Latest Posts
Search for:
Privacy

Ontario Court of Appeal halts “intrusion upon seclusion” claims against defendants whose databases are hacked by third-parties

By , and 3 Mins Read

Introduction

On November 25, 2022 the Ontario Court of Appeal released three decisions clarifying the scope of the common law tort for invasion of privacy called “intrusion upon seclusion”. These cases are Owsianik v Equifax Canada Co., Obodo v Trans Union of Canada, Inc. and Winder v Marriott International, Inc.  

The issue before the Court was “whether a claim for intrusion upon seclusion can succeed against the collectors and custodians of private information (“Database Defendants”) where they are alleged to have acted recklessly in the storage of that information such that the information was improperly accessed by a third-party”. In short, the answer is no.

Background on the tort of intrusion upon seclusion

The tort of intrusion upon seclusion was first introduced in Ontario by the Court of Appeal’s decision in Jones v Tsige. In that case, the Court found Tsige liable for accessing, without authorization, the personal banking records of her common-law partner’s ex-wife almost 200 times.

Three elements must be present in order to establish the tort of intrusion upon seclusion:

  1. Intentional or reckless conduct by the defendant;
  2. Invasion, “without lawful justification”, by the defendant into “the plaintiff’s private affairs or concerns”; and
  3. “That a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish”.

In addition to the above, “a claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy”.

The recent Ontario Court of Appeal decisions

Inall three cases, third-party hackers entered the defendants’ computer servers/databases and accessed the personal information of the defendants’ customers. Class actions were proposed, including allegations that the defendants intruded upon the seclusion of class members by recklessly maintaining insufficient data protection protocols.

The Court held that the Database Defendants’ failure to take appropriate data protection measures “is actionable in different ways, but does not support a claim of intrusion upon seclusion”. In reaching this conclusion, the Court emphasized the high degree of intention or recklessness required under the first element of the tort. The tort “requires an act by the defendant which amounts to a deliberate intrusion upon, or invasion into, the plaintiffs’ privacy”.

A deliberate intrusion was present in Jones v Tsige where the defendant “admitted that she had, without lawful excuse, taken advantage of her employment to look at the plaintiff’s banking records and related information”.

By contrast, the Database Defendants in the present cases did not directly interfere in the plaintiffs’ privacy interests. They were allegedly negligent in the storage of customer information, or reckless as to the consequences of negligent storage. However, the Court found this fell short of a deliberate invasion, and so the Database Defendants cannot be liable for intrusion upon seclusion.

Takeaways  

  • Database Defendants failing to take sufficient data protection measures to safeguard customers’ personal information from hackers are unlikely to be liable for intrusion upon seclusion so long as the third-party hackers are acting independently.
  • The tort of intrusion upon seclusion is an intentional tort that requires conduct, either intentional or reckless, that amounts to a deliberate invasion of privacy.
  • Liability may still arise for Database Defendants through claims of negligence, breach of contract or breach of statutory obligations.
Categories:
Author

John Pirie leads Baker & McKenzie's Litigation and Government Enforcement Group in Canada. He is a Chambers listed trial lawyer who acts for clients in complex business disputes, with significant experience in cross-border litigation and arbitration. Widely recognized as a leading trial, arbitration and appellate lawyer, John has a long record of success acting for both foreign and domestic parties. John has acted for multinational corporations, banks, a securities regulator, a stock exchange, investors and a range of professionals. John has recently been engaged to act for an Ontario Superior Court Judge.

Author

David Gadsden represents global clients in complex commercial disputes. He is the Chair of Baker McKenzie's Canadian Class Actions Group and is known for his sound advice on commercial class actions, competition and antitrust matters, arbitration, fraud cases and product liability matters. Clients value David's pragmatic and determined approach to disputes and have described him as "absolutely terrific at bringing across the finish line the most complex and multidimensional issues". David has been recognized by Benchmark Litigation, Legal 500, Best Lawyers Canada, and Lexpert’s annual Guide to the Leading US/Canada Cross-border Litigation Lawyers. He has previously been recognized by Lexpert as a Rising Star. As Chair of Baker McKenzie's Canadian Class Actions Group, David draws on his extensive class action experience, having acted as counsel for defendants and plaintiffs in numerous national and global class action lawsuits involving allegations of anti-competitive conduct, professional service negligence, product liability and securities fraud. David's practice also comprises international and domestic business disputes of all manner, including competition and antitrust litigation, commercial arbitration, business tort and trade secrets claims and product liability matters. David also has deep experience in fraud and financial crime matters. He is trusted counsel on multijurisdictional fraud investigations, including related civil disputes and regulatory proceedings. David has appeared as counsel at all levels of court in Ontario and in international and domestic arbitrations. He has completed the Osgoode Intensive Trial Advocacy Program, as well as the Intensive Advocacy Training Program conducted by the National Institute of Trial Advocacy. David has also lectured in the Osgoode Hall Graduate (LL.M.) Programme.

Author

Brendan O'Grady is a senior associate with Baker McKenzie's North America Litigation & Government Enforcement Practice Group in Toronto. He advises on commercial litigation and arbitration proceedings.

Related Posts