In Simpson v. Facebook, Inc., the Ontario Divisional Court upheld the dismissal of the plaintiff’s certification motion against Facebook in a proposed class action alleging that the personal data of Canadian Facebook users was improperly shared with the Cambridge Analytica Group (“Cambridge Analytica”).

The Divisional Court concluded that the action was not appropriate for certification because the plaintiff failed to satisfy the common issues requirement of the Class Proceedings Act, 1992, S.O. 1992, c. 6 (“CPA”) and, in particular, the requirement to provide “some evidence” that Canadian users’ data had actually been shared with Cambridge Analytica.

The decision in this appeal:

• Reaffirms that there must be some evidentiary basis indicating that a common issue exists beyond a bare assertion in the pleadings. This does not involve an examination of the merits of the claim, but simply requires that there be some factual basis – in the form of admissible evidence – to support the allegation.
• Underscores the willingness of Canadian courts to exercise their “gatekeeper” role and bar certification of privacy class actions based merely on speculative assertion.

Background

The proposed class action in this case arose from a personal data breach linked to the 2016 U.S. election campaign where voters were targeted with messages tailored to influence their votes. The targeting apparently relied on the use of personal data obtained from Facebook users, allegedly accessed without their knowledge or consent through a third-party “app” created by a British academic, who then sold the data to Cambridge Analytica, which proceeded to use it to target U.S. voters on behalf of its clients.

The fallout resulted in several putative class actions filed in Canada. The plaintiff in this case was granted carriage of a proposed class action on behalf of “Canadian residents whose Facebook Information was shared with Cambridge Analytica”. 

Certification Decision

The plaintiff sought to certify a putative action against Facebook, alleging that Canadian Facebook users’ personal data was improperly shared with Cambridge Analytica, and that by allowing this to happen, Facebook breached its own terms of use and invaded the privacy of the putative Canadian class members. The plaintiff relied on the tort of intrusion upon seclusion and sought approximately $622 million in “symbolic or moral damages” and another $62 million in punitive damages.

The Ontario Superior Court of Justice dismissed the plaintiff’s certification motion. The motion judge considered the evidence proffered and held that there was no evidence in the record to support the plaintiff’s core allegation that the personal data of at least some Canadian Facebook users had been shared with Cambridge Analytica. He went on to conclude that:

there is no basis in fact for any of the proposed common issues that ask whether the defendants invaded any class member’s privacy, whether at common law under the tort of intrusion upon seclusion or in breach of provincial privacy statutes.

Divisional Court Decision

On appeal, the Divisional Court upheld the ruling of the motion judge.

Among other things, the plaintiff argued that the motion judge erred by failing to apply the statutory five-part test under the CPA and had instead determined certification on a threshold evaluation of the merits. The plaintiff argued that she is not required to prove a “core allegation” at certification and that the motion judge had erred in assessing the core allegation under the s.5(1)(c) “some basis in fact” standard.

The Divisional Court held that the motion judge had properly applied the certification test and that it was not an error in principle to focus on the s.5(1)(c) common issues requirement because a failure to meet any of the certification requirements is fatal.

Drawing on the case law, the Court explained that to show the existence of the common issues, the plaintiff must establish “a factual basis for her claim and the allegations to which the common issues relate”. The Court reiterated that this does not involve an examination of the merits, but simply requires that there be some factual basis – in the form of admissible evidence – to support the allegation.

The Court held that the motion judge did not assess the merits of the case or require that the plaintiff prove the core allegation at the certification stage. Rather, the Court held that the motion judge properly considered and applied the governing legal principles to find that there was no evidence in the record for the core allegation on which the plaintiff’s claim and proposed common issues depend (i.e., that the personal data of at least some Canadian Facebook users was shared with Cambridge Analytica).

The Court rejected other arguments advanced by the plaintiff relating to findings of fact and the motion judge’s interpretation of the carriage orders.

Conclusion

The case highlights the recent trend by Canadian courts to exercise their gatekeeper function and deny certification of proposed privacy class actions based on speculative assertions (Chow v. Facebook, Kish v. Facebook, Setoguchi v. Uber B.V. ).