In a trio of decisions, the Ontario Court of Appeal (the Court),[1] has confirmed that the tort of intrusion upon seclusion is not available as a cause of action in class action proceedings involving so-called “Database Defendants” – i.e., defendants who, for commercial purposes, collect and store the private information of others and whose alleged failure to take adequate steps to store that information allowed third-party hackers to access or use that information. This is an important development in the privacy litigation landscape, particularly as it concerns class actions.
Background
In 2012, the Court first recognized the tort of intrusion upon seclusion in the decision in Jones v Tsige.[2]There, it held that where a plaintiff could establish that a defendant had intentionally or recklessly invaded, without lawful justification, a plaintiff’s private affairs or concerns, such that the invasion would be regarded as highly offensive to a reasonable person, the plaintiff was entitled to moral or symbolic damages. No proof of harm was necessary.
Jones quickly spawned a series of class actions across Canada. Many of the claims that were later certified dealt with unauthorized access to internal databases by internal actors.[3] Courts’ initial tendency was also to certify cases involving Database Defendants.[4] However, beginning in 2021, Ontario trial judges began to grow skeptical of the application of the tort of intrusion upon seclusion in such circumstances.
In Owsiniak v. Equifax Canada Co,[5]Ontario’s Divisional Court overturned a 2019 decision of the Superior Court certifying a claim for intrusion upon seclusion relating to a breach of the defendant’s systems that affected thousands of customers. Relying on the decision of the Supreme Court of Canada in Atlantic Lottery Corp. Inc. v Babstock,[6] the Divisional Court held that “novel claims that are doomed to fail should be disposed of at an early stage and that courts can do so even if this requires resolving complex questions of law and policy.”[7] The court went on to find that extending liability to a person who does not intrude, but rather fails to prevent the intrusion of another, would be an unwelcome expansion of the tort.[8]
Following Owsiniak, the Superior Court in Obodo v Trans Union of Canada, Inc,[9]also declined to certify a claim involving a cyberattack into the systems of the credit reporting and monitoring defendant. And in Winder v Marriott International Inc.,[10] the Superior Court considered a motion to strike the plaintiff’s claim for failing to plead a legally viable cause of action. There, the defendant had also been the victim of a hacker and customer information was alleged to have been compromised as a result. The plaintiff argued that the defendant had obtained the class members’ personal information on false pretenses, thereby rendering itself a reckless intruder that exposed stored personal information to the risk of being hacked. The motions judge rejected this argument, finding that the letter and spirit of the Jones court’s decision prescribed a narrow ambit for the tort. The judge also found there was no need to the extend liability to defendants who obtained information by false pretenses, by breaching contractual promises or failing to comply with statutorily imposed privacy safeguards. Moreover, the judge found themselves bound by the decisions in Owsianik and Obodo.
The decisions in Owsiniak, Obodo and Winder were appealed by the respective plaintiffs – setting the stage for the Court to decisively rule on the scope and application of the tort of intrusion with respect to Database Defendants.
The decisions
The Court dismissed all three appeals, finding that none of the defendants did anything that could constitute an act of “intrusion” or “invasion” into the privacy of the plaintiffs, and thus finding that the plaintiffs’ claims did not satisfy the test for certification under the Class Proceedings Act requiring a claim to disclose a cause of action. The Court noted that in all three cases, the intrusions alleged were committed by unknown third-party hackers acting independently from, and to the detriment of, the interests of the defendants. And in all three cases, no facts had been pleaded that could, in law, provide a basis upon which the actions of the hackers could be attributed to the defendants.
The defendants’ fault, if any, was their alleged failure to take adequate steps to protect the plaintiffs from the intrusion upon their privacy by hackers acting independently of the defendants. The Court held that any liability for such failure, be it under breach of contract, in negligence or for breach of privacy statutes, could not be transformed by the actions of third parties into an invasion of the plaintiffs’ privacy.
The Court’s reasoning: “Plain and obvious”
The Court’s detailed reasons were set out in its decision on the Owsiniak appeal. With particular reference to the cause of action criterion, the Court reviewed the history of decisions certifying claims for intrusion upon seclusion and noted that no decision had ever found that the tort of intrusion upon seclusion applies to Database Defendants on the merits. Rather, such claims have been certified on the basis that it was not “plain and obvious” that their claims could not succeed (“plain and obvious” being the well-established threshold for establishing the cause of action criterion). The Court agreed with the Owsiniak court’s reliance on Babstock, holding that where the validity of a claim turns exclusively on the resolution of a legal question, the court may on a pleadings motion, even if the answer to the legal question is complex, policy-laden and open to some debate, determine the law and apply the law as determined to the facts as pleaded to decide whether “the claim is plainly doomed to fail and should be struck.”
The Court’s reasoning: It is empowered to decide whether the claims are “doomed to fail”
The Court found there to be good reasons to decide the legal viability of the plaintiffs’ claims at certification:
- The question was to be answered on the facts as pleaded. There was no dispute as to the facts that were relevant and material to the legal viability of the cause of action pleaded. There was no chance any evidence could be led at trial that would impact on the answer to the legal question posed;
- There was no unfairness to either party in deciding the merits of the legal question on the pleadings motion;
- The issue was fully briefed and argued on the pleadings motion; and
- The institutional considerations articulated in Babstock favoured deciding the legal question on the merits.
The Court’s reasoning: Intrusion upon seclusion
Having determined that it was appropriate to decide the legal viability of the plaintiffs’ claims at certification, the Court considered the tort of intrusion upon seclusion.
The Court held that the conduct alleged by the plaintiffs was fundamentally incapable of amounting to an intrusion into, or an invasion of, the plaintiffs’ privacy. In doing so, the Court distinguished the defendants’ conduct with that of the defendant in Jones, who had deliberately taken advantage of her employment to access the plaintiff’s banking records. Any recklessness by the defendants with respect to the storage of private information did not itself equate to reckless conduct for the purposes of the tort.
The Court also rejected the plaintiffs’ submissions that the expansion of the tort from the actual intruder to entities who fail to protect adequately information in their control would be justified in light of the realities of modern technology, the threats to individual privacy posed by the accumulation of large volumes of personal information, and the absence of any remedy for persons whose information held in databases is accessed and used improperly. The Court held that such an expansion would be a wholesale departure from the tort as originally established in Jones and would radically reconfigure liability for intentional torts more broadly. Finally, remedies could still be available for breach of contract, negligence or breach of statute.
Takeaways
The Court’s decisions are the final “nail in the coffin” for class action claims against Database Defendants – at least those based on the tort of intrusion in Ontario (subject to an appeal to the Supreme Court of Canada). It is now settled that such defendants cannot be sued for the tort of intrusion where no material facts are pleaded that allege the respondents acted in consort with, or were vicariously liable for, the conduct of hackers.
It is not yet clear what impact these decisions will have on claims based on vicarious liability. The extent to which other claims (based on contract or negligence) can be successful on these types of facts is also unclear. Accordingly, businesses should ensure that they take steps to implement and document policies and procedures for the safeguarding of personal information in accordance with industry standards. They should also be sure to adequately train their employees with respect to the handling of personal information and take steps to appropriately sanction or discipline employees failing to comply with such obligations.
For more information, please reach out to Chloe Snider or Luca Lucarini.
[1] Owsiniak v Equifax Canada Co, 2022 ONCA 813; Obodo v Trans Union of Canada, Inc., 2022 ONCA 814; Winder v Marriot International, Inc., 2022 ONCA 815.
[2] 2012 ONCA 32 [Jones].
[3] E.g. Evans v Wilson, 2014 ONSC 2135, leave to appeal ref’d, 2014 ONSC (Div Ct) (bank employee disseminating customer information to third parties). Hynes v Western Regional Integrated Health Authority, 2014 NLTD 137 (unauthorized employee access of personal health information Daniells v McLellan, 2017 ONSC 3466 (unauthorized employee access of personal health information). MM v Family and Children’s Services of Lanark Leeds and Grenville, 2017 ONSC 7665 (dissemination of CAS records online).
[4] E.g. Tucci v Peoples Trust Co., 2017 BCSC 1525, var’d 2020 BCCA 246. Agnew-Americano v Equifax Co, 2019 ONSC 7110.
[5] 2021 ONSC 4112 [Owsiniak].
[6] 2020 SCC 19 [Babstock].
[7] Ibid at para 53.
[8] Ibid at para 55.
[9] 2021 ONSC 7297 [Obodo].
[10] 2022 ONSC 390 [Winder].
