[1]              The plaintiff moves to certify a proposed class action that arises out of one of the largest and most publicized privacy breaches in modern times. The high-profile personal data breach primarily involved three players: Facebook, the online social networking giant; a British academic named Aleksandr Kogan; and a London-based data analytics and consulting firm (that no longer exists) called Cambridge Analytica.

[2]              During the 2016 general election campaign in the U.S., millions of America voters were targeted with messages tailored to influence their votes. It was soon discovered that the targeting was achieved in large part using personal information obtained from Facebook users. The personal data was allegedly accessed without their knowledge or consent via a third-party application or app created by Dr. Kogan.

[3]              Dr. Kogan’s app, called “thisisyourdigitallife”, was presented to Facebook users as a “personality quiz” collecting information for academic research, but was actually being used to harvest personal data for commercial purposes. Dr. Kogan sold the personal information to Cambridge Analytica which then used it to target U.S. voters on behalf of its clients.

[4]              Needless to say, the news that Facebook users’ personal data may have been harvested and used without their knowledge or consent to influence and manipulate their vote, generated a flurry of government investigations and hearings, privacy commissioner reports and, of course, class actions.

[5]              According to Facebook estimates, the personal data of 87 million users may have been accessed and shared with Cambridge Analytica. This included some 622,161 Facebook users living in Canada - 272 of whom actually installed the Kogan app and another 621,889 “friends” whose personal data was obtained because the app gained “cascading access” to this information.[1]

[6]              Upon learning of this data breach, Facebook did not react immediately. Eventually, however, Facebook notified its users. The wording of the notification varied based on whether the Facebook user had installed the Kogan app directly or was indirectly affected as a “friend” of the installing user. The version received by most of the potentially affected Canadian users, including the plaintiff, advised as follows:

[7]               Three proposed class actions were filed in Ontario: Chamberlain,[2] Donegani,[3] and Simpson (herein). All were directed at Facebook, the only remaining deep-pocket defendant. Because the proposed classes were similar or overlapping, a carriage decision had to be made. As it turned out, the carriage issue was resolved on consent. The Chamberlain action would be stayed. The Donegani and Simpson actions would proceed, dividing the proposed class action as delineated in the two Carriage Orders.[4]

[8]              Mr. Donegani, who lives in Toronto, was granted carriage of a proposed class action on behalf of Facebook users world-wide whose personal information was improperly obtained “either directly or indirectly” by third parties. Facebook users who voluntarily downloaded a third-party app were excluded.[5] The class included everyone else with one important carve-out: “Canadian residents whose Facebook Information was shared with Cambridge Analytica Group”.[6]

[9]              Ms. Simpson, who also resides in Toronto and who advances the action herein, was thus granted carriage of a proposed class action on behalf of “Canadian residents whose Facebook Information was shared with Cambridge Analytica Group”. The Carriage Order described this class as the “Canadian Cambridge Analytica Class” and appointed Siskinds LLP as carriage counsel.

[10]         The upshot of the two Carriage Orders was that Donegani would advance the worldwide claims of Facebook “friends” whose personal information had been improperly obtained by third parties, including the Kogan app. Simpson would advance the claims of Canadian residents whose Facebook information was actually shared with Cambridge Analytica Group.

[11]         The respective statements of claim were attached as appendices to the Carriage Orders. The defined terms in both the Donegani and Simpson pleadings were carefully drafted and made clear that no third-party app developers, such as Dr. Kogan or his company Global Science Research (GSR) were included in the definition of “Cambridge Analytica Group.” Both Carriage Orders also included the routine admonition that “no other class proceeding may be commenced in Ontario without leave of this Court in respect of the subject matter of the within action”.

[12]         Consistent with the terms of the Carriage Orders, the plaintiff herein advanced the core allegation that Canadian Facebook users’ personal data was improperly shared with Cambridge Analytica. By allowing this to happen, says the plaintiff, the Facebook defendants breached their own terms of use and invaded the privacy of the thousands of Canadian class members. Relying on the tort of “intrusion upon seclusion”,[7] the plaintiff asks that the proposed class action be certified so that Facebook can be held accountable and pay about $622 million in “symbolic or moral damages”[8] and another $62 million in punitive damages — for a total of about $684 million.[9]

[13]         The key point is this. On any fair reading of the plaintiff’s pleading, it was the sharing of Canadian users’ personal data with Cambridge Analytica that constituted the breach or invasion of privacy.

[14]         This is evident from the defined terms and key paragraphs in the Statement of Claim:

[15]         In her Amended Notice of Motion, the plaintiff de facto amended the class definition to focus on the receipt of the notification from Facebook. The class was redefined as: “all Canadian residents who were notified by Facebook that their Facebook Information may have been shared with Cambridge Analytica Group.”

[16]         Counsel for the defendants criticized this amendment as improperly and unfairly expanding the core allegation from personal data being “shared” with Cambridge Analytica to the more nebulous “may have been shared”. For my part, I am content with this proposed amendment because, as noted in other personal data breach cases,[10] the receipt of a notice letter is a better self-identifier for the affected class members than speculating whether one’s personal information was actually shared with an unfamiliar third-party.

[17]         In any event, the amended class definition does not detract from the core allegation that the alleged invasion of privacy is the actual sharing of Canadian Facebook users’ personal data with Cambridge Analytica.

[18]         This brings us to the evidentiary problem.

[19]         It became apparent as the certification hearing progressed that the plaintiff had no evidence that any Canadian user’s personal data was shared with Cambridge Analytica. There is “not a shred of evidence”, say the defendants, that Dr. Kogan sold or transferred any Canadian data to Cambridge Analytica.

[20]         Cambridge Analytica hired Dr. Kogan to collect and transmit personal data that would help tailor messages to target American voters. It therefore follows, argue the defendants, that Cambridge Analytica had no need for, or interest in, the personal information of Facebook users living in Canada.

[21]         If anything, say the defendants, the evidence in the record overwhelmingly supports their submissions.

[22]         It appears that that Dr. Kogan, through his company GSR, entered into two contracts with SCL, an affiliate of Cambridge Analytica. Each of the contracts focused on Facebook users that were U.S. voters. The first contract provided that data “will only be appended to voter file records…in the following eleven States” listed as Arkansas, Colorado, Florida, Iowa, Louisiana, Nevada, New Hampshire, North Carolina, Oregon, South Carolina, and West Virginia. The second contract is not yet public. However, in his written testimony to a British House of Commons committee, Dr. Kogan described an early 2015 contract between his company and SCL pursuant to which he shared data “for survey participants and their friends for all 50 [U.S.] states”.

[23]         The defendants also point to the final report of the U.K. Information Commissioner which concluded that “the data shared with SCL/Cambridge Analytica by Dr, Kogan related to U.S. registered voters.” The defendants further note that both Dr. Kogan and representatives of Cambridge Analytica have maintained throughout, including in statements under oath, that no personal data from Facebook users outside of the U.S. was ever transferred to Cambridge Analytica. And, for its part, Facebook swears it has no information or evidence that Dr. Kogan sent Cambridge Analytica any data on any Canadian Facebook user.

[24]         The onus, of course, is not on the defendants to prove that no Canadian users’ personal data was shared with Cambridge Analytica. The onus is on the plaintiff to adduce some basis in fact — some evidence — for her core allegation: that Canadian users’ personal data was indeed shared with Cambridge Analytica.

[25]         It is this core allegation that drives the plaintiff’s pleading and provides the requisite backdrop for the proposed common issues. Here, the primary PCI asks whether the Facebook defendants “invaded the private affairs or concerns of the class members”. In other words, did the sharing of Canadians’ personal data with Cambridge Analytica constitute an invasion of their privacy or an intrusion upon their seclusion?

[26]          If there is no evidence that any such personal data was actually shared with Cambridge Analytica, then none of the PCIs that deal with invasions of privacy, whether at common law or under the specified provincial privacy statutes, can be certified. And if none of these PCIs can be certified, it follows that the proposed class action itself cannot be certified.

[27]         The plaintiff submits there is ample evidence directly on point. She refers to the following as providing “some evidence” that Canadian users’ personal data was shared with Cambridge Analytica. However, none of these examples (the emphasis has been added) provide any such evidence:

[28]         In short, the defendants are right. There is no evidence in the record that any Canadian user’s personal data was shared with Cambridge Analytica.

[29]         Seeing that the certification motion was collapsing because of the absence of requisite evidence, class counsel scrambled and tried two other approaches: the “peephole” argument and the “affiliate” argument.

[30]         The “peephole” argument. Instead of staying with the core allegation that personal data was actually shared with Cambridge Analytica, class counsel shifted the focus from Cambridge Analytica to Kogan’s app. He argued that Facebook violated users’ privacy by wilfully or recklessly providing this third-party app with unauthorized access to Facebook users’ personal information, whether or not any such information was actually scraped or used.

[31]         This is the so-called “peephole” analogy. As this court has noted in other cases, personal privacy can arguably be invaded when a landlord installs a peephole into the tenant’s bathroom even if the peephole is never used.[11] Simply providing an opportunity for unauthorized access, even without evidence of actual access or usage can sometimes be enough.[12] Here, the findings in the 2009 and 2019 reports of the Office of the Privacy Commissioner of Canada clearly provide some evidence, that (i) third-party application developers such as Dr. Kogan had “virtually unrestricted access to Facebook users’ personal information” and further that (ii) the Kogan app had actually accessed and collected such information.

[32]         To support this change in focus class counsel pointed to a snippet of pleading, namely paragraph 71(b) of the Statement of Claim, that alleges Facebook intruded upon class members’ seclusion because they “permitted access to the Facebook Information without or in excess of the Class Members’ authorization”.

[33]         There are two problems with this shift in focus. The first is that the core allegation, about sharing users’ personal data with Cambridge Analytica, permeates the key definitions (such as Privacy Breach) and paragraphs in the Statement of Claim. Absent the two Carriage Orders, I would have adjourned the hearing under s. 5(4) of the Class Proceedings Act[13] in fairness to the defendants so that the plaintiff could amend the pleadings to properly accommodate the peephole argument and the focus on the Kogan app. However, no such amendments could have been made because of the second problem, the terms of the two Carriage Orders.

[34]         As already noted, the Donegani action was granted carriage of all claims relating to personal information obtained by third-party apps. This included the Kogan app. Therefore, the so-called peephole argument — that Facebook users’ personal data was improperly made accessible to the Kogan App — could not be pursued.

[35]          The “affiliate” argument. The second Hail Mary was class counsel’s attempt to characterize Dr. Kogan and his company GSR as “affiliates” of Cambridge Analytica. Class counsel began this submission by noting (correctly) that Simpson was granted carriage of a proposed class action “on behalf of Canadian residents whose Facebook Information was shared with Cambridge Analytica Group”. Class counsel then pointed out (again correctly) that “Cambridge Analytica Group” was defined in the Statement of Claim as meaning “Cambridge Analytica and its partners and affiliates including, without limitation, SCL Group and Aggregate IQ.” (Emphasis added).

[36]         Class counsel then tried to argue that Dr. Kogan and his company GSR were affiliates of Cambridge Analytica. If that were the case, then the Carriage Orders would not preclude the so-called peephole argument and the shift in focus to the personal data of “friends” that was accessed via the Kogan app, whether or not the data was actually shared with Cambridge Analytica. However, the “affiliate” submission does not succeed.

[37]         The “affiliate” submission is contrary to any fair reading of the two Carriage Orders, the respective statements of claim and the careful definitions of the various corporate entities referred to therein. In any event, there is no evidence that Dr. Kogan or his company were affiliates of Cambridge Analytica Group. Simply alleging in paragraph 71(l) of the Statement of Claim that Cambridge Analytica’s affiliates included “Kogan and GSR” is a bald allegation that has zero support in the evidence.

[38]         In short, class counsel’s two Hail Mary attempts do not succeed. Therefore, I am obliged to return to the plaintiff’s core allegation for which there is no evidence.

[39]         It follows that the motion for certification must be dismissed.

[40]         I should explain this dismissal on the basis of the certification requirements as set out in s. 5(1) of the Class Proceedings Act.

[41]         The defendants contested each of these requirements, from cause of action to the suitability of the proposed representative plaintiff. They advanced an array of, frankly, compelling arguments — for example, that the accessed personal data in question (name, gender, birthday, current city, and pages “liked”) was public not private information; that even if otherwise, the intrusion upon seclusion tort was not triggered because any alleged privacy breaches were at best trivial; and that the need for individualized determinations of matters, such as each user’s specific privacy settings, precludes any finding of class-wide commonality and the certification of any meaningful common issues.

[42]         There is no need for me to deal with any of these secondary submissions because, as already noted, the certification motion turns on the defendants’ primary submission — the plaintiff’s failure to provide any evidence that Canadian users’ personal data was shared with Cambridge Analytica. This alone is enough to deny certification.

[43]         The applicable law on this point is not in dispute. It is fundamental to class action certification that the plaintiff adduce some evidence (some basis-in-fact) for both the existence and commonality of each of the proposed common issues.[14] Here, the focus is on the first part of this requirement, the evidentiary basis for the existence of a proposed common issue. As the Court of Appeal noted in Fulawka:

[44]         No such evidence has been presented.

[45]         It follows that there is no basis in fact for any of the proposed common issues that ask whether the defendants invaded any class member’s privacy, whether at common law under the tort of intrusion upon seclusion or in breach of provincial privacy statutes. None of these PCIs can be certified. Absent common issues, there is no justification for a class proceeding.

[46]         Class counsel, however, can take comfort in knowing that the Donegani action, if certified, will advance the very claims that cannot be advanced here. Ms. Simpson and the class members she had hoped to represent remain class members in the Donegani action and will still have their day in court.[16]

[47]         I conclude with three comments.

[48]         This is that rare certification motion where class counsel was caught between a rock and a hard place. He had no evidence of the existence of the breach of privacy PCIs.  And he couldn’t amend the pleadings to pursue a more viable claim because, by court order, another action had already been given carriage of this very claim. Not really Scylla and Charybdis, but in the context of class action litigation, pretty close.

[49]         The dismissal of this certification motion does not diminish the paramount importance of protecting individual privacy and personal data. An individual’s ability to control their personal information is intimately connected to individual autonomy, dignity and privacy.^[17] Significant invasions of personal privacy are serious matters and deserve regulatory and judicial attention. If Facebook, in breach of its own policies and procedures, recklessly allowed third-party apps to improperly access users’ personal data, it should be held accountable by all appropriate means, including class actions.

[50]         The dismissal of this certification motion is simply a reminder to class counsel that while certification remains a low hurdle it is nonetheless a hurdle. Here, the plaintiff failed to satisfy the common issues requirement and, in particular, the requirement to provide “some evidence” that Canadian users’ data had actually been shared with Cambridge Analytica. This failure was fatal to the motion for certification.

[51]         The motion for certification is dismissed with costs.

[52]         If the parties are unable to agree on costs, I will be pleased to receive brief written submissions — within 14 days from the defendants and within 14 days thereafter from the plaintiff.