Recently, in Winder v. Marriott International, Inc. ("Winder")1, the Ontario Superior Court of Justice reaffirmed its opinion regarding the limits of liability for the tort of intrusion upon seclusion (or invasion of privacy).

The test for intrusion upon seclusion was previously set out in Jones v. Tsige,2 the key features of which are:

  • The defendant's intrusion must be intentional (or reckless);
  • The defendant must have invaded, without lawful justification, the plaintiff's private affairs or concerns; and
  • A reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish.

Winder is especially important as it confirms that a company that has fallen victim to a hack by nefarious third parties is not considered an "intruder" within the meaning of the tort of intrusion upon seclusion. Put another way, the tort of intrusion upon seclusion does not extend to "constructive intruders".

The Decision

Marriott's hotel reservation database was hacked, and a class action was brought against the company.

The court was tasked with determining whether Mr. Winder had pleaded a legally viable cause of action against Marriott for intrusion upon seclusion.

Marriott argued that it was a victim of the hacker and not an intruder. Mr. Winder submitted that Marriott obtained confidential personal information from class members deceptively by false premises and that, as a result, Marriott was a reckless intruder that exposed the sensitive information of its guests to the risk of harm. In other words, Mr. Winder was arguing that Marriott was a "constructive intruder".

Justice Perrell went to great lengths to acknowledge the cleverness of Mr. Winder's argument. However, the court ultimately found Mr. Winder's argument insufficient, returning to and reaffirming the principles of intrusion upon seclusion as applied in Del Giudice v. Thompson3. Del Giudice v. Thompson stands as the "authority for the proposition that the tort of intrusion upon seclusion is doctrinally restricted to defendants who are 'intruders.'" Owsianik v. Equifax Canada Co.4 and Obodo v. Trans Union of Canada Inc.5 support this proposition as well.

Justice Perrell gave several reasons why Mr. Winder's argument failed and the claim was not a legally viable action:

  • Jones v. Tsige prescribed a narrow application for the tort of intrusion upon seclusion, one which does not extend to "constructive intruders" and is limited to real ones.
  • There is no gap in privacy law that needs to be filled by extending the nature of intruders. Liability for intrusion upon seclusion ought not be extended to defendants who obtain information by false pretenses, by breaching contractual promises or by failing to comply with statutorily imposed privacy safeguards.
  • Extending the tort of intrusion upon seclusion to "constructive intruders" would open the floodgates, as it would expand into liability already governed by other causes of action, such as negligence, breach of confidence and breach of contract.

Tips for Businesses

This case demonstrates the need for organizations to be diligent in guarding against privacy breaches. The availability of the tort of intrusion upon seclusion as a class action matter should concern companies given the generally low threshold for class action certification. Furthermore, while the courts did not discuss the Jones test in this case, the Jones test does not require proof of damage, increasing the likelihood that the common law tort of intrusion upon seclusion could be a basis of action in certain provinces.

Here are some guidelines that may assist businesses in protecting data containing personal information and limit privacy liability:

  • Update privacy policies and contracts that identify the scope of the authorized use of data. This is especially important in industries where large databases are common.
  • Stay up to date on, and follow, best practices regarding data storage and cybersecurity to pre-empt litigation based on causes of action such as negligence in tort or breach of contract.
  • Develop a breach protocol that is amended periodically to account for improvements in technology.
  • Ensure that record retention and destruction policies comply with existing privacy law requirements. To ensure compliance, destroy or 'anonymize' all personal information once it is no longer needed or legally required to be retained.
  • Undertake employee training initiatives to ensure familiarity and compliance with all policies and practices.

For businesses looking to develop policies and procedures, the following guidelines may be of assistance:

  • Build a security program that protects the confidentiality, integrity and availability of all information, not just personal information.
  • Develop classification standards so that personal and non-personal information, as well as sensitive and non-sensitive personal information, can be easily identified.
  • Ensure that proper security controls are in place and conduct risk assessments of all personal information.

Footnotes

1. Winder v. Marriott International, Inc., 2022 ONSC 390.

2. Jones v. Tsige, 2012 ONCA 32.

3. Del Giudice v. Thompson, 2021 ONSC 5379.

4. Owsianik v. Equifax Canada Co., 2021 ONSC 4112.

5. Obodo v. Trans Union of Canada, Inc., 2021 ONSC 7297.
