courts, many people will hesitate to institute an individual action against the Defendants. Furthermore, individual litigation of the factual, scientific, and legal issues raised by the conduct of the Defendants would increase delay and expense to all parties and to the Court system.
[60] In view of these facts, the Court is of the view that this criterion is met.
2.2.4 The class member appointed as representative plaintiff is in a position to properly represent the class members
[61] When analyzing this fourth criterion, the Court must be certain that the following three elements are present: (1) interest in the suit, (2) competence, and (3) absence of conflict with the class members.[24]
[62] Once again, this criterion must be given a liberal interpretation. No proposed representative should be excluded unless his or her interest or competence is such that the case could not possibly proceed fairly.[25]
[63] The Amended Authorization Application contains the following allegations:
50. The Applicant, who is requesting to obtain the status of representative, will fairly and adequately protect and represent the interest of the Members of the Class, since Applicant:
a) had private personal and/or financial information accessed and/or stolen;
b) understands the nature of the action and has the capacity and interest to fairly and adequately protect and represent the interests of the Members of the Class;
c) is available to dedicate the time necessary for the present action before the Courts of Quebec and to collaborate with Class attorneys in this regard;
d) is ready and available to manage and direct the present action in the interest of the Class Members that the applicant wishes to represent, and is determined to lead the present file until a final resolution of the matter, the whole for the benefit of the Class;
e) does not have interests that are antagonistic to those of the other members of the Class;
f) has given the mandate to the undersigned attorneys to obtain all relevant information to the present action and intend to keep informed of all developments;
g) is, with the assistance of the undersigned attorneys, ready and available to dedicate the time necessary for this action and to collaborate with other Members of the Class and to keep them informed;
[64] The Court of Appeal in Contat v. General Motors du Canada Limitée[26] states:
[33] Even though it is not necessary to have the “best possible representative”, appellant having a non-existent or extremely weak personal claim, could not adequately represent the whole group. On one hand, it is his claim which would normally be the basis for the Court to analyze and decide the case. On the other hand, the procedural vehicle of the class action was not designed to be a method of circumventing principles of civil law. Thus, it must be shown in a class action, just as in any action for damages, that there has been a fault, a damage and that there is a causal relationship between the two.
[34] In similar circumstances, our Court in Option Consommateurs c. Bell Mobilité, decided that the applicant cannot provide adequate representation to members of the group. Rochon J.A., writing for the Court, states:
54. Bref, une personne designee qui n’a pas de recours personnel valable ne peut certes pas se qualifier à titre de représentant des membres dans le cadre d’un recours collectif [...]
(our emphasis)
[65] Similarly, in Charest v. Dessau inc.[27], the Superior Court stated:
[65] L’absense de demonstration par le Requérant qu’il a l’intérêt pour agir et qu’il aurait subi personnellenment des dommages à cause des gestes des intimés suffit à conclure qu’il ne peut poursuivre les intimés et ne satisfait pas à la condition de l’article 1003 b) .
[66] Cette conclusion quant à
l’intérêt d’agir dispose aussi de la condition de l’article
[66] The Court is of the view that the Plaintiff is not in a position to adequately represent the Class as she did not suffer any compensable damages as a result of the data security incidents. Furthermore, the Plaintiff has not demonstrated any legal basis for a claim of punitive damages.
[67] This lack of standing is sufficient to negate this criterion.
2.2.5 Conclusion
[68]
The Court refuses to authorize the proposed class action since the criteria set forth in article
2.3 Lis pendens
[69] In view of the Court’s conclusion, there is no need to address the issue of Lis pendens.
WHEREFORE, THE COURT:
[70] REFUSES Applicant’s Amended Application for Authorization to Institute a Class Action and to Obtain the Status of Representatives;
[71] THE WHOLE, with legal costs.
|
|
||
|
|
__________________________________ chantal tremblay, j.S.C. |
|
|
|
||
|
Me. Erik Lowe |
||
|
Merchant Law Group |
||
|
Attorney for the Plaintiff |
||
|
|
||
|
Me. Laurent Nahmiash |
||
|
Me. Erica Shadeed |
||
|
Dentons Canada LLP |
||
|
Attorneys for the Defendant |
||
|
|
||
|
Me Michael Simkin |
||
|
Simkin Legal Inc. |
||
|
Me Ted Charney |
||
|
Charney Lawyers |
||
|
Attorneys for the Third Party |
||
|
|
||
|
Hearing date: |
December 18, 2018 |
|
[1] Exhibit P-4a).
[2] Exhibit P-4c), page 1.
[3] Exhibit P-4c), page 2.
[4] Court File No. CV-16-566248-00CP.
[5] L’Oratoire Saint-Joseph du
Mont-Royal c. J.J.,
[6] L’Oratoire Saint-Joseph du Mont-Royal c. J.J.,
[7] Vivendi Canada Inc. v. Dell’Aniello,
[8]
L’Oratoire Saint-Joseph du Mont-Royal c. J.J.,
[9] Charles v. Boiron Canada inc.,
[10]
Lambert (Gestion Peggy) v. Écolait,
[11] Sofio v. Organisme canadien de réglementation
du commerce des valeurs mobilières (OCTCVM),
[12] Credit cards, Ebay, Amazon, AliExpress, Alarm system etc...
[13] Mustapha v. Culligan of Canada Ltd,
[14] Sofio v. Organisme canadien de réglementation
du commerce des valeurs mobilières (OCTCVM),
[15] Fortin v. Mazda Canada inc.,
[16] Mazzonna v. DaimlerChrysler Financial Services Canda
Inc/Services financiers DaimlerChrysler inc.,
[17] Zukerman v. Target Corporation,
[18] Belley v. TD Auto Finance Services Inc/Services de
financement auto TD inc,
[19]
Infineon Technologies AG v. Option consommateurs,
[20]
L’Oratoire Saint-Joseph du Mont-Royal c. J.J.,
[21]
Vivendi Canada Inc. v. Dell’Aniello,
[22]
L’Oratoire Saint-Joseph du Mont-Royal c. J.J.,
[23]
L’Oratoire Saint-Joseph du Mont-Royal c. J.J.,
[24]
Infineon Technologies AG v. Option consommateurs,
[25]
Sibiga v. Fido Solutions inc.,
[26]
[27]
AVIS :
Le lecteur doit s'assurer que les décisions consultées sont finales et sans
appel; la consultation
du plumitif s'avère une précaution utile.