Faced with the discovery that someone else had accessed her bank records more than 174 times, without authorisation or any lawful reason, Sandra Jones reacted by suing for invasion of privacy. The Ontario Court of Appeal responded by recognising a new common law tort for invasion of privacy: intrusion upon seclusion. This decision represents an important evolution in Canadian privacy law which will affect insurers, insureds and insurance intermediaries.
Jones was an employee and account holder of the Bank of Montreal. Winnie Tsige worked for a different branch of the same bank. Although the two women did not know one another directly, Tsige was in a common-law relationship with Jones' former husband. Over a four-year period, Tsige used her work computer to view Jones' personal banking activity on more than 174 unique occasions. Such activity was conducted without authorisation, for no valid work-related reason. When Jones discovered that Tsige had repeatedly gained access to her confidential information, she brought an action for invasion of privacy.
Although Tsige admitted to accessing her colleague's bank account, the Ontario Superior Court initially ruled that Jones' claim could not succeed because Ontario common law does not recognise a tort of invasion of privacy, and noted that privacy legislation in Canada constituted a balanced and carefully nuanced system for addressing privacy concerns.
intrusion upon seclusion
The Ontario Court of Appeal overturned the lower court's decision, ruling in favour of Jones and recognising a new common law tort: intrusion upon seclusion. The new tort is a subset of the broader category of 'invasion of privacy', which includes other recognised and potential causes of action. A central rationale for the recognition of the new cause of action was the unprecedented power to capture and store vast amounts of personal information using modern technology. Over the past century, technological changes have included the invention of near-instant photography and the proliferation of newspapers. Today, highly sensitive personal information can be accessed with relative ease, including financial and health information as well as data related to individuals' whereabouts, communications, shopping habits and more. The appeal court determined that the common law must evolve in response to the modern technological environment.
The appeal court followed the approach that has been developed in the United States, and formulated the new tort as follows:
"One who intentionally [or recklessly] intrudes, physically or otherwise, upon the seclusion of another or his [or her] private affairs or concerns, is subject to liability to the other for invasion of his [or her] privacy, if the invasion would be highly offensive to a reasonable person."
It is significant that this test includes an objective standard such that the invasion of privacy must be "highly offensive" to a "reasonable person". The court also acknowledged that the protection of privacy may give rise to competing claims, such as freedom of expression, which may trump privacy rights.
It is also noteworthy that the tort of intrusion upon seclusion is actionable without economic harm. However, the court indicated that an upper ceiling of C$20,000 is appropriate in cases where there is no evidence of economic harm. Punitive and aggravated damages may also be possible in egregious circumstances. The court listed the following factors in relation to assessing damages:
- the nature, incidence and occasion of the defendant's wrongful act;
- the effect of the wrong on the plaintiff's health, welfare, social, business or financial position;
- any relationship, whether domestic or otherwise, between the parties;
- any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and
- the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.
Upon consideration of these factors, Jones was awarded damages of C$10,000.
implications for insurance industry
Although this case involved no intrusion on Jones' privacy by her employer or another entity with which Jones carried on a commercial relationship, it has significant implications for insurers in Ontario and other provinces that currently have no privacy legislation applicable to certain private sector matters.
Specifically, while insurers and insurance adjusters are subject to the Personal Information Protection and Electronic Documents Act (Canada) once an insured has a commercial relationship with an insurer, no privacy law regime governs the period pre-contract, before a commercial relationship exists. Accordingly, an insurance underwriter or a broker working on a significant contract may be required to consider the tort of intrusion upon seclusion when assessing the risk.
With this decision in mind, insurers, insureds and their brokers are advised to:
- prepare and enforce reasonable, effective privacy policies, looking to legislation such as the Personal Information Protection and Electronic Documents Act as a best practice;
- review internal practices relating to background checks, particularly those checks that are not disclosed to subjects;
- assess what ongoing checks are conducted, how important they are and whether they should be disclosed to the subjects. In many cases, disclosure of this ongoing monitoring will be effective in behaviour modification; and
- consult with legal counsel if in doubt about their rights or obligations.