The Ontario Court of Appeal recently released three decisions refusing to certify three class actions dealing with the tort of intrusion upon seclusion. The three decisions are as follows:
The reason the decisions are important is that the Court of Appeal held that Database Defendants (those who collect and store personal information) cannot be held liable under the tort of intrusion upon seclusion when the information is accessed illegally or stolen. The basis for the claims was that the Database Defendants had failed to take “adequate steps to protect that information” which allowed the access and use of the information.
As the Court of Appeal noted,
In Jones v. Tsige, 2012 ONCA 32, 108 O.R. (3d) 241, this court recognized the tort of intrusion upon seclusion. In that case, the defendant repeatedly accessed the private banking records of the plaintiff, the former wife of the defendant’s common-law partner, without lawful justification. Sharpe J.A., for the court, held that an intentional or reckless invasion of the private affairs of another, without lawful justification, in circumstances in which a reasonable person would regard the invasion as highly offensive and causing distress, humiliation or anguish, was actionable without proof of any pecuniary loss.
However, what distinguishes the three appeals is that, unlike in Jones, it was argued that there was no deliberate act by the Database Defendants.
The Database Defendants used the analogy that, just as a storage facility does not become a thief when a third party enters or steals from a storage unit, the Database Defendants “did not invade the privacy of the persons whose information was stolen”.
The three appeals were dismissed. It was held that
the defendants did not do anything that could constitute an act of intrusion or invasion into the privacy of the plaintiffs. The intrusions alleged were committed by unknown third-party hackers, acting independently from, and to the detriment of, the interests of the Database Defendants. There are no facts pleaded which could in law provide a basis upon which the actions of the hackers could be attributed to the Database Defendants. There are no material facts pled which indicate that the Database Defendants acted in consort with, or were vicariously liable for, the hackers’ conduct. The identity of the hackers is unknown.
It was noted that the Database Defendants may be liable in negligence, in contract or under statute for their failure to protect the privacy interests of their customers. However, that failure does not support a claim of intrusion upon seclusion.
It was concluded that, based on the pleadings, the interference with the customers’ data occurred when the personal information was hacked. However, until the hacking occurred, there was no breach of the privacy rights and therefore no intrusion.
The Court of Appeal refused to expand the tort of intrusion upon seclusion. However, it is likely that the decisions will be appealed to the Supreme Court of Canada.
Therefore, at present, the remedies open to plaintiffs who are victims of these types of cyber attacks will again be in contract, in negligence or pursuant to statute.
However, how will this interact with Bill C-27 (An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts), which recently completed its second reading?
Only time will tell. Stay tuned!