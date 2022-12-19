It has been an eventful year for privacy law in Canada. In 2022, the Canadian privacy landscape saw significant changes, as stakeholders at all levels recognized the need to keep up with a data-driven world. This article summarizes the top five recent developments that businesses and stakeholders should be aware of.

At the beginning of this year, the Ontario Superior Court rendered its decision in the case of Winder v. Marriott International, Inc. (“Winder”). Winder involved a class action brought against the Marriott after its hotel reservation database was hacked. The court considered whether the Marriott, as the victim of the hacker, could be liable for the tort of intrusion upon seclusion.

The plaintiff argued that Marriott had obtained confidential personal information from class members under ”false pretenses” and, as a result, was a “constructive intruder.” Justice Perell of the Ontario Superior Court ultimately determined that the tort of intrusion upon seclusion would remain restricted to defendants who are “intruders,” and not apply to “constructive intruders.”

On November 25, 2022, the Ontario Court of Appeal (the “Court of Appeal”) upheld the lower court's decision as part of a trilogy of cases that would firmly reject the pleading of the tort of intrusion upon seclusion by plaintiffs who advance proposed class actions against companies that suffer a third-party data breach. Alongside two other cases—Owsianik v. Equifax Canada Co. and Obodo v. Trans Union of Canada, Inc.—the Court of Appeal's decision in Winder precludes the certification of class actions in cases where a third party has accessed stored personal information of customers, but there is no evidence of resulting harm to those customers.

Using the test under 5(1)(a) of the Ontario Class Proceedings Act, 1992, the Court of Appeal determined that it was plain and obvious in each of the three cases that the claim for intrusion upon seclusion could not succeed on the pleaded facts, because it was the hacker's conduct in illegally obtaining the stored information, not the company's alleged failure to protect it, that constituted the “intrusion.” A company's recklessness with respect to the storage of the information, for example, would not satisfy the conduct requirement of the tort of intrusion upon seclusion. Finally, the Court of Appeal noted that refusing to extend the tort of intrusion upon seclusion to a third-party hack does not leave plaintiffs whose information has been accessed in a data breach without a remedy.

Bonus: OPC Releases First Finding of the Year

On June 1, 2022, the OPC released findings from an investigation against the Tim Hortons app. It was discovered that the app extensively tracked the exact locations of its users, revealing up to 2,700 collections for one user over a five-month period. The granular location data that Tim Hortons collected through the app was not used for the intended purpose of targeted marketing and was found to be unacceptable due to the frequency and amount of sensitive data collected. The consents from Tim Hortons gathered from users of the app were found to have been obtained without proper disclosure, as users were unaware that the app tracked data even when not being used. Further, the OPC's findings addressed inadequate contractual protections between Tim Hortons and a third-party service provider that assisted the coffee giant with collecting the sensitive personal information.

Conclusion

This year has brought a number of new developments to the privacy and cybersecurity space, making this a rapidly evolving area that businesses can no longer afford to ignore. In light of significant new enforcement mechanisms and heightened penalties for privacy violations, it is becoming increasingly important to ensure that organizations have up-to-date privacy management procedures and processes to remain in compliance with newly-introduced regulations (or soon-to-be introduced regulations). Businesses are encouraged to reach out to the Technology, Privacy & Data Management Group at Torkin Manes with questions and to receive business-specific recommendations.