In a recent decision by the Honourable Justice Paul Perell, the Ontario Superior Court of Justice has again declined to expand the scope of the tort of intrusion upon seclusion to apply to companies that suffer data breaches. Following a line of recent cases on this issue, Winder v. Marriott International, Inc., 2022 ONSC 390 reaffirmed the ambit of intrusion upon seclusion as a tort that can only be advanced against defendants who are "intruders".
Background
The tort of intrusion upon seclusion was established in Ontario law by the Court of Appeal for Ontario's decision in Jones v. Tsige, 2012 ONCA 32 (our review of which is found here). Jones v. Tsige established a new cause of action (i.e., a basis on which you can make a civil claim) in Ontario for the privacy tort of "intrusion upon seclusion". The facts of Jones v. Tsige involved a bank employee accessing the financial records of her ex-husband's new partner approximately 174 times over a span of four years. The Court held that it was presented "with facts that cry out for a remedy". The Court adopted the new tort from the U.S. Restatement (Second) of Torts (2010), and affirmed the following elements:
- The defendant's conduct must be intentional, which includes recklessness;
- The invasion must be of the plaintiff's private affairs or concerns and without lawful justification; and
- A reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized interest is not an element of the cause of action.
Since 2012, a number of cases have tested the boundaries of the tort. The courts have generally remained disciplined about maintaining the narrow scope of the tort envisioned by the Court of Appeal in Jones v. Tsige. More recently, the courts have been asked to weigh in on the potential applicability of the tort to companies that experience and are sued in respect of data breaches involving their databases. Again, the courts have generally upheld the parameters of the tort.
In a split decision in Owsianik v. Equifax Canada Co., 2021 ONSC 4112, the Divisional Court set aside the certification of a class proceeding on the tort of intrusion upon seclusion where the defendants had suffered an unauthorized security breach that exposed customer data to hackers. The majority in Owsianik found the act of intrusion to be a central element of the tort. Citing the Court of Appeal's concern about opening the floodgates of liability, the Court declined to extend liability to a person "who does not intrude, but who fails to prevent the intrusion of another." The majority held that doing so would constitute more than an incremental change to the common law. The majority concluded resoundingly that the tort of intrusion upon seclusion "has nothing to do with a database defendant".
Following Owsianik, in Del Giudice v. Thompson, 2021 ONSC 5379, Justice Perell struck a claim for intrusion upon seclusion in a proposed class action arising from a data breach involving Capital One, Github, and Amazon Web. Justice Perell found that a failure to prevent an intrusion, even a reckless failure to prevent, is not an intrusion. Justice Perell held that a failure to prevent does not possess the requisite degree of intentionality of conduct. Justice Perell further held that the defendants' failure to prevent the breach was not "highly offensive causing distress, humiliation, or anguish to a reasonable person", as required.
In Obodo v. Trans Union of Canada, Inc., 2021 ONSC 7297, another case involving a data breach, Justice Glustein followed the Divisional Court ruling in Owsianik in finding that the tort did not apply to the database defendant in a hacker attack.
Background to Winder v. Marriott
In Winder v. Marriott, the plaintiffs brought a proposed class action against Marriott after the hotel chain's reservations database was hacked and customer personal information was alleged to have been compromised as a result.
The parties used Rule 21(1)(a) of the Rules of Civil Procedure to put a question of law before the Court: had the plaintiff pleaded a legally viable cause of action in intrusion upon seclusion against Marriott? The plaintiff sought to distinguish Owsianik, Del Giudice, and Obodo by arguing that on the facts of the case Marriott itself was akin to a hacker, and therefore within the scope of the tort. More specifically, the plaintiff argued that Marriott had obtained the class members' personal information on false pretenses, thereby rendering itself a reckless intruder that exposed stored personal information to the risk of being hacked.
Justice Perell rejected the argument and found the plaintiff had not pleaded a legally viable cause of action against Marriott. Justice Perell was ultimately unable to distinguish the claim from those that had sought to be advanced in Owsianik, Del Giudice, and Obodo.
In his analysis, Justice Perell placed considerable weight on the "intrusion" element. He declined to find that the facts as pleaded were sufficient to make Marriott an intruder for the purposes of the tort. At most, he held, Marriott might be construed as a "constructive intruder", but such a characterization would not attract liability under the intrusion upon seclusion tort. Pointing to the original intention of the Court of Appeal in Jones to prescribe a narrow ambit for the tort, he concluded that intrusion upon seclusion "does not extend to constructive intruders and is limited to real ones."
Justice Perell found that the "pith and substance" of the claims were the other causes of action advanced in the proposed proceeding. Justice Perell held that there was no gap in the law of privacy that needed to be filled by broadening the nature of intruders. Extending the tort to include constructive intruders would open the floodgates and unnecessarily expand the scope of liability under the tort. Justice Perell declined to consider potential tactical or procedural advantages of using the tort in a class setting in considering the viability of the proposed claim.
Why This Case Matters
Winder v. Marriott is another statement from Ontario courts regarding the specifically defined elements of the intrusion upon seclusion tort. Specifically, in the data breach context, the tort does not extend to incidents in which a defendant has failed to prevent a privacy breach. While such scenarios may attract liability from other areas of law, the courts have held the floodgates on the privacy tort for the time being and are unlikely to entertain claims of intrusion upon seclusion brought against defendants whose databases have been breached.
To view the original article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
