Failure to prevent a data breach not equal to invasion of privacy: Ontario Court of Appeal shuts the door on “intrusion upon seclusion” tort

December 2, 2022 | Kate Genest, David Krebs, Amanda Cutinha

The Ontario Court of Appeal has released a new trilogy of cases regarding the privacy tort “intrusion upon seclusion.” Specifically, whether the privacy tort is available as against commercial entities collecting and storing clients’ personal information, where there was a breach of security by third-party malicious actors as a result of inadequate safeguards. The Court referred to these commercial entities as “Database Defendants.”

The three cases are:

  • Owsianik v Equifax Canada Co;[1]
  • Obodo v Trans Union of Canada, Inc;[2] and
  • Winder v Marriott International, Inc.[3]

Background

The tort of intrusion upon seclusion was first recognized by the Ontario Court of Appeal ten years ago in Jones v Tsige.[4] Some other Canadian jurisdictions have enacted specific legislation adopting the tort of invasion of privacy, which covers, among other things, intrusion upon seclusion.[5]

In Jones v Tsige, Sandra Jones and Winnie Tsige both worked at the Bank of Montreal. Tsige became involved with Jones’ ex-husband, and used her workplace computer to access Jones’ personal account information at least 174 times. Jones learned of Tsige’s misconduct and sued for invasion of privacy and breach of fiduciary duty, seeking damages of $20,000.

The Court found Tsige liable, establishing the new tort of intrusion upon seclusion. Describing the harm, the Ontario Court of Appeal stated that:

“One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.”[6]

In order for intrusion upon seclusion to be found:

  • the defendant’s conduct must be intentional or reckless;
  • the defendant must have invaded, without lawful justification, the plaintiff’s private affairs; and
  • a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

Notably, the Court found that an absence of a financial harm does not prevent the recovery of damages.

The application to organizations in control of personal information

Given the absence of a private right of action in existing federal privacy law, individuals harmed by privacy breaches have brought actions against these corporations, asserting the tort of intrusion upon seclusion as a cause of action.

In the class action context, for an action to be certified, the pleadings must disclose a reasonable cause of action.[7] Accordingly, courts have had to determine whether the application of this tort to organizations collecting and storing personal information is valid. The Ontario Court of Appeal set out to clarify this inquiry, hearing three appeals in the class actions context related to whether the tort of intrusion upon seclusion is a viable claim against these organizations, as described below.

Owsianik v Equifax, 2022 ONCA 813

Owsianik, on behalf of the identified class, brought a class action against Equifax, alleging intrusion upon seclusion. For six weeks in 2017, threat actors (i.e. “hackers”) gained unauthorized access to customers’ personal information stored by Equifax, including social insurance numbers, names, dates of birth, addresses, driver’s licence numbers, credit card numbers, email addresses, and passwords. The data breach affected people all around the world, including approximately 20,000 Canadians.. The representative plaintiff, Owisianik, was among the impacted Canadians and brought a claim alleging that Equifax’s cybersecurity and data protection measures were inadequate, leading to the breach.

Owsianik was initially successful in certifying an intrusion upon seclusion claim as part of a class proceeding. However, the majority of the Divisional Court reversed this finding and held that the tort had no application to a Database Defendant when the private information was accessed by a third-party hacker acting independently of the Database Defendant.

Obodo v Trans Union of Canada Inc, 2022 ONCA 814

Obodo, on behalf of the identified class, brought a class action against Trans Union, alleging intrusion upon seclusion. Over a two-week period in  2019, hackers, using credentials stolen from a Trans Union customer, accessed the database through a customer portal. Within three months, Trans Union notified the affected parties that their information had been improperly accessed by hackers. Trans Union offered certain compensation to affected parties. The improperly accessed information included information pertaining to about 37,000 Canadians. Those individuals made up the proposed class.

Mr. Obodo’s motion for an order certifying an intrusion upon seclusion claim against Trans Union was unsuccessful. The motion judge did, however, certify other common issues.

Winder v Marriott International Inc, 2022 ONCA 815

Winder, on behalf of the identified class, brought a pretrial motion under r. 21.01(1)(a) of the Rules of Civil Procedure, for a determination of a question of law. Winder asked the court to determine whether he had pleaded a legally viable cause of action for intrusion upon seclusion against Marriott and the related defendants. His claim arose after Marriott disclosed that information provided to Marriott by customers had been accessed by unknown, unauthorized persons who had hacked into the reservation database of Marriott’s Starwood Hotels.

Winder advanced claims for negligence, breach of contract, and breach of various statutory provisions. He also alleged that Marriott was liable for the intentional tort of intrusion upon seclusion. Winder’s claim alleged, among other things, that Marriott had failed to take adequate steps to protect the private information provided to it by Mr. Winder (and others) from being accessed and/or used by third-party hackers. The motion judge held that the claim as pleaded did not disclose a viable cause of action against Marriott for intrusion upon seclusion. The other claims made against Marriott were not in issue on the motion.

Finding

The Court dismissed all three of the appeals. The Court ultimately held that while data controllers can be sued in negligence, contract or breach of statutory obligations to protect personal information, they cannot be sued for the tort of inclusions upon seclusion.

In particular, the Court found that intrusion upon seclusion is an intentional tort. The defendants lacked intention in that they did not do anything that could constitute an act of intrusion or invasion into the privacy of the plaintiffs. The intrusions alleged were committed by unknown third-party hackers, acting independently from, and to the detriment of, the interests of the defendant organizations.

The Court stated the failure to take adequate steps to protect personal information and consequently, the plaintiffs from the intrusion upon their privacy by third parties, may attract liability in negligence, contract and under various statutes. The organizations’ failure to meet their common law duty of care, or their contractual and statutory responsibilities under privacy or data protection law, to the plaintiffs to properly store the data, cannot, however, be transformed by the actions of independent third-party intruders into an invasion by defendant organizations of the plaintiffs’ privacy.

Takeaway

The Court made clear that organizations that are personal information controllers cannot be found liable under the tort of intrusion upon seclusion for breaches conducted by independent, third-party malicious actors, limiting the causes of action available to plaintiffs.

Nevertheless, organizations can be found liable under non-privacy torts, such as negligence or breach of contract. Moreover, reform to privacy legislation may raise a private right of action for individuals impacted by contravention of the legislation by commercial entities as demonstrated through Quebec’s Bill 64, discussed in our previous article.

To better understand your obligations in the event of a data breach and avoid liability, our Cybersecurity and Commercial Litigation groups can help.

[1] 2022 ONCA 813

[2] 2022 ONCA 814

[3] 2022 ONCA 815.

[4] 2012 ONCA 32

[5] See Privacy Act, RSBC 1996 c 373; Privacy Act, RSM 1987, c P125; Privacy Act, RSN 1990 c P-22; Privacy Act, RSS 1978, c P-24.

[6] 2012 ONCA 32 at para 19.

[7] Class Proceedings Act, 1992, SO 1992 c 5, s 5(1)(a).

Disclaimer

This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.