Failure To Prevent A Data Breach Not An Invasion Of Privacy: Ontario Court Of Appeal Releases Landmark Privacy Class Action Decision - Privacy Protection

In recent years, organizations that have been the victims of cyberattacks have frequently been named as defendants in privacy class actions. In many of these cases, plaintiffs have attempted to avoid the need to establish that they and other putative class members suffered actual loss or harm as a result of the incident by advancing claims under the common law tort of intrusion upon seclusion: an intentional privacy tort that is actionable in relation to deliberate intrusions into private affairs and that allows for compensation without proof of loss. Plaintiffs have argued that the intrusion tort applies not only to the perpetrators of the cyberattack but also to the targeted organization (often referred to as a “Database Defendant”) on the basis that the organization failed to take adequate steps to protect the information they had collected and stored from unauthorized access.

On November 25, 2022, the Ontario Court of Appeal released its precedent-setting decision in Owsianik v. Equifax Canada Co. ¹ alongside two companion decisions. ² In this trio of cases, the Court of Appeal upheld the Divisional Court's ruling in Owsianik ³ that the intrusion upon seclusion tort is not actionable based on an alleged failure to prevent an intrusion by an independent third party and thus this cause of action will generally not be available as against Database Defendants. This trilogy of decisions represents the first occasion on which a Canadian court of appeal has considered the scope of the intrusion tort since this cause of action was first recognized by the Ontario Court of Appeal in 2012 and will have significant implications for privacy class actions throughout Canada.

History of the Intrusion Upon Seclusion Tort

The tort of intrusion upon seclusion was recognized by the Ontario Court of Appeal in Jones v. Tsige. ⁴ The facts of the Jones case were straightforward. The defendant and plaintiff both worked at, and held bank accounts at, different branches of the same bank. After the defendant entered into a romantic relationship with the plaintiff's ex-husband, she deliberately misused her position at the bank to obtain unauthorized access to the plaintiff's bank account information at least 174 times over a four-year period. Despite the deliberate and prolonged nature of the defendant's intrusive conduct, there was no remedy available to the plaintiff under Ontario law at the time.

It was in this context that the Court of Appeal recognized the tort of intrusion upon seclusion: a narrow and limited intentional tort intended to provide a remedy to individuals in cases where a defendant had deliberately and significantly intruded upon a plaintiff's private affairs. More specifically, the intrusion tort recognized in Jones requires that each of the following constituent elements be pleaded and proven:

1. Conduct Requirement: the defendant must have invaded or intruded upon the plaintiff's private affairs or concerns without lawful justification;

2. State of Mind Requirement: the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly; and

3. Consequence Requirement: a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish. ⁵

Proof of loss is not a requirement for damages to be awarded under the intrusion tort. Where liability can be established, a plaintiff will be awarded “moral” damages without proof of loss to vindicate the plaintiff's infringed privacy rights and to recognize the intentional harm caused by the defendant. ⁶

Owsianik and the Court of Appeal Trilogy

The Owsianik case arose from a 2017 privacy incident in which hackers gained unauthorized access to personal information that had been collected and stored by Equifax. The plaintiff alleged, among other things, that Equifax had committed the tort of intrusion upon seclusion by failing to prevent the hackers from gaining access to this information. The motion judge certified the plaintiff's intrusion claim on the basis that the scope of this tort remained unsettled and that the issue needed to proceed to trial to be decided on a full evidentiary record. A majority of the Divisional Court reversed, finding that this cause of action did not apply to Database Defendants and that the plaintiff's proposed reformulation of the tort could not be characterized as a modest and incremental evolution from existing legal principles. The dissenting judge would have dismissed the appeal and allowed plaintiff's intrusion claim to proceed to trial for adjudication on its merits.

The Court of Appeal dismissed the plaintiff's appeal and affirmed that the need to establish that the defendant committed an intrusive or invasive act is a fundamental and indispensable component of the intrusion tort, which cannot be made out based on an alleged failure to prevent a third party's intrusion into the plaintiff's private affairs. ⁷ The Court held that to award “moral damages” against Database Defendants for what is essentially an allegation of negligence or breach of contract would run contrary to the very purposes underlying such damages, namely: to vindicate the rights infringed and to recognize the intentional harm caused by the defendant. ⁸ Further, unlike in Jones, individuals whose information is compromised in a data breach are not left without a remedy; other causes of action, such as negligence and breach of contract, may be available to those who are able to prove that they suffered actual pecuniary loss as a result of a data breach. ⁹

In striking out the plaintiff's intrusion claim, the Court of Appeal relied on the Supreme Court of Canada's decision in Atlantic Lottery Corp Inc v Babstock, ¹⁰ which demonstrated how the plain and obvious test is to be applied in the context of supposedly novel claims. In applying Babstock, the Court identified four factors that offered “strong justification” for deciding the legal viability of the plaintiff's intrusion claim at the pleadings stage:

1. the question fell to be answered on the facts as pleaded and there was no chance that any evidence led at trial would impact the answer to the legal question posed;

2. there was no unfairness to either party in deciding the merits of the legal question on the pleadings motion;

3. the issue was fully briefed and argued; and

4. the institutional considerations articulated in Babstock favoured deciding the legal question on the merits. ¹¹

Comments and Implications

Owsianik and its companion cases represent a significant development in Canadian privacy law and will have immediate implications for privacy class actions across Canada. By affirming the elements of the intrusion tort recognized in Jones, the Court of Appeal has reinforced the narrow and limited scope of this intention tort, the primary focus of which is to punish wrongdoers and to deter others from intentionally intruding into the private affairs of others.

The Owsianik decision also builds upon Babstock and provides useful guidance regarding the application of the plain and obvious test in the context of supposedly novel claims.

Footnotes

1. 2022 ONCA 813 [Owsianik].

2. Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814; Winder v. Marriott International, Inc., 2022 ONCA 815.

3. 2021 ONSC 4112.

4. 2012 ONCA 32 [Jones].

5. Owsianik at para. 54; Jones at paras. 70-71.

6. Jones at para. 87; see also: Owsianik at para. 77.

7. Owsianik at para. 57.

8. Owsianik at para. 77.

9. Owsianik at paras. 75-79.

10. 2020 SCC 19 [Babstock].

11. Owsianik at para. 50.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.