Pushing the Limit: Claims for Privacy Breaches Can Be Filed More Than Two Years After the Breach

  • United States
  • 08/02/2019
  • Sheena L. Owens

Alberta Court of Appeal clarifies that the limitation period for bringing civil actions for privacy breaches doesn’t start running until the time to appeal an OIPC order expires: Moore’s Industrial Service Ltd. v. Kugler 2019 ABCA 178

The Alberta Court of Appeal recently rendered a decision clarifying the limitation period in privacy breach cases. Generally, the Office of the Information and Privacy Commissioner (“OIPC”) handles breaches of the Personal Information Protection Act (“PIPA”). PIPA generally requires that organizations only collect, use, or disclose personal information about individuals with their consent. OIPC is responsible for receiving, investigating, and mediating complaints brought under PIPA. If complaints are not resolved through mediation, OIPC will conduct an inquiry and then make an order about the alleged privacy breach. Although PIPA contemplates bringing a civil action for the privacy breach, it does not explicitly specify the limitation period for bringing such an action. In Alberta, the general rule under the Limitations Act is that an individual must bring any civil action two years after the person knew or ought to have known that the injury occurred, the injury was attributable to the defendant’s conduct, and the injury warranted bringing a proceeding. Accordingly, prior to this decision, it was thought that the limitation period for bringing a civil action for a privacy breach would be two years after the privacy breach occurred. However, the Court of Appeal thought differently.

Mr. Kugler was terminated from his employment with Moore’s Industrial Service Ltd. (“Moore’s”) in 2009. As part of his termination, he returned a company laptop that he had previously used for work purposes. In October 2010, Mr. Kugler discovered that a Moore’s employee had accessed his personal email account and had forwarded Mr. Kugler’s personal emails to the CEO of Moore’s without his consent. Sometime in the fall of 2011, Mr. Kugler filed a complaint to OIPC. The complaint was investigated, and mediation did not result in a settlement. Accordingly, OIPC commenced an inquiry and on November 29, 2013, it found that Moore’s breached its privacy obligations under PIPA. It issued an order under section 52 of PIPA. Moore’s did not apply for judicial review of the order and under section 52 of PIPA there is no right to appeal an OIPC order. Mr. Kugler then filed a civil claim for damages on January 15, 2015. This was over two years after the OIPC order was issued, over three years after the OIPC complaint was filed, and almost six years after Mr. Kugler discovered the privacy breach. Moore’s applied for summary dismissal of the lawsuit on the basis that the limitation period had expired because the civil action was filed more than two years after Mr. Kugler discovered the privacy breach.

The Alberta Court of Appeal considered the relationship between PIPA and the Limitations Act. Under section 60 of PIPA, there is no time limit for commencing a complaint – it must simply be brought within a “reasonable time”. There are also no timelines for investigation or mediation. Prior to issuing an order, the only time limit is that an inquiry must be completed within a year from the day the complaint was received, however, that period can be extended. Once an order is made, an application for judicial review of the order must be brought within 45 days of receipt of an OIPC order.

The Court of Appeal noted that under PIPA, civil actions cannot be commenced for privacy breaches until after OIPC issues an order. Accordingly, if Mr. Kugler had commenced a civil action before the OIPC order was issued then his civil lawsuit could be struck out for failing to disclose a cause of action. This meant that the only reasonable reconciliation between PIPA and the Limitations Act is that the limitation period for bringing a civil claim does not start to run until the time for judicial review of an OIPC order expires. Accordingly, Moore’s application to summarily dismiss the lawsuit on the basis of an expired limitation period was dismissed.

Key Takeaways
The Moore’s decision clarifies the limitation period for filing a civil claim for damages as a result of a privacy breach. Unfortunately, it allows individuals to bring a lawsuit several years after the privacy breach is discovered. The clock will not begin ticking until after OIPC issues an order and the time for bringing a judicial review application has expired. Interestingly, the Court of Appeal did not discuss what the limitation period would be in cases where a judicial review application is filed. Therefore, it is open to argument that the limitation period may be extended even further in such cases.

Organizations that become aware of privacy breaches should retain all records relating to the breach for several years after the privacy breach is discovered as they will be required to produce that information in any arising litigation. While litigation can be commenced two years after the OIPC order becomes final, the civil claim does not need to be served on the defendant until a year after it is filed. Furthermore, the time for service can be extended another three months upon order of the court. This means that organizations may not be aware of a civil claim until over 39 months after an OIPC order is issued. Organizations should be aware of these timelines when assessing their exposure to potential claims they thought were stale-dated.

DISCLAIMER: This publication is intended to convey general information about legal issues and developments as of the indicated date. It does not constitute legal advice and must not be treated or relied on as such. Please read our full disclaimer at www.stikeman.com/legal-notice.

Topics: Employee and workplace privacy Employment Privacy
Posted in: Canadian Communications Law Canadian Employment, Labour & Pension Law