The Ontario Court of Appeal recently ruled that an organization that fails to take adequate steps to safeguard personal information in its possession cannot be held liable under the tort of intrusion upon seclusion when that personal information is accessed by unauthorized third-party hackers, although the organization may well be liable for claims based on contract, negligence or statutory causes. This is significant because, while successful claims for intrusion upon seclusion need not prove pecuniary loss, such losses must be proved for claims grounded in negligence or contract, which can be more difficult in a class action.

Background

In the case of Owsianik v Equifax Canada, 2022 ONCA 813 ("Owsianik"), the Ontario Court of Appeal (the "ONCA") considered three grouped appeals, each arising from a separate class action that was at the certification stage. 1

The facts in each proceeding were similar—a database containing vast amounts of personal information was breached by third-party hackers, acting independently from, and against the interests of the operators of the databases (which the Court termed "Database Defendants"). In each case the plaintiffs sought to apply the tort of intrusion upon seclusion to such defendants who, for commercial purposes, collected and stored the personal information of others, and who allegedly failed to take adequate steps to protect that information, thereby allowing third-party hackers to access and/or use the personal information. Although they were successful in obtaining certification to proceed with other claims, each of the three representative plaintiffs, on behalf of their respective identified classes, appealed from lower court rulings that refused to certify the intrusion upon seclusion claim.

In all three proceedings, the Database Defendants argued that the intrusion upon seclusion claim should not be certified because, as pleaded, it did not disclose a cause of action as required by section 5(1)(a) of the Class Proceedings Act. The Database Defendants submitted that the tort of intrusion upon seclusion targets those who had actually invaded or intruded upon the privacy of a plaintiff, by accessing that plaintiff's private information and that the tort could not reach Database Defendants whose inadequate security measures may have allowed others, with no connection to the Database Defendants, to access the private information stored in the databases.

Analysis

Overview of the Tort of Intrusion Upon Seclusion

The common law right to privacy was first recognized in Ontario in 2012 in Jones v Tsige, 2012 ONCA 32 ("Jones"). In Jones, the plaintiff and defendant were employees of the Bank of Montreal, and the plaintiff maintained her primary bank account there. Because of her job function, the defendant had full access to Jones' banking information. The defendant, who was in a common-law relationship with Jones' ex-husband, accessed Jones' banking records at least 174 times, contrary to the bank's policy.

In Jones, the ONCA endorsed the following statement as a summary of the elements of the tort of "intrusion upon seclusion":

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

Three elements are required to establish the tort of intrusion upon seclusion:

(1) the defendant must have invaded, without lawful justification, the plaintiff's private affairs or concerns (conduct requirement);
(2) the defendant's conduct must be intentional or reckless (state of mind requirement); and
(3) a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish (consequence requirement).

Lack of Required Conduct

In the view of the ONCA in Owsianik, the plaintiffs' case failed at the conduct requirement of the tort of intrusion upon seclusion. The conduct component of the tort requires that the defendant invaded the plaintiff's private affairs or concerns without lawful justification. In this case, the Database Defendants did not themselves invade the plaintiff's private affairs—they stored, accessed, and used the data for commercial purposes under contracts with those whose data was stored. The plaintiffs alleged that the intrusion occurred when "the [Database Defendants] failed to take appropriate steps to guard against unauthorized access to sensitive" personal information involving the class members' private affairs or concerns. However, the ONCA held that Database Defendants failing to take steps to prevent independent hackers from invading the plaintiff's private affairs did not amount to invading the private affairs of the plaintiffs.

The plaintiffs also submitted that their claim of intrusion upon seclusion discloses a cause of action because the Database Defendants acted recklessly. However, the ONCA clarified that the reckless component of the tort is part of the state of mind requirement, not the conduct requirement.

Incremental Development in the Common Law

The plaintiffs submitted that the extension of the tort from the actual intruder to entities who fail to adequately protect information in their possession is a natural, incremental development in the common law. The ONCA disagreed, holding that extending the tort of intrusion upon seclusion would "create a new and potentially very broad basis for a finding of liability for intentional torts". Intentional torts require that the defendant engage in the proscribed conduct with a specified state of mind. The Court noted that by extending the tort of intrusion upon seclusion, the scope of intentional torts would be expanded such that a defendant could be liable for an intentional tort committed by anyone if the defendant owed a duty under contract, tort, or statute to protect the plaintiff from the conduct amounting to the intentional tort.

Furthermore, the ONCA held that extending the tort of intrusion upon seclusion would drastically reconfigure the border between the defendant's liability for the tortious conduct of third parties and the defendant's direct liability. The law of negligence in Canada regarding a defendant's potential liability for the tortious conduct of a third party is well-developed. In these cases, liability would be imposed if the plaintiff can show that the Database Defendants had an obligation at tort, under contract, or under statute to protect the private information stored in its database from access by third-party hackers, and failed to do so, thereby causing economic harm to the plaintiffs. In short, the Court stated, "negligence cannot morph or be transformed into an intentional tort".

Consistency with American Case Law

The plaintiffs also argued that expanding the tort of intrusion upon seclusion to capture situations such as this one would be consistent with American case law. The ONCA disagreed, stating that it could not arrive at a generalized conclusion about the state of the law, due to the quantity of American caselaw, the different statutory provisions at play in the cases, and the fact that the outcomes of the cases turned on a variety of legal principles.

Inadequate Remedies

Lastly, the plaintiffs alleged that, as in Jones, they were left in circumstances that "cry out for a remedy" because the remedies available against Database Defendants in a claim based on breach of contract, negligence or statute are inadequate. The ONCA distinguished the plaintiffs in this case from the plaintiff in Jones, as the plaintiff in Jones had no remedy of any kind against the defendant who had intentionally invaded her privacy; by contrast, in the claims considered in Owsianik, the plaintiffs could sue the hackers for invasion of privacy, or could sue the Database Defendants for breach of contract, negligence, or under statutory causes. While the ONCA acknowledged that identifying the hackers to be able to sue for invasion of privacy was a major, if not impossible, obstacle to overcome, it stated that "the inability to sue the actual hackers is not [...] justification for creating a remedy against a different defendant who has committed a different tort for which the plaintiffs have all the usual remedies available to them".

The ONCA noted that the plaintiffs' "no remedy" argument really came down to the assertion that, because the remedies in contract and negligence require proof of pecuniary loss, the plaintiffs, who could not prove pecuniary loss, were left without a remedy. The Court rejected this argument, noting that this was not what the court intended in Jones when it described the plaintiff as being without a remedy, further noting that the plaintiffs in the cases considered in Owsianik were in the same position as anyone else who advances claims in negligence or contract: pecuniary loss must be demonstrated.

In obiter comments, the ONCA noted that the risk presented by the accumulation of private personal information by Database Defendants is real, and that it may be that existing common law remedies do not adequately encourage Database Defendants to take all reasonable steps to protect the personal information under their control. However, the Court stated that this risk is one better addressed by Parliament and the legislatures, rather than the courts.

The author would like to acknowledge the support and assistance of Renée Taillieu, articling student at law.

Footnote

1. The other two cases are Obodo v Trans Union of Canada, Inc, 2022 ONCA 814 [Obodo] and Winder v Marriott International, Inc, 2022 ONCA 815 [Winder].
