On November 25, 2022, the Ontario Court of Appeal released a trilogy of decisions that firmly shut the door on the pleading of the tort of intrusion upon seclusion by plaintiffs advancing proposed class actions against companies that have suffered a third party data breaches.
Unless successfully appealed to the Supreme Court of Canada, these decisions -Owsianik v. Equifax Canada Co.,2022 ONCA 813("Owsianik"); Obodo v. Trans Union of Canada, Inc.,2022 ONCA 814("Obodo"); andWinder v. Marriott International, Inc.,2022 ONCA 815- raise a significant barrier to the certification of class actions in instances where criminals have accessed stored personal information of customers, but there is no evidence of resulting harm to those individuals.
In June 2022, the Ontario Court of Appeal heard the appeals in three proposed data breach class actions together:
In all three proceedings:
- The plaintiffs had pleaded the tort of intrusion upon seclusion in circumstances where third party hackers accessed and/or used the personal information of the plaintiffs and others which the defendants had collected in the course of business. The plaintiffs alleged the defendants were liable, under this tort, for failing to take adequate steps to protect the personal information from bad actors.
- The defendants argued that the intrusion upon seclusion cause of action could not be certified under s. 5(1)(a) of the OntarioClass Proceedings Act,1992 because tort only applies to defendants who actually invade or intrude upon the privacy of a plaintiff – not defendants who have failed to prevent an invasion or intrusion by a third party.
- The relevant lower court agreed with the defendants.
The Ontario Court of Appeal released its lead decision in Owsianik and dismissed all three appeals.
The Test under Section 5(1)(a)
The Court started with the test under s. 5(1)(a) of the OntarioClass Proceedings Act,1992 which requires a plaintiff to establish that his or her pleading discloses a cause of action in order to have the action certified as a class proceeding. The threshold is low; a plaintiff will meet this requirement unless it is "plain and obvious" that the cause of action cannot succeed against the defendant.
However, the recent Supreme Court of Canada decision inAtlantic Lottery v Babstock,2020 SCC 19(see our analysis ofBabstock,here) established that even in instances of novel pleadings, the Court can act to dispense with a fatally flawed cause of action. As interpreted by the Court of Appeal inOwsianik:
... when the validity of a claim turns exclusively on the resolution of a legal question, the court may on a pleadings motion, even if the answer to the legal question is complex, policy-laden and open to some debate, determine the law and apply the law as determined to the facts as pleaded to decide whether "the claim is plainly doomed to fail and should be struck.
The Court of Appeal noted that the Supreme Court inBabstockemphasized that the application of the test under s. 5(1)(a) in this manner has the advantages of increasing judicial efficiency, enhancing access to justice and promoting certainty in the law; that is, allowing a claim to proceed when "no one could say with any certainty whether the cause of action asserted in these claims existed as a matter of law" (para 48) unnecessarily consumes valuable litigation resources, when the ultimate trial Judge would be in no better position to decide the question of the law than the certification judge, years earlier. (Of course, failing to decide such questions of law at certification could also result in unfairness to defendants, which would be forced to either litigate or settle a case which could lack the necessary legal foundation to actually succeed – a consequence noted by the Court inOwsianik, at para. 49.)
Having concluded that the validity of the intrusion upon seclusion claim was properly addressed by the lower courts in the context of a pre-trial motion, the Court analyzed whether the tort of intrusion upon seclusion could apply in circumstances of a third party hack and determined it could not.
The Tort of Intrusion Upon Seclusion
In the lower Court decisions inOwsianik, both theMotions Judgeand theDivisional Courthad struck out the pleaded tort of intrusion upon seclusion in the circumstances of a third party hack, but in her dissent in the latter decision, Justice Sachs would have allowed this "new tort" to survive the pleadings analysis, because "the common law should be allowed to develop in an incremental way" (para. 51).
The debate about the limits of this tort are particularly significant in the data breach class action context. The existence of the tort of intrusion upon seclusion was first recognized by the Ontario Court of Appeal in Jonesv. Tsige,2012 ONCA 32(seeour analysisofJones). The Court determined that a plaintiff must establish three elements to establish liability:
- The defendant must have invaded or intruded upon the plaintiff's private affairs or concerns, without lawful excuse [the conduct requirement];
- The conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and
- A reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish.
The tort presented advantages to plaintiffs filing a proposed class action after a data breach, because it does not require proof of harm to establish liability for damages; that feature is attractive to plaintiffs where the intrusion by a criminal hacker is admitted by the defendant, but the plaintiff lacks any evidence that any member of their proposed class of individuals whose information was thereby accessed suffered any resulting loss or damage. If the tort is applicable to defendants who negligently fail to prevent a criminal hack, a plaintiff could therefore still ask the Court to assess and award damages on a class-wide basis.
In some instances, plaintiffs in data breach class actions have foregone the pleading of intrusion upon seclusion, given the need to establish that it could be expanded to address third party hacks: see, for example,our analysisofSetoguchi v Uber B.V.,2021 ABQB 18, where the plaintiff elected not to advance a claim for intrusion upon seclusion in such circumstances (and certification was denied on other grounds).
In these three data breach cases, however, the plaintiffs did plead intrusion upon seclusion, and in each instance the lower Court struck it out.
The Appeal Decisions
Applying the test under s 5(1)(a) to these cases, the Court concluded that it was plain and obvious that the claim for intrusion upon seclusion could not succeed on the pleaded facts, because it is the hacker's conduct in illegally accessing the stored information, not the company's alleged failure to protect it, which constitutes the "intrusion". Thus, the defendant's recklessness with respect to the consequences of some other conduct, for example the storage of the information, does not satisfy the conduct requirement of the tort of intrusion upon seclusion.
Further, the Court concluded that to extend the tort of intrusion upon seclusion to circumstances involving a third party hacker would not be an incremental development in the common law: "[t]he extension of the common law proposed in this submission would not be a small step along a well-established path, but would be a giant step in a very different direction" (para. 63). If the tort were extended as the plaintiffs advocated, a defendant would suddenly be directly liable for the intentional torts of third parties. The effect would be to "morph" negligence "into an intentional tort" (para. 71).
In conclusion, the Court of Appeal noted that refusing to extend the tort of intrusion upon seclusion to a third party hack does not leave plaintiffs whose information has been accessed in a data breach without a remedy. They can sue the hackers themselves for breach of privacy, or proceed in contract, negligence and perhaps statute against the defendant who lost the personal information to the hackers (paras. 76, 78). While the Court acknowledged it now may be more difficult to certify a class proceeding in circumstances of a third party hack, lack of access to a procedural advantage is not lack of access to a remedy and does not warrant a change to the common law. If the existing common law remedies do not adequately encourage defendants who accumulate personal information to take all reasonable steps to protect that information, it is up to Parliament or provincial legislatures to legislate more effective remedies (para 81). We note that in the federal sphere, the government is taking steps to provide new remedies for breach of privacy. Bill C-27 (now in its second reading) proposes a statutory cause of action for damages for loss or injury that the individual has suffered, but only if the Federal Privacy Commissioner or the Personal Information and Data Protection Tribunal makes a final determination that there has been a contravention of the proposedConsumer Privacy Protection Act – see our blog post, here.