In Broutzas v. RVHS, 2023 ONSC 540, the Divisional Court upheld the refusal to certify two proposed class actions arising from rogue hospital employees selling the contact information of new parents to salespersons of Registered Education Saving Plans (RESPs). The decision confirms that personal information such as contact information is not necessarily private information sufficient to establish the tort of inclusion upon seclusion, and that not all unauthorized disclosure of information from a hospital system is necessary highly offensive for the purpose of this new tort. This important decision confirms the narrow scope of the intrusion upon seclusion tort.
Background
Jones v. Tsige, 2012 ONCA 32, the decision in which the Court of Appeal recognized the tort of intrusion upon seclusion, involved an individual action in which the plaintiff bank customer sued an employee at the bank who had snooped into her banking records 174 times in four years.
The Court of Appeal held that, to establish an intrusion upon seclusion, the defendant must have intentionally or recklessly, and without lawful justification, intruded into the private affairs or concerns of the plaintiff, such that a reasonable person would regard the intrusion as highly offensive, causing distress, humiliation, or anguish. In creating this tort, the Court of Appeal made it clear that it did not intend to “open the floodgates” to claims that are not significant invasions of highly personal information.
The facts in Broutzas
In separate incidents, three hospital employees accessed the names and contact information of patients who had recently given birth at two hospitals. The employees then sold the contact information to RESP salespersons. Importantly, these rogue employees did not access patients’ medical charts or disclose sensitive medical information. In the process of stealing contact information, the rogue employees incidentally viewed other limited information, which, depending on the case, included information such as: the newborn’s name, gender, and date of birth; the mother’s date of birth, health card or hospital patient number, date of admission to the hospital, and the name of the treating physician.
The hospitals reported the incidents to the police, the Ontario Securities Commission, the Information and Privacy Commissioner of Ontario, to the relevant health regulatory college. The hospitals were unable to identify who was specifically affected by these incidents so they chose to notify thousands of potentially targeted patients. The rogue employees and RESP salespersons lost their jobs and were subject of criminal or disciplinary proceedings. Both the Ontario and Federal Privacy Commissioners investigated and issued decisions in relation to these matters.
Two class actions were commenced against the hospitals, the rogue employees, the RESP companies and the RESP salespersons involved in purchasing patient contact information.
The certification decision
The certification motions were heard together. Justice Perell accepted that contact information, which the rogue employees were looking for, does not qualify as objectively private information. Rather, this type of information is routinely and readily disclosed in order to confirm one’s identification, age, or place of residence. Moreover, all of the proposed representative plaintiffs had, in various ways, provided consent to being contacted by RESP representatives before any of the alleged intrusions occurred, and had announced the news of their pregnancies and the births of their children to family, friends, and colleagues – sometimes to thousands of friends on social media profiles open to the public.
The motions judge also concluded that a reasonable person would not regard the disclosure of this type of information as highly offensive and capable of causing distress, humiliation or anguish. As a result, the motions judge held that the claim for intrusion upon seclusion could not be certified because there was no basis in fact to establish that it raised common issues that actually existed and could be answered in common across the class.
The Divisional Court’s decision
On appeal, the Divisional Court agreed with the motion judge’s conclusion that, in the context of this case, the information at issue was not private and that the action of the rogue employees did not amount to a significant intrusion that a reasonable person would regard as highly offensive so as to cause distress, humiliation or anguish, and was therefore not sufficient to establish the tort of intrusion upon seclusion as described by the Court of Appeal in Jones v. Tsige. The Divisional Court clarified that annoyance, aggravation, or indignation is not enough to meet the threshold of this tort.
The Divisional Court reaffirmed the conclusions it reached in the Stewart v. Demme case:
- the threshold of this tort is met where the privacy intrusion is very serious and not every privacy intrusion will suffice, and
- even if the information at issue falls within the realm of health information, the threshold will not likely be met where the intrusion was fleeting, the information accessed not particularly sensitive, the information was otherwise available and the intrusion had no discernable effect.
Takeaways
- This decision clarifies the law on intrusion upon seclusion in Ontario. Only deliberate and significant invasions of highly personal information that a reasonable person would regard as highly offensive, such as to cause distress, humiliation or anguish are captured by the tort. Not all privacy breaches and not all privacy breaches in the realm of personal health information are serious enough to meet the high threshold of this tort.
- It is part of a broader trend of recent appellate decisions that are favourable to defendants in privacy class actions that reject attempts to broaden the scope of this tort and instead reaffirm its narrow and tight parameters as originally established by the Court of Appeal in Jones v Tsige.
- It confirms that the elements of the tort of intrusion upon seclusion and the remedies that it provides are distinct from the statutory causes of action enacted in privacy legislation such as PIPEDA and PHIPA.
For more information on the decision, please reach out to any of the key contacts listed below.