How would you react if you discovered that someone had accessed your bank records more than 174 times, without authorization or any lawful reason? Sandra Jones ("Jones") reacted by suing for invasion of privacy. Her action was summarily dismissed by the Ontario Superior Court of Justice on the basis that Ontario does not recognize common law privacy rights, and Jones was ordered to pay $30,000 in costs to the woman who had repeatedly invaded her privacy.

This week, the Ontario Court of Appeal overturned the lower court's decision.1 In the process, the Court definitively recognized a new common law tort: "intrusion upon seclusion." This decision represents an important evolution in Canadian privacy law, which will affect businesses and individuals. In particular, this case has the potential to significantly impact private-sector, provincially-regulated employers in Ontario and other provinces that do not currently have data protection legislation applicable to employment matters.

Background

Jones was an employee of the Bank of Montreal, where she also had a personal bank account. Winnie Tsige ("Tsige") worked for a different branch of the same bank. Although the two women did not know one another, Tsige was in a common law relationship with Jones' former husband. Over the course of four years, Tsige used her work computer to view Jones' personal banking activity on more than 174 occasions. Such activity was conducted without authorization and for purely personal reasons. When Jones discovered that Tsige had repeatedly gained access to her confidential information, she brought an action for invasion of privacy.

Although Tsige admitted to accessing her colleague's bank account, at first instance, the Court ruled that Jones' claim could not succeed because Ontario common law does not recognize a tort of invasion of privacy. The Court's reasoning relied upon an off-hand comment in a prior, unrelated Court of Appeal decision. In addition, the Court indicated that privacy legislation in Canada constituted a balanced and carefully nuanced system for addressing privacy concerns.

The lower Court's reasoning contained some significant flaws. Courts have been considering the existence of a common law cause of action for invasion of privacy for over 100 years, and a number of cases have suggested that privacy rights should be recognized. Moreover, there are significant gaps in the statutory framework. For example, the Personal Information Protection and Electronic Documents Act ("PIPEDA") does not provide any recourse for privacy intrusions by individuals or persons who are not engaged in commercial or employment activities. Further, in Ontario and a number of other jurisdictions, there is no privacy legislation applicable to employment matters for private-sector, provincially-regulated employers.

Intrusion Upon Seclusion: Ontario's Newest Tort

The Ontario Court of Appeal overturned the Superior Court of Justice decision, ruling in favour of Jones and recognizing a new common law tort: "intrusion upon seclusion." The new tort is a subset of the broader invasion of privacy category, which includes other recognized and potential causes of action. A central rationale for the recognition of the new cause of action was the unprecedented power to capture and store vast amounts of personal information using modern technology. In the last century, technological changes included the invention of near-instant photography and the proliferation of newspapers. Today, highly sensitive personal information can now be accessed with relative ease, including financial and health information as well as data related to individuals' whereabouts, communications, shopping habits and more. The Court found that the common law must evolve in response to the modern technological environment.

The Court of Appeal followed the approach that has been developed in the United States, and formulated the new tort as follows:

One who intentionally [or recklessly] intrudes, physically or otherwise, upon the seclusion of another or his [or her] private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

It is significant that this test includes an objective standard, such that the invasion of privacy must be "highly offensive" to a "reasonable person." The Court also acknowledges that the protection of privacy may give rise to competing claims, such as freedom of expression, which may trump privacy rights.

It is also noteworthy that the tort of intrusion upon seclusion is actionable without economic harm. However, the Court indicated that an upper ceiling of $20,000 is appropriate in cases where there is no evidence of economic harm. Punitive and aggravated damages may also be possible in egregious circumstances. The Court listed the following factors relevant to assessing damages:

  1. the nature, incidence and occasion of the defendant's wrongful act;
  2. the effect of the wrong on the plaintiff's health, welfare, social, business or financial position;
  3. any relationship, whether domestic or otherwise, between the parties;
  4. any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and
  5. the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.

Upon consideration of these factors, Jones was awarded damages of $10,000 in this case.

Importance For Employers

Although this case did not involve any intrusion on Jones' privacy by her employer, this case has significant implications for provincially-regulated employers in Ontario and other provinces that currently have no privacy legislation applicable to private-sector employment matters.

Employers are frequently required to balance the privacy of employees with the need to effectively manage their businesses. In the absence of applicable legislation, employers often take the position that they are entitled to engage in activities that could be considered intrusions upon privacy, including video and computer monitoring, pre-employment background checks, and searches of employees and their property. Although some arbitrators have placed limits on these types of activities in unionized workplaces, prior to Jones v. Tsige, it was unclear whether non-union employees had any recourse to dispute potential invasions of their privacy. Now that it is clear that common law privacy rights exist in Ontario, it is likely that intrusion upon seclusion claims will arise in employment cases. For example, employees may add such claims in constructive dismissal cases where an employer implements video monitoring, or where the employee is dismissed for inappropriate use of technology discovered through computer monitoring. It will be interesting to see how the courts apply this new tort in the employment context.

Practical Tips

Courts and litigants will doubtless wrestle with intrusion upon seclusion claims in the months and years ahead. The best defence against such claims is to prepare and enforce reasonable, effective privacy policies. Organizations that were already subject to privacy legislation, such as PIPEDA or provincial health privacy legislation, may be better prepared to defend against this new cause of action, but should still be mindful of whether their privacy policies address this new source of potential liability.

On the other hand, prospective plaintiffs should consider the Court's reasoning respecting damages. In the past, plaintiffs have claimed hundreds of thousands of dollars for privacy breaches. Today, the potential for damages has been significantly curtailed, and plaintiffs would be well-advised to consider whether the cost and risks of litigation are worthwhile.

Footnotes

1 Jones v. Tsige, 2012 ONCA 32.

The foregoing provides only an overview. Readers are cautioned against making any decisions based on this material alone. Rather, a qualified lawyer should be consulted.

© Copyright 2012 McMillan LLP