Privacy Update
By Esther Shainblum and Martin U. Wissmath Mar 2025 Charity & NFP Law Update
Published on March 27, 2025
SCC Denies Leave in B.C. Data Breach Case, Leaving Privacy Act Ruling Intact

The Supreme Court of Canada (SCC) has denied leave to appeal in G.D. v. South Coast British Columbia Transportation Authority, letting stand a July 2024 B.C. Court of Appeal decision that may expand liability for organizations handling personal data. The case arose from a cyberattack on TransLink, Metro Vancouver’s public transit authority, which resulted in the unauthorized disclosure of sensitive personal information. The B.C. Court of Appeal found that it was, at a minimum, arguable that a public body could be liable under the B.C. Privacy Act for failing to adequately protect personal data, and that a duty of care may be found in certain circumstances, forming the basis for a negligence claim. The SCC’s refusal to hear the appeal leaves the appellate ruling in place, signaling the potential for increased legal exposure for organizations that collect and store personal information of individuals in databases (“Database Defendants”). While breach of privacy under the B.C. Privacy Act is a statutory tort with limited scope, this case suggests that courts may be willing to hold Database Defendants liable for a third party’s intrusion into the personal information held by the Database Defendants.

The B.C. Court of Appeal stated that its view differs from the Ontario Court of Appeal’s view as to the interpretation of “willfully” in the context of B.C.’s statutory privacy tort. In a trilogy of cases that we discussed in the January 2023 Charity & NFP Law Update, the Ontario Court of Appeal held that the tort of intrusion upon seclusion will generally not be available against Database Defendants because the tort of intrusion upon seclusion applies only against the cyberattackers who recklessly or intentionally invaded individuals’ privacy and not against the Database Defendants.
While Database Defendants who fail to take steps to adequately protect personal information might be liable for negligence or breach of contract, the Ontario Court of Appeal specifically chose a narrow and limited interpretation of the tort of intrusion upon seclusion that does not apply to the Database Defendant’s failure to prevent a third party’s intrusion. Ontario-based charities and not-for-profits can likely rely on the principles set out in the Owsianik trilogy of cases to argue that they should not be liable for a privacy breach arising from a cyberattack. However, the B.C. ruling does muddy the waters for any organization that collects and stores personal information in databases, including charities and not-for-profits.

As digital record-keeping and donor databases become more prevalent, charities and not-for-profits should recognize that data breaches may trigger liability under statute as well as common law liability, depending on the jurisdiction in which they are located. Ensuring strong cybersecurity measures, internal protocols, and compliance with federal and provincial privacy laws is increasingly necessary to mitigate these risks. As regulatory enforcement and litigation around data breaches intensify, charities and not-for-profits must prioritize data protection to safeguard personal information, maintain public trust, and limit potential legal exposure.

Europe Strengthens Data Protection with New Pseudonymization Guidelines under GDPR

The European Data Protection Board (EDPB) has adopted new guidelines on pseudonymization, clarifying its role under the General Data Protection Regulation (GDPR) and its impact on data security, legal compliance, and cross-border cooperation. Announced on January 17, 2025, these guidelines reinforce pseudonymization as a key technique for protecting personal data while enabling lawful processing.
Pseudonymization involves processing personal data in a way that prevents direct attribution to an individual without additional information, which must be kept separately and protected. For example, a hospital would pseudonymize patient data by replacing names with unique codes in medical records used for research, while securely storing the code-to-name key separately to prevent re-identification.

While pseudonymized data remains personal data under the GDPR, the EDPB highlights its potential to reduce legal risks, facilitate data processing that is necessary for the purposes of a legitimate interest, and enhance security measures under the GDPR. The guidelines also provide practical recommendations on technical and organizational safeguards to “prevent unauthorized identification of individuals,” according to the EDPB.

For Canadian charities and not-for-profits operating internationally, these guidelines underscore the growing emphasis on data protection. Organizations engaging with EU-based donors, beneficiaries, or partners should assess whether their data processing practices align with GDPR expectations, particularly regarding anonymization, pseudonymization, and secure data transfers. As regulatory scrutiny of data protection increases worldwide, charities and not-for-profits should proactively review their privacy policies, implement strong security safeguards, and monitor developments in privacy law to ensure compliance and uphold donor trust.
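The hospital example above, worked through in code as an added illustration (this is not code from the newsletter, from the EDPB guidelines, or from any organization discussed here). It shows the two constructions practitioners commonly use: a lookup table that maps random codes back to identities, and a keyed cryptographic function (HMAC) whose secret key plays the same role. In both, the table or the key is the “additional information” that must be stored and protected separately from the pseudonymized records; the records themselves carry no direct identifiers. The patient records, field names, and keys are constructed sample values, and the choice of `name` and `dob` as the direct identifiers is an assumption for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the names and dates are not real patients.
PATIENT_RECORDS = [
    {"name": "Alice Example", "dob": "1980-04-12", "diagnosis": "asthma"},
    {"name": "Bob Sample", "dob": "1975-09-30", "diagnosis": "hypertension"},
    {"name": "Alice Example", "dob": "1980-04-12", "diagnosis": "allergy"},
]

# Assumed set of direct identifiers to strip (example choice).
DIRECT_IDENTIFIERS = ("name", "dob")


def pseudonymize_with_table(records, identifiers=DIRECT_IDENTIFIERS):
    """Lookup-table construction.

    Every distinct identity receives a fresh random code. The code->identity
    table is the additional information that must be held separately from the
    research dataset. Returns (pseudonymized_records, lookup_table).
    """
    table = {}    # code -> identity tuple; store apart from the output records
    reverse = {}  # identity tuple -> code; used only while building the dataset
    out = []
    for rec in records:
        identity = tuple(rec[k] for k in identifiers)
        code = reverse.get(identity)
        if code is None:
            code = secrets.token_hex(8)   # 64 random bits, unguessable
            reverse[identity] = code
            table[code] = identity
        pseudo = {k: v for k, v in rec.items() if k not in identifiers}
        pseudo["subject_id"] = code
        out.append(pseudo)
    return out, table


def pseudonymize_with_hmac(records, key, identifiers=DIRECT_IDENTIFIERS):
    """Keyed-function construction.

    The pseudonym is HMAC-SHA256(key, identity). The secret key is the
    additional information: without it nobody can recompute a pseudonym
    from a guessed identity, so the same key yields consistent pseudonyms
    across datasets while a different key yields unrelated ones.
    """
    out = []
    for rec in records:
        # Join fields with a separator that cannot appear in the values.
        identity = "\x1f".join(rec[k] for k in identifiers).encode()
        code = hmac.new(key, identity, hashlib.sha256).hexdigest()[:16]
        pseudo = {k: v for k, v in rec.items() if k not in identifiers}
        pseudo["subject_id"] = code
        out.append(pseudo)
    return out


def reidentify(pseudo_record, table):
    """Re-identification works only with the separately held lookup table."""
    return table[pseudo_record["subject_id"]]


def has_direct_identifiers(records, identifiers=DIRECT_IDENTIFIERS):
    """Release check: True if any record still carries a direct identifier."""
    return any(k in rec for rec in records for k in identifiers)


if __name__ == "__main__":
    research_set, key_table = pseudonymize_with_table(PATIENT_RECORDS)
    print("dataset for researchers:", research_set)
    print("held separately by the hospital:", key_table)
    print("re-identified first record:", reidentify(research_set[0], key_table))
    print("HMAC variant:", pseudonymize_with_hmac(PATIENT_RECORDS, b"example-key"))
```

Two points the code makes concrete. First, the same patient receives the same pseudonym in both of her records, so researchers can still link visits without knowing who she is; that linkability is why the GDPR still treats the output as personal data. Second, the release check is the control that matters operationally: a dataset should leave the organization only after it has been confirmed to carry no direct identifiers, and the lookup table or HMAC key should never travel with it.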