Failing to prevent a cyber attack is not intrusion upon seclusion

In a decision that significantly alters the existing dynamics for privacy class actions in Ontario, the Divisional Court has held in Owsianik v. Equifax Canada Co. that gatherers and custodians of personal data cannot be liable for intrusion upon seclusion when third parties steal or access that data.

Cybercrime is a top security issue, and organizations need to focus on bolstering their defences against cyber attacks. In recent years, organizations that were victims of high-profile cyber attacks frequently faced privacy class actions, regardless of whether the impact on privacy was meaningful and whether people suffered harm. The Owsianik decision has the potential to curtail the number of privacy class actions brought where there is no loss of privacy and no harm.

Background

The number of privacy class actions commenced in Canada has increased over the last few years. In Ontario, approximately one in six new class actions alleges breaches of privacy rights.

Most of these claims have been brought under the tort of intrusion upon seclusion, first recognized by the Court of Appeal in Jones v. Tsige. In Jones v. Tsige, Sharpe JA, writing for the Court, held that in order to succeed under the new tort, a plaintiff must prove that:

  • the defendant’s conduct was intentional or reckless;
  • the defendant invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
  • a reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish.

If these requirements are met, a court may award symbolic damages of a modest amount, up to $20,000.

The Jones v. Tsige case was not a class action. It was an individual action, in which the plaintiff sued an employee at a bank where the plaintiff was a customer. The defendant was in a relationship with the plaintiff’s ex-husband and used her position to “snoop” into the plaintiff’s financial records. The plaintiff did not sue the financial institution that held her personal information. Instead, the plaintiff only sued the specific individual who had deliberately invaded her privacy.

Prior to Jones v. Tsige, it is unlikely that the plaintiff would have had a common law remedy against the defendant, because she had suffered no pecuniary losses and presumably failed to meet the threshold that applies in negligence to mental injury claims. That threshold, confirmed by the Supreme Court of Canada in Saadati v Moorhead, requires a plaintiff seeking damages for mental injury to prove that they have suffered a disturbance that is serious and prolonged and rises above the ordinary annoyances, anxieties and fears that come with living in civil society.

The decision in Jones v. Tsige represented a sea change in the law of privacy in Ontario and, eventually, several other common law jurisdictions. It opened the door to claims for non-pecuniary damages in cases that fell short of involving serious and prolonged injuries. The Court made it clear that proof of harm to a recognized economic interest is not an element of the cause of action, and that the symbolic damages available for intrusion upon seclusion are not intended to compensate plaintiffs for damages they actually suffered.

At the same time, the Court of Appeal made it clear that it did not intend to “open the floodgates” and that a claim for intrusion upon seclusion would arise only for deliberate and significant invasions of personal privacy.

Plaintiff-side class action lawyers eagerly adopted the tort of intrusion upon seclusion. It was attractive because, like waiver of tort before it, it offered the prospect of recovery without proving individual pecuniary losses. A wave of class actions alleging intrusion upon seclusion followed. Many of these cases were fundamentally different from Jones v. Tsige, because the plaintiffs sued defendants who were not alleged to have invaded the class members’ privacy, but rather to have failed to prevent others from doing so. In particular, a number of cases were brought against companies that were gatherers and custodians of personal information and were themselves the victims of cyber crimes, such as ransomware attacks.

The decision

The plaintiff in Owsianik alleged that her personal information was compromised when the defendant was affected by a cyber attack, and that the defendant’s cybersecurity measures were inadequate to the point of constituting “reckless” conduct.

The judge who heard the certification motion held that this pleading was sufficient to meet the low certification requirement imposed by section 5(1)(a) of the Class Proceedings Act, 2002. That section requires the plaintiff to show that it is not “plain and obvious” that the claim cannot succeed, assuming that the plaintiff will be able to prove the facts pleaded. The certification judge certified claims in negligence and for intrusion upon seclusion.

The judge’s decision was consistent with most other certification decisions in cyber attack cases, in which other judges commented that while a claim for intrusion upon seclusion against a custodian of personal information seemed “far fetched,” such a claim was not necessarily doomed to fail.

The majority of the Divisional Court overturned the certification judge’s decision, to the extent that it certified the claim for intrusion upon seclusion. Specifically, the majority held that:

The tort of intrusion upon seclusion was defined authoritatively only nine years ago. It has nothing to do with a database defendant. It need not even involve databases. It has to do with humiliation and emotional harm suffered by a personal intrusion into private affairs, for which there is no other remedy because the loss cannot be readily quantified in monetary terms. I agree that Sharpe J.A.’s definition of the tort is not necessarily the last word, but to extend liability to a person who does not intrude, but who fails to prevent the intrusion of another, in the face of Sharpe J.A.’s advertence to the danger of opening the floodgates, would, in my view, be more than an incremental change in the common law.

The majority went on to note that there was no allegation that the defendant had intruded upon the plaintiff’s privacy, and that this was the central element of the tort:

The intrusion need not be intentional; it can be reckless. But it still has to be an intrusion. It is the intrusion that has to be intentional or reckless and the intrusion that has to be highly offensive. Otherwise the tort assigns liability for a completely different category of conduct, a category that is adequately controlled by the tort of negligence.

While the majority allowed the claim to proceed in negligence, its decision to strike the intrusion upon seclusion claim was extremely significant because, as noted above, a person alleging negligence must prove actual damages and cannot claim the “symbolic damages” available for intrusion upon seclusion. Moreover, to obtain damages for mental injury, claimants in negligence must prove a serious and prolonged harm that transcends ordinary emotional upset or distress.

It is worth noting that the decision includes a strong dissent, with reasons that are considerably longer than those of the majority. The plaintiff has indicated an intention to seek leave to appeal to the Ontario Court of Appeal.

Takeaways

Key points to know about this decision are:

  • It significantly clarifies the law on intrusion upon seclusion in Ontario. The majority has held that a defendant that gathered or held personal information that cyber criminals or other third parties wrongfully accessed cannot be liable for intrusion upon seclusion. While those affected by the privacy breach can still sue information gatherers and custodians in negligence or for breach of contract, they generally will have to prove either pecuniary losses or a serious and prolonged disturbance in order to recover damages.
  • It brings the law of Ontario more in line with that of Québec. Québec courts have held that victims of privacy breaches must prove actual damages.1
  • It is arguably part of a larger judicial trend to push back against class actions in which class members cannot prove they suffered direct and foreseeable damages. The Supreme Court of Canada’s decisions in Atlantic Lottery Corp. Inc. v. Babstock (which held that waiver of tort is not a cause of action under Canadian law) and 1688782 Ontario Inc. v. Maple Leaf Foods Inc. (which struck a claim for pure economic loss in a class action) could be viewed as part of this same trend. For further detail on Atlantic Lottery, watch a presentation from BLG’s latest Class Actions Seminar (starting at 1:14:12).
  • It will not be the last word on intrusion upon seclusion. There is little doubt that the Ontario Court of Appeal (and perhaps the Supreme Court of Canada) will at some point rule on whether or not the tort of intrusion upon seclusion can apply when a plaintiff sues a party for having allegedly permitted a breach of privacy, rather than having committed it. If the Court of Appeal grants leave, it may decide the issue in Owsianik.

1 For a detailed discussion of the divergence in available remedies for privacy breaches under the law of Ontario and Québec, see Anne Merminod, Karine Chênevert and Markus Kremer, “Two solitudes of privacy: privacy class actions in Quebec and the rest of Canada,” in Barreau du Québec, Service de la formation continue, Colloque national sur l’action collective Développements récents au Québec, au Canada et aux États-Unis, vol 480, Montréal (QC), Éditions Yvon Blais, 2020, 67. The BLG article “A first in Canada: Class action over loss of personal information dismissed on the merits” is also relevant to this case.
