Introduction

On November 25, 2022 the Ontario Court of Appeal released three decisions clarifying the scope of the common law tort for invasion of privacy called “intrusion upon seclusion”. These cases are Owsianik v Equifax Canada Co., Obodo v Trans Union of Canada, Inc. and Winder v Marriott International, Inc.  

The issue before the Court was “whether a claim for intrusion upon seclusion can succeed against the collectors and custodians of private information (“Database Defendants”) where they are alleged to have acted recklessly in the storage of that information such that the information was improperly accessed by a third-party”. In short, the answer is no.

Background on the tort of intrusion upon seclusion

The tort of intrusion upon seclusion was first introduced in Ontario by the Court of Appeal’s decision in Jones v Tsige. In that case, the Court found Tsige liable for accessing, without authorization, the personal banking records of her common-law partner’s ex-wife almost 200 times.

Three elements must be present in order to establish the tort of intrusion upon seclusion:

  1. Intentional or reckless conduct by the defendant;
  2. Invasion, “without lawful justification”, by the defendant into “the plaintiff’s private affairs or concerns”; and
  3. “That a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish”.

In addition to the above, “a claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy”.

The recent Ontario Court of Appeal decisions

Inall three cases, third-party hackers entered the defendants’ computer servers/databases and accessed the personal information of the defendants’ customers. Class actions were proposed, including allegations that the defendants intruded upon the seclusion of class members by recklessly maintaining insufficient data protection protocols.

The Court held that the Database Defendants’ failure to take appropriate data protection measures “is actionable in different ways, but does not support a claim of intrusion upon seclusion”. In reaching this conclusion, the Court emphasized the high degree of intention or recklessness required under the first element of the tort. The tort “requires an act by the defendant which amounts to a deliberate intrusion upon, or invasion into, the plaintiffs’ privacy”.

A deliberate intrusion was present in Jones v Tsige where the defendant “admitted that she had, without lawful excuse, taken advantage of her employment to look at the plaintiff’s banking records and related information”.

By contrast, the Database Defendants in the present cases did not directly interfere in the plaintiffs’ privacy interests. They were allegedly negligent in the storage of customer information, or reckless as to the consequences of negligent storage. However, the Court found this fell short of a deliberate invasion, and so the Database Defendants cannot be liable for intrusion upon seclusion.

Takeaways  

  • Database Defendants failing to take sufficient data protection measures to safeguard customers’ personal information from hackers are unlikely to be liable for intrusion upon seclusion so long as the third-party hackers are acting independently.
  • The tort of intrusion upon seclusion is an intentional tort that requires conduct, either intentional or reckless, that amounts to a deliberate invasion of privacy.
  • Liability may still arise for Database Defendants through claims of negligence, breach of contract or breach of statutory obligations.
Author

John Pirie leads Baker & McKenzie's Litigation and Government Enforcement Group in Canada. He is a Chambers listed trial lawyer who acts for clients in complex business disputes, with significant experience in cross-border litigation and arbitration. Widely recognized as a leading trial, arbitration and appellate lawyer, John has a long record of success acting for both foreign and domestic parties. John has acted for multinational corporations, banks, a securities regulator, a stock exchange, investors and a range of professionals. John has recently been engaged to act for an Ontario Superior Court Judge.

Author

David Gadsden practices mainly in complex commercial litigation in Baker & McKenzie's Toronto office. He is known for his sound advice on commercial class actions, securities litigation and product liability matters. He also represents clients on business crime investigations and fraud recovery. David was recently honored by Lexpert magazine as a 2014 Rising Star, recognizing him as one of Canada's leading lawyers under 40. He has also been named as a "Litigator to Watch" in Lexpert's annual Guide to the Leading US/Canada Cross-border Litigation Lawyers in Canada and has been ranked in Legal 500 for dispute resolution.

Author

Brendan O'Grady is a senior associate with Baker McKenzie's North America Litigation & Government Enforcement Practice Group in Toronto. He advises on commercial litigation and arbitration proceedings.