Our last installment of this series discusses where privacy law torts are heading and what we can expect in the near future from the courts and legislature alike.
1. Courts Country Wide Continue to Tackle "Revenge Porn" Cases
In March of this year, a Manitoba court awarded Brittany Roque $60,000 when her private intimate photos were maliciously shared with the Brandon Police Service (BPS), her potential employer1. Years prior, Roque had been in a relationship with a Brandon police officer. The officer's then romantic partner, Terry Lynn Peters, found Roque's images and shared them with the BPS.
Roque sued the BPS and Peters, who shared the images. The court awarded Roque $45,000 in general damages, finding the BPS and Peters jointly liable. The court specifically found Peters liable for $15,000 in aggravated damages. Importantly, Roque's civil suit was brought under Manitoba's Intimate Image Protection Act, passed in 2016. Not all provinces have this kind of legislation, including Ontario. In 2017, Alberta followed suit, and in 2018, Nova Scotia and Newfoundland passed their own legislation. Saskatchewan amended its Privacy Act in 2018 to create a right of action against people who share intimate images. Notably, this amendment created a 'reverse onus' where the distribution of an intimate image is presumed to be without the person's consent. Although the Criminal Code makes it an offence to share an intimate image without consent, protections for victims in the civil context are important to deter and punish perpetrators.
Will Ontario follow suit with its own legislation, or will it rely on the court's recognition of the tort of public disclosure of embarrassing private facts to regulate the offence of sharing private photos online? Interestingly, Alberta's Protecting Victims of Non-Consensual Distribution of Intimate Images Act2, was not relied on in the recent intimate image sharing case of E.S. v Thomas Shillington3, because the offences occurred before the Act was passed in 2017. Instead, the plaintiff asked the court to recognize the tort of public disclosure of private facts, which the court did. Recognizing this tort has the advantage of ensuring that individuals are not hampered by the rule prohibiting the retrospective application of statutes.
Overall, the court's willingness to anonymize court proceedings and award aggravated and/or punitive damages on top of the plaintiffs' general damages claim suggests that these cases will continue to set an important precedent not only in Ontario, but throughout Canada.
2. What Do These Torts Mean for Businesses?
As seen in the recent Manitoba case discussed above, businesses may be found liable under these torts and/or statutes.
In that case, the City of Brandon (the Brandon Police Service) was added as a Third Party by Peters. Justice Zinchuk noted that the city did not defend the Main Action. As such, the city was bound by the order in the Main Action and was held jointly liable for $45,000 in general damages. The police officer involved had collected the intimate images from Peters and used them to assess Roque's application to join the BPS. It was uncontested that once the application process had been wrapped up, the BPS permanently destroyed the images. Despite this, Justice Zinchuk found that the police officer involved actively took steps to collect Roque's intimate images, acting in "common design" with Roque. Further, Justice Zinchuk noted that the police officer committed the tort of breach of privacy as he received, viewed, and used Roque's images without her consent.
Businesses should be very wary of collecting any kind of image which could be classified as "intimate," especially if that collection involves a potential or current employee. Further, businesses should be aware that courts have also suggested that "private facts" could include health or financial information collected without the individual's consent.
3. Class Actions and Privacy Torts
Despite what appears to be the burgeoning development of privacy law, it is notable that courts have remained steadfast in their dismissal of class action lawsuits based on privacy breaches when the elements required for certification are not met.
Courts have continued to deny certification to classes when the plaintiffs are unable to demonstrate compensable damages, especially in cases where the business is considered a "database defendant," which stores private information inappropriately accessed by third parties. In these cases, courts across the country have generally held that a mere breach is insufficient. Notably, courts have rejected extending the principles found in Jones v Tsige, where compensable damages are not a required component. You will recall that in intrusion upon seclusion cases, the plaintiff must demonstrate that the defendant intentionally or recklessly intruded on the plaintiff's privacy and that a reasonable person would find the intrusion offensive. The extension of the intrusion upon seclusion tort was most recently rejected by the Ontario Divisional Court in Owsianik v. Equifax Canada Co4. This is not to say that a court would take the same approach if the database defendant itself were somehow responsible for the privacy violation as opposed to being "hacked" by third parties.
Overall, plaintiffs involved in widespread data breach violations need to be cognizant that courts will continue to take their gatekeeping function seriously for class action matters.