The Court of Appeal for Ontario has confirmed that the tort of intrusion upon seclusion cannot be applied to companies collecting and storing personal information (Database Defendants) in the context of a cyberattack by a third-party hacker. Rather, the tort is meant to apply to those who actually invaded or intruded upon a plaintiff’s privacy by accessing that plaintiff’s private information. Moreover, Database Defendants cannot be held vicariously liable for “enabling” a hacker’s intrusion upon seclusion, absent the requisite relationship that gives rise to such liability.
The Court of Appeal’s findings in this regard were articulated in three companion decisions released earlier this month: Owsianik v. Equifax Canada Co., 2022 ONCA 813 (Owsianik), Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814 (Obodo) and Winder v. Marriott International, Inc., 2022 ONCA 815 (Winder).
The decisions dispositively curtail plaintiffs’ ability to expand the scope of liability for Database Defendants in the context of data breaches, and bring much-needed clarity and certainty to the privacy class action arena. Importantly, Database Defendants will no longer be disadvantaged in certification proceedings owing to the prospect of the tort supporting a claim for class-wide aggregate damages in the absence of proof of loss.
Background on the trilogy of cases on appeal
The Court heard three grouped appeals that arose from three separate class actions: (1) Owsianik v. Equifax Canada Co., 2021 ONSC 4112; (2) Obodo v. Trans Union of Canada, Inc., 2021 ONSC 7297; and (3) Winder v. Marriott International, Inc., 2022 ONSC 390.
Each of the class actions shared the following features:
- The case was at the certification stage.
- The defendant collected and stored personal information of others for commercial purposes and was subject to a cyberattack by third-party hackers.
- The plaintiff sought to apply the tort of intrusion upon seclusion to the defendant for allegedly failing to have adequate security measures in place to prevent the cyberattack.
- In response, the defendant argued that the intrusion upon seclusion claim should not be certified because, as pleaded, it did not disclose a cause of action as required by s. 5(1)(a) of the Class Proceedings Act (CPA).
- The lower court refused to certify the intrusion upon seclusion claim against the defendant.
The invasion or intrusion must be committed by the defendant
The Court addressed the issues and arguments common to all three appeals in the Owsianik decision, dealing with certain discrete issues in the reasons for the other two appeals. As a starting premise, the Court noted that the tort of intrusion upon seclusion, established in Jones v. Tsige, 2012 ONCA 32 (Jones) (as summarized in our prior post), involves three necessary elements:
- Conduct requirement: the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse.
- State of mind requirement: the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly.
- Consequence requirement: a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish.
The Court dismissed all three appeals on the basis that the “conduct requirement” was not met in the context of Database Defendants. On the pleaded facts, the defendants did not do anything that could constitute an act of intrusion or invasion into the plaintiffs’ privacy.
Specifically, the Court dismissed the argument that the defendants’ failure to take appropriate steps to guard against unauthorized access to sensitive information involving the class members’ private affairs or concerns constituted an “intrusion”. In each instance at issue, the intrusions were committed by independent and unknown third-party hackers. The plaintiffs did not plead any material facts indicating that the Database Defendants acted in concert with – or, as discussed in the context of the Obodo appeal, were vicariously liable for – the hackers’ conduct.
The Court reiterated that the state of mind requirement is connected to the conduct requirement. More specifically, the Court made it clear that, if the defendant did not engage in conduct that amounts to an invasion of privacy, the defendant’s recklessness related to the consequences of some other conduct (such as the storage of the information) cannot lead to the defendant being liable under the tort of intrusion upon seclusion. In other words, the defendants’ recklessness had to be pleaded in relation to the intrusion, which in this case was entirely absent.
In an effort to expand the scope of the tort, the plaintiffs also argued that the tort of intrusion upon seclusion was necessary for privacy class actions because “the remedies available in contract and negligence require proof of pecuniary loss”. In dismissing this argument, the Court held that while “the inability to claim moral damages may have a negative impact on the plaintiffs’ ability to certify the claim as a class proceeding … that procedural consequence does not constitute the absence of a remedy. Procedural advantages are not remedies.”
Based on the foregoing reasoning, the Court concluded that the plaintiffs failed to establish a cause of action as required by s. 5(1)(a) of the CPA.
No relationship to establish vicarious liability for third-party hackers
In the companion case, Obodo, the Court addressed additional arguments raised by the appellant, including the argument that the defendant “enabled and facilitated” the hackers’ intrusion upon seclusion of the class members. The appellant sought to hold the defendant vicariously liable for the hackers’ acts and omissions.
In dismissing the argument, the Court reiterated that a finding of vicarious liability would require the hacker and the defendant to have a relationship giving rise to such liability – such as the one that exists between employer and employee. On the facts, no such relationship could reasonably be said to exist, and therefore there was no basis to impose any form of vicarious liability. In so ruling, the Court alluded to the possibility of limitless liability if the concept of vicarious liability was extended to this context.
An intrusion does not occur at the time of authorized collection and storage
In the companion case, Winder, the appellant additionally argued that the defendant had invaded its customers’ privacy by collecting and storing the information in contravention of its representations and obligations, regardless of whether any third party ever actually gained access. Notably, the appellant argued that the intrusion occurred at the time the information was stored, rather than when the third-party hacker accessed it.
In dismissing the argument, the Court emphasized that there were no allegations that the defendant had accumulated, stored or used its customers’ personal information for any purpose other than the purposes reasonably contemplated by the customers. Accordingly, until the hackers acted, there could be no intrusion or breach of the customers’ privacy.
Keeping the floodgates closed and the boundaries of liability clear
The Court boiled down the appellants’ arguments to the same core allegation each time – the appellants were trying to frame the Database Defendants as the intruders for allegedly failing to have adequate security measures in place to prevent the cyberattack. Ultimately, the Court found that this was not the proper interpretation of the tort as set out in Jones.
The Court was clear that it did not want to create a new and potentially very broad basis for a finding of liability for intentional torts, nor did it want to obscure the boundaries between a defendant’s liability for the tortious conduct of third parties and the defendant’s direct liability for its own failure to properly secure the plaintiffs’ information. The Court emphasized that the plaintiffs were not without a remedy, insofar as they could pursue remedies against the defendants in a claim based on breach of contract, negligence or breach of a statute. In this regard, the Court also noted that the difficulties inherent in advancing such claims on a class-wide basis did not mean that remedies were unavailable.
On the basis of the Court of Appeal’s findings, it is clear that Database Defendants subject to a cyberattack by a third-party hacker should not be exposed to liability for the tort of intrusion upon seclusion, or the potentially significant moral damages associated with such a tort claim. Nevertheless, Database Defendants may still be exposed to liability for breach of a duty owed to the plaintiffs, and/or breach of contractual or statutory obligations. However, any such claims will require the plaintiffs to prove legally compensable loss.
A watchful eye should be kept on how the Ontario decisions are treated by other Canadian jurisdictions, which have already alluded to the potential precedential value of the decisions at the certification stage.