In today's information economy, organizations are increasingly engaged in the collection and use of individuals' personal information. This data is subject to a range of cyber risks, from third party hacking to simple human error. Over the past decade, some of the world's largest corporations have suffered data breaches or other lapses in data management.
While the potential for reputational harm arising from improper disclosure of personal information is clear, the applicable law and possible monetary exposure to a corporate entity is often less so.
Understanding recent developments in Canadian privacy torts, intrusion upon seclusion and public disclosure of private facts, is an important step towards assessing and mitigating exposure arising from litigation framed in privacy.
Intrusion Upon Seclusion, the Introduction of a Privacy Tort in Canada
In Jones v. Tsige the Ontario Court of Appeal first recognized a tort for invasion of privacy--the tort of intrusion upon seclusion. Where one intentionally intrudes upon the seclusion or private affairs of another, the intruder will be subject to liability if the following criteria are met:
- The defendant's conduct was intentional or reckless;
- Resulted in an invasion, without lawful justification, of the plaintiff's private affairs or concerns; and,
- A reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish. 
A plaintiff can be awarded damages under the tort regardless of whether actual economic harm can be demonstrated.
In Jones v. Tsige, a bank employee, who was in a relationship with the plaintiff's former husband, viewed the plaintiff's personal banking activity without consent on more than 174 occasions for purely personal reasons. The plaintiff brought an action against the employee personally and excluded the bank. The Court of Appeal held that the tort of intrusion upon seclusion should be recognized in Ontario and awarded damages of $10,000. In dicta, the Court referred to Manitoba case law suggesting that "given the intangible nature of the interest protected" the range of damages in cases premised in intrusion upon seclusion shouldnormally not exceed $20,000.
Public Disclosure of Private Facts, a Second Canadian Privacy Tort
In Jane Doe 464533 v. N.D., the Ontario Superior Court was confronted with a particularly egregious violation of privacy colloquially referred to as "revenge porn". In Jane Doe, the plaintiff brought an action against her ex-boyfriend after he posted a sexually explicit video of her on the internet without her consent.
In its analysis, the Court discussed common law privacy torts in existence in the United States. Justice Stinson held that while the facts of the case could be captured within the tort of intrusion upon seclusion, the tort of public disclosure of private facts was more applicable. The elements of this tort are outlined by the Court as follows:
- The facts arise from the publication or publicity of a matter concerning the private life of another;
- It would be highly offensive to a reasonable person; and,
- It is not a legitimate concern to the public.
This newly introduced tort can be seen as an intersect between defamation, slander in particular, and privacy law.
In Jones v. Tsige, the Court of Appeal cautioned that damages in privacy cases involving the tort of intrusion upon seclusion should remain relatively modest. In its decision, the Court referred to Manitoba case law suggesting that "given the intangible nature of the interest protected" the range of damages in cases premised in intrusion upon seclusion shouldnormally not exceed $20,000.
Notwithstanding the Court's direction in Jones, there are situations in which damages can rise significantly in cases involving breach of privacy.
First, recent cases have confirmed that intrusion upon seclusion claims can be eligible for class action certification. This development has the potential to exponentially increase otherwise relatively modest exposure in data breach cases.
In Condon v. Canada a class of individuals were victims of an unauthorized disclosure of their personal information by the federal Ministry of Human Resources. Personal information of 583,000 Canada Student Loan recipients was stored on a hard drive which was lost and never recovered. The Federal Court of Appeal certified the loan recipients' class action against the Ministry based on several claims, including the tort of intrusion upon seclusion. Based on cap on damages suggested in Jones, damages could theoretically exceed 1 billion dollars, although only a fraction of this figure is, in reality, likely to be awarded.
Second, where exceptional circumstances exist, damages above $20,000 can be awarded, including under the new tort of public disclosure of private facts. In Jane Doe, discussed above, the plaintiff was awarded $100,000 in general damages. It is notable that this action was brought under Ontario Simplified Procedure which caps damages at $100,000. Accordingly, the ceiling for damages that the Court could have awarded, and may award in the future, remains an open question.
Privacy torts are most often associated with the actions of individuals or government, as previously discussed in Jones, Condon, and Jane Doe. However, the Ontario Superior Court recently held that intrusion upon seclusion is equally applicable to corporate defendants who can be held vicariously liable for the acts or omissions of their employees.
In Evans v. Bank of Nova Scotia an employee of the bank provided confidential information about 643 customers to third parties in an identity theft scam. The Ontario Superior Court of Justice certified a class action based on intrusion upon seclusion against both the employee and the bank, finding the bank to be vicariously liable for its employee breaching the privacy of its customers.
Similarly, the tort of Public Disclosure of Private Facts would likely apply to corporate defendants. The specific industries most affected will be those active in social media and publishing, given that an element of the tort requires that disclosure occur by way of publication or publicity.
Implementing and maintaining adequate data privacy systems is essential for an organization to minimize the risk of a data breach and, in the event of a breach, mitigating associated liability. All businesses, and in particular those that work frequently with personal information, should ensure that adequate data governance and privacy response policy frameworks have been established and implemented.