Skip to content

Our Ontario Lawyers

When success matters, there is no substitute for the advantage that comes from experience.

Search for a lawyer below:


Search Results

We're sorry, We cannot locate any lawyers with that criteria. Please search again.

Sort By:

Experience and Expertise:

How Can We Help? We’ll be happy to match you to the right qualified Lerners Lawyer.

Not all Privacy Breaches warrant Certification of a Class Action

7 minute read
Also authored by: Jacqueline M. Palef

In the recent decision in Stewart v Demme,[1] the Divisional Court granted the defendant's appeal setting aside the order of the certification judge[2] and ultimately dismissing the plaintiff's motion to certify the proposed class action for intrusion upon seclusion. The case is yet another example of a claim for breach of privacy being rejected by the court because the claimants could not show that the breach was significant enough to warrant a remedy.

Certification Decision of Morgan J.

In the underlying certification motion before Justice Morgan, the plaintiff sought to certify a class action against a nurse and the hospital which employed her. The defendant nurse had engaged in a series of thefts of opioids, ultimately obtaining 23,932 pills. She acquired the drugs by misusing her position at the hospital to gain unauthorized access to patients' medical files, and used patient information to dispense the pills. In total, the nurse had improperly accessed the individual health records of 11,358 patients. Patients whose files were improperly accessed could be divided into two categories: those who were actually patients of the nurse or were on the unit in which the nurse worked, and those who were hospital patients but not her patients, and for whom she had access to their digital records. The plaintiffs sought damages for intrusion upon seclusion and negligence.

Justice Morgan noted the central question before him was "whether a privacy violation can be "highly offensive" and actionable even if it is fleeting and causes no harm."[3]

While Justice Morgan was satisfied the certification criteria were met, and that the claim for intrusion upon seclusion claim was a viable cause of action under s. 5(1)(a) of the certification test, he found there was insufficient evidence of a viable cause of action in negligence on a class-wide basis, as causation and damages questions were elusive.

Appeal to the Divisional Court

On appeal, the court considered the motion judge's comments that "this was not a case that cries out for a remedy." In light of his findings regarding the nature and seriousness of the intrusion, the Divisional Court held that the motion judge erred in concluding that the claim met the threshold necessary to disclose a tenable cause of action in intrusion upon seclusion and re-affirmed that this tort is a limited and specific tort developed for cases where there was a "deliberate and significant invasion of highly personal information that would be highly offensive to a reasonable person."[4] In this case, "while the information accessed was health information, the information accessed was limited, and the access was fleeting and incidental to the medication theft. Ms. Demme [the nurse defendant] was not "after" the information, nor did she retain it or share it with anyone else." The court concluded, "the medication theft cried out for a remedy, which was forthcoming; the privacy intrusion did not."[5]

The Divisional Court confirmed the proper interpretation of the leading Court of Appeal decision in Jones v Tsige,[6] noting that "Not every intrusion into private health information amounts to a basis to sue for the tort of intrusion upon seclusion. The particular intrusion must be "highly offensive" when viewed objectively having regard to all the relevant circumstances. If the case does not "cry out for a remedy," it is a signal that the high standard for certification of this limited tort may not be met."[7]

The tort of inclusion upon seclusion was not designed to offer a remedy for every situation where there is a privacy intrusion. Instead, the court reiterated, it is "designed to offer a remedy in situations where the privacy intrusion is very serious, not any privacy intrusion."[8] The court also emphasized that the significance of the intrusion is to be assessed individually and not collectively; the fact that there were 11,000+ intrusions did not mean that intrusion was significant and highly offensive.[9]

In considering the proper interpretation of Jones, the Divisional Court confirmed that for the tort of intrusion upon seclusion, "the intrusion must still be deliberate and significant to be considered "highly offensive." To find otherwise would be to "open the floodgates" to claims such as the one at issue in this proceeding, where the intrusions were fleeting, the information accessed was not particularly sensitive within the realm of health information, the intruder was not "after" the information itself, which was otherwise available to her and/or a number of other hospital staff, and there was no discernible effect on the patients."[10]


The Divisional Court has reaffirmed the high threshold to satisfy a cause of action under the tort of inclusion upon seclusion. It remains clear that evidence, or even admission, of a privacy breach will not necessarily lead to a viable privacy class action. This is particularly so where the more significant wrongful conduct, in this case, the medication theft, is being addressed by other means. This case is consistent with other decisions that have held that the nature of the information at issue in a privacy class action continues to be an important factor in assessing whether a class action is an appropriate vehicle to support this type of claim.

Privacy class actions are increasing in number but have yet to see much success in Canadian courts. As we have noted previously,[11] the courts have been reluctant to find that such a claim is viable absent evidence of actual harm resulting from a breach and amounting to more than ordinary inconvenience. As demonstrated by the decision in Stewart v Demme, a claim that does not involve a breach that is serious and significant in and of itself is also unlikely to overcome the initial hurdle of certification. Indeed, given the court's comments in this and other cases, the tort of intrusion upon seclusion does not seem well-suited to a privacy class action. It remains to be seen whether class actions premised on other privacy torts will have greater success or if plaintiffs who suffer privacy breaches will have to rely primarily on more traditional causes of action such as negligence and breach of contract.

[1] Steward v Demme, 2022 ONSC 1790.

[2] Steward v Demme, 2020 ONSC 83.

[3] Steward v Demme, 2020 ONSC 83 at para 1.

[4] Steward v Demme, 2022 ONSC 1790 at para 3.

[5] Steward v Demme, 2022 ONSC 1790 at para 3.

[6] Jones v Tsige, 2012 ONCA 32.

[7] Steward v Demme, 2022 ONSC 1790 at para 16.

[8] Steward v Demme, 2022 ONSC 1790 at para 22.

[9] Steward v Demme, 2022 ONSC 1790 at para 24.

[10] Steward v Demme, 2022 ONSC 1790 at para 27.

[11] See our earlier blog posts part 1, part 2 and part 3.

Jennifer L. Hunter

We are here to help.

Do you have any questions about your unique scenario? Feel free to reach out directly by visiting my Lerners Profile View My Full Profile