Standing to Bring a Class Action for Data Breach

It appears as if there is a major difference between Canadian and US law on standing to sue, at least in class actions.

Most US class actions by people whose personal information has been compromised in some way by a data breach have been stopped by a motion to dismiss. The essence of the argument is that the prospective plaintiffs have not suffered any demonstrable damage, and the US Constitution that authorizes the court system requires that there be a real dispute, which requires real damages.

On the other hand, the Federal Court of Appeal has just decided, in Condon v Canada, that if the plaintiffs allege damages, that is sufficient for the action to be certified. For the purposes of a motion to certify, or a motion to dismiss, it is presumed that the facts alleged in the statement of claim are true. Determining their actual truth is left for trial. So it’s all about the pleadings, assuming that there is a consistent class with a consistent relationship to the alleged tort.

Does this mean that we will see lots of data breach litigation in Canada proceed to trial, while the US that is almost unheard of? (I believe a couple of cases have survived motions to dismiss, but I do not believe any has reached judgment.)

I note, by the way, that the court of first instance in Condon certified the case to proceed for intrusion upon seclusion. (The appeal was about claims in negligence.) Is that not an intentional tort? Is there any suggestion in the case that the government intentionally leaked the data?

h/t Canadian Privacy Lawyer Blog (via Slaw.ca)