This post originally appeared on Dentons Data blog.
On May 12, 2019, the Alberta Court of Appeal released a decision from a summary dismissal application that should resolve any confusion that may have arisen at the crossroads of that province’s limitations act and its privacy legislation, the Personal Information Protection Act, SA 2003, c P-6.5 (“PIPA”).
In Alberta, in order to have a cause of action related to a privacy breach claim, claimants must first go before the Office of the Information and Privacy Commissioner of Alberta (“AB OIPC”) and obtain a final order against an organization. Only then does a claimant have a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach by the organization. In Moore’s Industrial Service Ltd. v Kugler, 2019 ABCA 178 (“Moore’s”) the issue was whether the limitation period ran from the time of privacy violation, or from the time the order was obtained.
The Court held that where a claimant initiates a proceeding under PIPA, wherein an investigation is held and order is made under section 52, which gives rise to a cause of action under section 60, the limitation period for the alleged breach of privacy does not start to run until such time as the AB OIPC has at least completed its investigation and more likely rendered its decision.
PIPA is the Alberta statute that governs the collection, use, disclosure and management of personal information by corporations acting within Alberta. PIPA is substantially similar to the other private sector privacy laws in Canada and PIPA, like these other privacy acts, requires organizations to take reasonable measures to protect the personal information they hold. However, it is unusual in requiring individuals affected by a privacy violation to first pursue the matter through the AB OIPC and obtain an order before attempting to bring an action for a privacy violation in court.
The facts of this case were straightforward and not in dispute before the Court.
Upon his termination from Moore’s Industrial Service – the industrial coating specialist, not the suit coat specialists, which would be governed by PIPEDA rather than PIPA – in 2009, Mr. Kugler, returned his company-issued laptop. In October 2010, Mr. Kugler found that his personal emails had been forwarded to another Moore’s employee. In December 2010, Mr. Kugler determined that the Moore’s employee had accessed his personal email account on the returned laptop and reset Mr. Kugler’s passwords. In the fall of 2011, Mr. Kugler brought a complaint before the AB OIPC; the AB OIPC authorized an investigation, scheduled a mediation (ultimately unsuccessful), and finally held a written inquiry. On November 29, 2013, the AB OIPC issued an order pursuant to section 52 of PIPA stating that Moore’s had breached its obligations to Mr. Kugler under PIPA.
Pursuant to section 60 of PIPA, it was at this point that Mr. Kugler had a cause of action against Moore’s:
Damages for breach of this Act
60(1) If the Commissioner has made an order under section 52 against an organization and the order has become final as a result of there being no further right of appeal, an individual affected by the order has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach by the organization of obligations under this Act or the regulations.
On January 15, 2015, Mr. Kugler filed a civil claim against Moore’s seeking $310,000 in damages. Moore’s applied to strike, or alternatively, dismiss Mr. Kugler’s claim on the basis that section 3 of the Limitations Act, RSA 2000 c L-12 (“Limitations Act”) rendered it statute barred. The Limitations Act required Kugler to bring his action “within 2 years after the date on which the [he] first knew, or in the circumstances ought to have known” that the injury had occurred. Moore’s argued that as Mr. Kugler was aware of the privacy violation in December 2010, the 2 year limitation period began to run at the at point and had since expired, barring Mr. Kugler’s claim.
The application was dismissed before both the Master and Chambers Judge, who held that the two-year limitation period in section 3(1) of the Limitations Act did not start to run until November 29, 2013, or sometime thereafter, when the AB OIPC made its order and the order had become final. It was from that decision that Moore’s appealed to the Court of Appeal for a summary dismissal of Mr. Kugler’s lawsuit.
At paragraph 10 of its decision, the Court of Appeal summarized the process of a complaint filed under PIPA:
[T]he Commissioner may investigate and attempt to resolve complaints about personal information being collected, used or disclosed by an organization in contravention of the Act: s 36(2). An individual must initiate a complaint to the Commissioner within a “reasonable time”: s 47(3). Once in receipt of the complaint, the Commissioner may authorize a person to investigate and attempt to mediate the complaint (s 49), and if the matter is not resolved, conduct an inquiry: s 50. An inquiry must be completed within one year from the day that the complaint was received, but the Commissioner is entitled to extend that period: s 50(5). On the completion of an inquiry, the Commissioner must make an order under s 52.
The Court further confirmed that under section 53, an order from the AB OIPC is final. Under section 54.1, an application for judicial review of an AB OIPC order must be made within 45 days from the day the person making the application is give a copy of the order. Having reviewed this, the Court held that PIPA contemplates that the time between an individual discovering a privacy breach and the AB OIPC making an order regarding a complaint about the privacy breach may in fact be longer than two years.
In conducting its analysis, the Court of Appeal agreed with the lower court’s analysis that a section 60 PIPA cause of action requires the making of an order under section 52 to come into existence. Under a plain reading of PIPA, the injury for which Mr. Kugler sought a remedial order could not occur until after a section 52 order was made by the AB OIPC and triggered the section 60 cause of action. Alternatively, the injury that assumed liability on the part of Moore’s did not warrant bringing a proceeding until the AB OIPC had completed an investigation. Citing Martin v General Teamsters, Local Union No. 362, 2011 ABQB 412, the Court of Appeal further concluded that had Mr. Kugler filed a claim prior to the AB OIPC’s decision on November 29, 2013, the claim would have been struck for failing to disclose a cause of action.
The Court noted Moore’s concern that its interpretation of PIPAcould permit individuals to bring section 60 PIPA causes of action many years after the discovery of a privacy breach. However, the Court held that PIPA addresses this concern specifically at section 50(3), wherein the AB OIPC is required to notify the defendant organization if the AB OIPC is conducting an inquiry into a complain about that organization. The Court further determined that if a matter is referred to mediation prior to an inquiry, a defendant organization will also receive notice. In both circumstances, the requirements of PIPA put the defendant organization on notice in advance of a final determination, removing concerns about “stale claims” being made years later.
The Court’s decision in Moore’s clarifies that where a piece of legislation does not stipulate a limitation period, but does create an instance wherein a cause of action only exists upon the completion of an investigation, decision or other pre-condition of the legislation in question, the two-year limitation period in section 3(1) of the Limitations Act does not start until that pre-condition has occurred.
Businesses should be aware that this has the effect of extending the period of risk they may face in respect of alleged violations of PIPA.
 British Columbia’s Personal Information Protection Act, S.B.C. 2003, ch. 63; Québec’s An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., ch. P-39.1; and, the Federal Personal Information Protection and Electronic Documents Act, SC 2000, ch 5 (“PIPEDA”).
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business.