In three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by third parties.
However, while these cases should provide some reassurance that a cyberattack may not lead to liability under the tort of intrusion upon seclusion for an organization that collects personal information, cyberattacks still present a risk of liability under other common law remedies and, potentially, new statutory causes of action.
All three cases involved class actions at the certification stage. The defendants were each victims of cyberattacks committed by unknown third parties in which personal information collected from millions of people, including many Canadians, was compromised.
Each of the representative plaintiffs raised claims based on the tort of intrusion upon seclusion that was first recognized by the Court of Appeal in Jones v. Tsige. In Jones, the court held that a defendant can be liable for intrusion upon seclusion if it engaged in intentional or reckless conduct that invaded the plaintiff’s private affairs, which a reasonable person would consider to be “highly offensive causing distress, humiliation or anguish.”
Since being recognized in Ontario, claims for intrusion upon seclusion have routinely been advanced in class actions arising from large-scale data breaches, as the tort permits the recovery of “moral damages,” which do not require proof of actual, quantifiable loss as other common law remedies such as negligence do. If made out, damages for intrusion upon seclusion are assumed.
In each of these three cases, the plaintiffs argued the defendants could be liable for intrusion upon seclusion because they failed to adequately safeguard the personal information they had collected from the plaintiffs. In response, the defendants disputed the claims for failing to disclose a reasonable cause of action as required by s. 5(1)(a) of the Class Proceedings Act, 1992.
In each instance the lower court agreed with the defendants and refused to certify the intrusion upon seclusion claims.
Holdings and Reasons
The court dismissed all three appeals and refused to certify the intrusion upon seclusion claims.
In Owsianik, the court held that the defendant did not commit an act of intrusion or invasion into the plaintiff’s privacy. The intrusions were committed by unknown third parties, not by the defendant. Therefore, the first element of the tort – an intentional or reckless intrusion – could not be made out.
In Obodo, the plaintiffs argued the defendant could be vicariously liable for the intrusion committed by the unknown third party. The court rejected this argument, as vicarious liability requires a recognized relationship (for example, an employee-employer relationship) and some connection between that relationship and the alleged wrongful conduct. In this case, nothing demonstrated any relationship between the defendant and the unknown third party that could lead to a finding of vicarious liability.
In Winder, the plaintiff creatively argued that the defendants, a hotel chain and affiliated entities, committed the tort of intrusion upon seclusion when they collected and stored their customers’ personal information, rather than when the third-party hacker accessed the information through a cyberattack. The plaintiff claimed that collecting and storing the information contravened representations the defendants had made about how the information would be protected, so the invasion was complete when the defendants nevertheless took possession of the information.
The court rejected this argument, finding nothing to support the allegation that the defendants disclosed or caused personal information to be disclosed to unauthorized parties. In addition, there were no allegations that the defendants collected, used or stored personal information for any purposes other than what was contemplated by their customers (i.e., to reserve and pay for hotel rooms), so no breach of privacy rights occurred until the cyberattack occurred.
These decisions confirm that intrusion upon seclusion is a tort of commission, not omission. For a defendant to be liable, it must actually intrude upon or invade the plaintiff’s privacy. Lawfully collecting data is not an intrusion or an invasion. This limitation greatly restricts the prospect of a defendant being liable for intrusion upon seclusion due to cyberattacks by third parties.
However, these cases should not suggest that parties that collect and store information cannot be liable in the event of a cyberattack. On the contrary, as the court noted, there are other causes of action – such as breach of contract, the tort of negligence and statutory causes of action – that could result in liability for a failure to adequately protect personal information from a cyberattack.
There is also a real possibility that the scope of liability for organizations that facilitate privacy breaches on account of inadequate security safeguards, despite being victims of cyberattacks themselves, will soon expand.
In Owsianik, the court wrote that although “it may be that existing common law remedies do not adequately encourage [organizations] to take all reasonable steps to protect the private information under their control…it is certainly open to Parliament and the legislatures to expand these protections to provide for what Parliament and the legislatures might regard as more effective remedies.”
Last summer, the federal government introduced Bill C-27, which seeks to overhaul Canada’s private-sector privacy legislation and proposes significant fines for contravening the statute, as well as a new private right of action for individual victims of privacy breaches. Bill C-27 is currently in second reading in the House of Commons, but it is possible that federal privacy law reform, with substantially increased liability for violations, could be coming before the close of 2023. Our blog post on steps organizations can start taking now to comply with many of Bill C-27’s proposed changes is available here.
Overall, while limiting the scope of the intrusion upon seclusion tort to its intended purpose – intentional and highly offensive acts of intrusion committed by the defendant – is certainly beneficial for organizational victims of cyberattacks, particularly those that collect and use large amounts of personal information for their business purposes, those organizations must still remain vigilant in guarding against cyberattacks and be aware of the legal risks if they fail to do so. Such risks are still substantial and potentially increasing.
The authors would like to thank Articling Student Zack Goldford for his assistance in preparing this update.