On November 25, 2022 the Ontario Court of Appeal released three decisions clarifying the scope of the common law tort for invasion of privacy called “intrusion upon seclusion”. These cases are Owsianik v Equifax Canada Co., Obodo v Trans Union of Canada, Inc. and Winder v Marriott International, Inc.
The issue before the Court was “whether a claim for intrusion upon seclusion can succeed against the collectors and custodians of private information (“Database Defendants”) where they are alleged to have acted recklessly in the storage of that information such that the information was improperly accessed by a third-party”. In short, the answer is no.
Background on the tort of intrusion upon seclusion
The tort of intrusion upon seclusion was first introduced in Ontario by the Court of Appeal’s decision in Jones v Tsige. In that case, the Court found Tsige liable for accessing, without authorization, the personal banking records of her common-law partner’s ex-wife almost 200 times.
Three elements must be present in order to establish the tort of intrusion upon seclusion:
- Intentional or reckless conduct by the defendant;
- Invasion, “without lawful justification”, by the defendant into “the plaintiff’s private affairs or concerns”; and
- “That a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish”.
In addition to the above, “a claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy”.
The recent Ontario Court of Appeal decisions
In all three cases, third-party hackers entered the defendants’ computer servers/databases and accessed the personal information of the defendants’ customers. Class actions were proposed, including allegations that the defendants intruded upon the seclusion of class members by recklessly maintaining insufficient data protection protocols.
The Court held that the Database Defendants’ failure to take appropriate data protection measures “is actionable in different ways, but does not support a claim of intrusion upon seclusion”. In reaching this conclusion, the Court emphasized the high degree of intention or recklessness required under the first element of the tort. The tort “requires an act by the defendant which amounts to a deliberate intrusion upon, or invasion into, the plaintiffs’ privacy”.
A deliberate intrusion was present in Jones v Tsige where the defendant “admitted that she had, without lawful excuse, taken advantage of her employment to look at the plaintiff’s banking records and related information”.
By contrast, the Database Defendants in the present cases did not directly interfere in the plaintiffs’ privacy interests. They were allegedly negligent in the storage of customer information, or reckless as to the consequences of negligent storage. However, the Court found this fell short of a deliberate invasion, and so the Database Defendants cannot be liable for intrusion upon seclusion.
- Database Defendants failing to take sufficient data protection measures to safeguard customers’ personal information from hackers are unlikely to be liable for intrusion upon seclusion so long as the third-party hackers are acting independently.
- The tort of intrusion upon seclusion is an intentional tort that requires conduct, either intentional or reckless, that amounts to a deliberate invasion of privacy.
- Liability may still arise for Database Defendants through claims of negligence, breach of contract or breach of statutory obligations.