The Ontario Court of Appeal (the "Court") recently released three decisions in class actions about expanding on the tort of intrusion upon seclusion. The Court limited the tort's application, particularly concerning parties who do not commit the "intrusion." This is consistent with other recent Ontario decisions, including another appeal decision in a class action recently released by the Divisional Court.
Owsianik v Equifax Co. (2022 ONCA 813).
In Owsianik v Equifax Co [Owsianik]1, the Court held that the defendant company did not commit the tort of intrusion upon seclusion because it did not intrude on the plaintiffs' privacy. The Court declined to certify the proposed class action under the Class Proceedings Act (the "Act").2
Equifax Canada Co. ("Equifax") provides credit reporting and credit protection services to its customers. It stored large amounts of its customers' personal information to carry out these services. In 2017, hackers unlawfully accessed Equifax's customer database. The hackers accessed social insurance numbers, names, dates of birth, credit card numbers, and other sensitive personal information. The plaintiffs alleged Equifax was liable for the tort of intrusion upon seclusion.
The Court categorized the elements of the tort originally established in Jones v Tsige3 as follows:
- The defendant must have invaded or intruded upon the plaintiff's private affairs or concerns without lawful excuse [the conduct requirement];
- The conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and
- A reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation, or anguish [the consequence requirement].4
The plaintiffs alleged that Equifax acted recklessly in not protecting their personal information. Though recklessness or willful blindness may be relevant to the state of mind requirement, the plaintiffs did not allege that Equifax unlawfully accessed their personal information. Thus, the plaintiffs did not establish the conduct required for the tort of intrusion upon seclusion because Equifax did not commit the intrusion; the hackers did.
The Court also confirmed this was a legal issue that could be determined on certification. Under section 5(1)(a) of the Act, a court cannot certify a class proceeding unless the pleadings disclose a cause of action.5 This is a legal question, and the judge determines it, assuming all the factual allegations are true. The Court confirmed that when a claim's validity turns exclusively on the validity of a legal question, a certification judge may examine and apply the law to determine if the claim is "plainly doomed to fail and should be struck."6 Since Equifax did not commit the conduct requirement of the tort, the Court did not certify the action.
Obodo v Trans Union of Canada, Inc. (2022 ONCA 814).
The Court in Obodo v Trans Union Canada, Inc. [Obodo] held that the defendant company was not liable for the tort of intrusion upon seclusion.7 Trans Union of Canada ("Trans Union"), like Equifax, stored personal information to provide credit-reporting services to its customers. Third-party hackers used stolen customer credentials to gain unauthorized access to Trans Union's customer database, containing 37,000 Canadians' social insurance numbers and debt information. The Court cited its reasons in Owsianik to explain why it did not certify this class action and added that Trans Union was not vicariously liable for the hackers' conduct.
Winder v Marriot International, Inc. (2022 ONCA 815).
Like Owsianik and Obodo, in Winder v Marriot International, Inc., third-party hackers accessed Marriot's reservation database.8 The database contained customers' personal information, such as passport numbers and payment information. The representative plaintiff also tried to argue that Marriot invaded its customers' privacy when it inadequately stored their personal information. The Court held that this, too, did not meet the conduct required for the tort of intrusion upon seclusion and did not certify the class action.
Broutzas v Rouge Valley Health System (2023 ONSC 540).
A recent decision from the Divisional Court is consistent with these decisions. In Broutzas v Rouge Valley Health System, rogue hospital employees accessed new mothers' patient records and sold their personal information to Registered Educational Savings Plan ("RESP") salespeople. The salespeople used the information to sell RESP plans to new mothers. The Divisional Court upheld the motion judge's decision declining to certify this class action against the RESP salespeople because, although they received the information, they did not obtain it.
Conclusion
Companies storing their client's personal information are not liable for the tort of intrusion upon seclusion where third parties unlawfully access the company's database. If a corporation is reckless in protecting the information, or is willfully blind to their inadequate cybersecurity measures, they may be liable for other torts, such as negligence. Whether the tort of intrusion upon seclusion applies in these circumstances is a legal question that can be determined by the certification judge.
Footnotes
1. 2022 ONCA 813 [Owsianik].
2. Class Proceedings Act, 1992, SO 1992, c 6.
3. 2012 ONCA 32.
4. Owsianik at para 54.
5. Class Proceedings Act, 1992, SO 1992, c 6 at s 5(1)(a).
7. 2022 ONCA 814.
8. 2022 ONCA 815.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.