CANADA – Privacy and data breach class actions are on the rise in many jurisdictions that allow class action litigation, and Canada is no exception. Ontario’s highest appellate court recently ruled on a case involving 280 patients’ records that were improperly accessed and disclosed at an Ontario hospital. The Court affirmed a lower court decision that the representative plaintiff could seek certification of a class action based on the tort of intrusion upon seclusion.
This tort was first recognized in the Ontario Court of Appeal’s decision in Jones v Tsige. Jones and Tsige had both worked at the same bank, and Tsige had formed a common-law relationship with Jones’ ex-husband. An action for damages was brought when Jones found that Tsige had accessed her banking information 174 times over a period of four years. The Court set out the following requirements for a claim of intrusion upon seclusion to be successful:
(a) intentional or reckless conduct by the defendant;
(b) that the defendant invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
(c) that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. Actual harm is not a requirement for this tort, although the Court commented that symbolic or moral damage awards in this context should not exceed $20,000.
Prior to proposed class proceeding in Hopkins v. Kay, the hospital had taken several measures to remedy the situation, including by terminating the nurse alleged to have accessed and disclosed the patient records, and notifying all patients affected by the incident. These measures addressed the systemic shortcomings in the hospital’s data management policies, as required by Ontario’s Personal Health Information Protection Act (PHIPA). The hospital brought a motion to have the proposed class action dismissed arguing that PHIPA was a comprehensive scheme that had “occupied the field” so that claims based on the common law tort of intrusion could not proceed.
The Court agreed that PHIPA was a lengthy and detailed statute focused on protecting the collection, use, disclosure, retention and disposal of personal health information. The statute is administered and enforced to this end by Ontario’s Privacy Commissioner, who has a mandate of public protection for any contraventions of PHIPA. The Commissioner also has extensive procedural and investigative powers, and recourse to a number of orders to address contraventions. However, the Court also noted that PHIPA does not contemplate a formal adversarial hearing for the resolution of complaints brought by individuals.
In reaching its conclusion that PHIPA did not create a complete code, the Court relied on the fact that the statute itself did not indicate that it was a complete code. The Court held that individuals should be able to have redress to the courts for the common law tort of intrusion upon seclusion.
Impact of the Decision
- Common law claims for breach of privacy can be brought in Ontario’s healthcare sector and this decision may prompt more class actions in this area.
- The Supreme Court of Canada has yet to rule on whether the tort of intrusion upon seclusion exists as part of the common law, and in other parts of Canada like British Columbia or Alberta, statutory causes of actions for privacy breaches exist making recourse to the common law less desirable.
- From the extensive U.S. experience with privacy class actions, a significant hurdle for class plaintiffs is demonstrating a commonality of harm and damages. While the representative plaintiff in Hopkins v. Kay was allowed to proceed on the basis of the common law tort, it remains an unanswered question whether the class will be certified given the individual nature of the common law tort itself.
