Written By Sakina Babwani, Nina Butz and Mehak Kawatra
2022 continued to be positive for institutional clients involved in privacy breach class actions, with the Ontario Court of Appeal refusing to expand the tort of intrusion upon seclusion to impose liability on institutions whose databases were hacked by unauthorized third parties.
Plaintiffs claiming damages in privacy breach class actions have struggled to achieve certification due to the absence of losses beyond everyday inconveniences.
Accordingly, plaintiffs often relied on the tort of intrusion upon seclusion, which does not require proof of a compensable loss. However, some plaintiffs asked the court to extend the tort to apply not only to the third-party hackers, but also to the database defendants who collected and stored the data in the first place.
In late 2021, the Divisional Court refused to extend the tort, finding that it could not apply to database defendants because they did not commit the “central element” of the tort—the intrusion.
In November 2022, the Ontario Court of Appeal endorsed the Divisional Court’s approach in three appeals heard in tandem: Owsianik v. Equifax Canada Co. [Owsianik], Obodo v. Trans Union of Canada Inc. [Obodo], and Winder v. Marriott International Inc. [Winder]. Bennett Jones acted for Marriott and affiliated entities in Winder.
In each of the three cases, the defendants had collected and stored personal information of their customers for commercial purposes. The plaintiffs alleged that the defendants' failure to take adequate steps to protect personal information had allowed third-party hackers to access and/or use that information. There was no allegation that the defendants themselves had improperly used or disclosed the personal information.
In Owsianik, the plaintiffs argued that they had properly alleged the tort of intrusion upon seclusion because they pleaded that the defendants acted recklessly in storing the information. The Court of Appeal, however, found that unless the defendants' conduct amounted to an unlawful intrusion of the plaintiffs' privacy, the "state of mind" requirement of the tort could not be satisfied and the tort could not apply.
Similarly, in Winder, the Court rejected the plaintiffs' argument that Marriott became an intruder when it allegedly failed in its duty to protect the privacy of its customers. In Winder, the plaintiffs had willingly disclosed information to Marriott for purposes relating to the operations of Marriott's facilities. No facts were pleaded that could support the allegation that Marriott had disclosed personal information to unauthorized persons, or caused the information to be disclosed. The plaintiffs instead asserted that their consent had been provided based on Marriott's representation that the information would be held confidentially, and because Marriott allegedly knowingly or recklessly failed to meet those representations, consent was vitiated. That assertion was found to have no merit.
In Obodo, the plaintiffs argued that the defendant was an "enabler" and urged the Court to impose the equivalent of the doctrine of vicarious liability upon Trans Union to hold it accountable for the actions of the hacker. But, for the doctrine of vicarious liability to apply, an employer-employee relationship had to exist between the hacker and Trans Union. In the absence of such a relationship, Trans Union was not liable for the tort of intrusion upon seclusion.
In short, the facts of this trilogy of cases were distinguishable from the facts of the Court of Appeal's landmark 2012 decision in Jones v. Tsige [Jones], where the Court established the tort of intrusion upon seclusion because, among other things, the defendant had continually accessed the private banking records of the plaintiff without her consent. There, the defendant intruded, without lawful justification, on the private affairs or concerns of the plaintiff such that a reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish.
In the trilogy of privacy appeals, however, the defendants’ allegedly negligent storage of information did not amount to an invasion of the plaintiffs' privacy interests.
The Court of Appeal held that to expand the tort of intrusion upon seclusion to apply to database defendants would create a broad and undesirable basis for liability in intentional torts, by imposing liability on database defendants for the conduct of unknown third parties. Doing so would not be a permissible "incremental development" in the common law but would instead be a "gigantic step in a very different direction". The Court noted that the facts of the database defendant cases simply did not "cry out for a remedy" in the same manner as the facts of Jones, including because the plaintiffs in database defendant cases had recourse under existing causes of action grounded in both statute and common law.
While leave to appeal to the Supreme Court of Canada from the Court of Appeal's decisions remains pending, as the law in Ontario currently stands, plaintiffs seeking damages against database defendants have limited recourse to the tort of intrusion upon seclusion in the absence of a connection between the database defendant and the hacker.
That said, businesses that collect personal information of others must continue to maintain secure databases and avoid other grounds of liability that arise from a breach of those informational databases, as the tort of intrusion upon seclusion is but one piece of the potential liability puzzle. For instance, the Court of Appeal commented that database defendants could still be liable for damages flowing from negligence or breaches of contractual or statutory duties, where plaintiffs have suffered compensable harm.