Introduction
In a recent trifecta of cases, Oswianik v. Equifax Canada Co., Obodo v. Trans Union of Canada, Inc., and Winder v. Marriott International, Inc., the Court of Appeal for Ontario has provided clarity with respect to the scope of the tort of intrusion upon seclusion, finding that defendants who store personal information of individuals (corporate entities in these cases) cannot be held liable in circumstances where that personal information is illegally accessed or stolen.
All three decisions involved class action certification motions against defendants who collected and stored personal information of the proposed plaintiff class (the “Tort Defendants”) that was stolen or accessed by unidentified individuals in large-scale data breaches. The representative plaintiffs argued that the Tort Defendants had been reckless in their collection and storage of personal information and that the intrusion would be considered highly offensive to a reasonable person.
Ultimately, the Court of Appeal for Ontario denied certification against the Tort Defendants in all three cases for the reasons detailed below.
Intrusion upon Seclusion, Generally
The tort of intrusion upon seclusion was established in the seminal Jones v. Tsige case in 2012.[1] In Jones, the court established a tort where a defendant intentionally, or recklessly, invades a plaintiff’s private affairs or concerns without lawful justification. The invasion must be one that a reasonable person would find to be highly offensive, or causes distress, humiliation, or anguish.[2]
Notably, the plaintiff did not need to establish proof of harm, a boon to plaintiffs who no longer needed to prove actual damages, with the court awarding what has been referred to as ‘moral damages.’
The Decision of the Court Regarding Tort Scope
The foundation for the court’s decision was detailed in Oswianik, with the other two decisions adopting the analysis therein.
In Oswianik, the court found that the intention or recklessness must relate to the act of invasion; specifically, the defendant must be the one who invaded the plaintiff’s privacy, whether intentionally or recklessly.[3] Here, the Tort Defendants were not the ones who actually committed the invasion; thus, they could not be found liable for the tort of intrusion upon seclusion.[4] Whether the Tort Defendants were negligent in their collection and safeguarding of personal information could not provide a foundation for a claim under the tort of intrusion upon seclusion. Accordingly, the court refused to certify the claim against the Tort Defendants.
The court specifically noted that the limiting of the scope of the tort was in line with the specific scenarios that Jones contemplated,[5] wherein it was noted that Jones was not meant to ‘open the floodgates’[6] of potential claims.
The court noted that, theoretically, the plaintiffs could pursue claims against the Tort Defendants for negligence or breach of contract but acknowledged such claims would require proof of a pecuniary loss, as opposed to moral damages, which could be difficult.[7]
Key Takeaways Regarding Data Breaches
Those who routinely collect and store personal information have undoubtedly breathed a sigh of relief in light of the Court of Appeal for Ontario’s decision in these three cases. The narrowing of the scope of the tort will prevent potentially broad exposure to those that collect and store personal information in the event of a data breach. Furthermore, plaintiffs will be required to prove actual damages due to the breach, a greater burden than that required to prove a claim by moral damages.
It appears that Parliament has recognized the disadvantage that people who suffer data breaches may experience in seeking compensation. Bill C-27, the Digital Charter Implementation Act, 2022 which is currently undergoing its second reading in the House of Commons, contemplates a Consumer Privacy Protection Act (“CPPA”), which would repeal parts of PIPEDA[8] and “replace it with a new regime governing the collection, use, and disclosure of personal information for commercial activity in Canada.” Under the CPPA, as currently contemplated, an individual will be able to sue a personal information collector for compensation where a Privacy Commissioner decides that the personal information collector violated that individual’s privacy under the CPPA.
Accordingly, those who collect and store personal information should continue to ensure that they have proper systems and resources in place to prevent data breaches.
[8] Personal Information Protection and Electronic Documents Act
