While the concept of privacy is a fundamental value recognized by most Canadians, the nature and extent of the legal protections afforded to individual privacy interests continue to develop and evolve. In a recent trilogy of decisions, the Ontario Court of Appeal provided welcome guidance on the ambit of individual privacy rights and the circumstances in which a defendant may be found liable for the tort of “intrusion upon seclusion”.
Privacy Rights in Canada
Privacy interests in Canada are addressed through a patchwork of legislation and common law protections. Federal and provincial privacy legislation has tended to focus predominantly on protecting the collection, use and disclosure of an individual’s personal information in the hands of governments and businesses.
In most of common law in Canada there is no widespread statutory recognition of an individual’s right to privacy.  As a result, the scope of an individual’s right to privacy, and the ability to claim damages where such privacy has not been observed, is left to the Courts to develop. Even in the handful of provinces which have created a statutory tort for invasion of privacy, the right to sue is circumscribed and generally can only be enforced where a defendant willfully invades the privacy of another and without a right of claim. There is very little statutory guidance as to what constitutes an invasion of privacy and the legislation limits such entitlements to what is “reasonable in the circumstances.”
Jones v. Tsighe Decision
In 2012 the Ontario Court of Appeal released a watershed decision recognizing a common law right to privacy and paved the way for the acceptance of four distinct, but related privacy torts.
In Jones v. Tsighe, the plaintiff and defendant were employed at the same bank. The defendant improperly accessed the banking records of the plaintiff on numerous occasions because the plaintiff was in a relationship with the defendant’s ex-husband. The plaintiff sued for invasion of privacy and the Court of Appeal allowed the action. In reaching this conclusion, the Court of Appeal noted that tortious invasion of privacy may take different forms and can fall into one of four categories:
- Intrusion on the plaintiff’s seclusion or solitude, or into his or her private affairs;
- Public disclosure of embarrassing private facts about the plaintiff;
- Publicity which places the plaintiff in a false light in the public eye; and
- Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.
In Jones, the Court considered that the most applicable tort in the circumstances was that of “intrusion on seclusion” as the defendant had repeatedly accessed the private information of the plaintiff contrary to the bank’s own policy. The Court described the tort in the following terms:
One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.
While the plaintiff in the Jones case did not suffer any financial damage as a result of the defendant’s misconduct, symbolic damages were nevertheless awarded for the distress, humiliation and/or anguish caused by the defendant’s wrongful conduct.
Emerging Threats to Privacy
In the decade following the Jones decision, a handful of lower court decisions have considered and applied the privacy law torts identified in Jones but there had been no further appellate consideration of the scope of tortious invasion of privacy.
Within this same timeframe, new threats have emerged which have compromised individual privacy. Ransomware attacks in particular have risen in prominence. Strictly speaking, such tactics are not new and are considered to date back to at least 1989 when malicious actors sent infected floppy disks to unsuspecting organizations. However, in recent years these attacks have increased both complexity and frequency. It is now sadly commonplace for a “threat actor” to infiltrate the computer network of an organization with the aim of encrypting and/or stealing sensitive data, including personal information of customers and employees. The threat actor usually demands payment of a ransom to decrypt or return the stolen data. Such attacks have no doubt been facilitated by the concomitant emergence of cryptocurrencies which allow the threat actor an easy means of nearly anonymous payment.
As the number of organizations that have fallen victim to malicious attacks has grown, so has the number of privacy class proceedings. These actions are often started on behalf of the individuals whose personal information has been stolen against the organizations who have failed to keep that information safe. These claims are often framed in negligence, breach of contract or statutory duty. Increasingly, however, resourceful plaintiffs’ counsel have asserted that liability should also be based on the organization’s wrongful intrusion on seclusion in large part to gain the advantage of not having to prove the breach resulted in any actual damage to plaintiffs.
Organizational or “database” defendants have challenged the certification of claims for intrusion on seclusion arguing that the cause of action simply cannot be established. They assert that it was the threat actor, and not the organization, who invaded the privacy of the class members and the tort should not be extended to include those who are alleged to have failed to adequately protect that information.
The Owsianik Trilogy
The issue of the liability of a database defendant for intrusion on seclusion came to the forefront in a trilogy of class proceedings in Ontario namely Owsianik v. Equifax Canada Co, Obodo v. Trans Union of Canada Inc. and Winder v. Marriott International, Inc.
In each of these cases, the plaintiffs sought to certify class proceedings against corporate defendants who had each experienced a data breach in which threat actors had hacked the defendants’ computer networks and compromised their data, including the personal information of the proposed class members. In addition to claims of negligence and breach of contract, the plaintiffs alleged the database defendants were also liable for intruding on the plaintiffs’ privacy.
Owsianik was the first of the three cases to be heard by the lower courts. At first instance, the court certified the claim for intrusion on seclusion finding that it was not plain and obvious that the tort could not succeed at trial. That decision was reversed however by a majority of the Divisional Court who found that there was no possibility of establishing the tort where the database defendants were not alleged to have committed the wrongful intrusion themselves. The Courts in Obodo and Winder reached similar conclusions to the majority of the Divisional Court.
In June 2022, the Ontario Court of Appeal heard appeals in all three matters and issued its reasons for decision on November 25, 2022. In each case, the Court dismissed the appeals, unanimously agreeing that database defendants could not be found liable for the tort of intrusion on seclusion in these circumstances. In doing so, the Court offered important clarifications on the scope and application of this privacy tort.
The Court took the opportunity to enumerate the three key elements of the tort being:
- An invasion or intrusion by the defendant on the plaintiff’s private affairs or concerns, without lawful excuse (the “Conduct Requirement”);
- The conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly (the “State of Mind Requirement”); and
- A reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish (the “Consequence Requirement”).
In each of the three proposed class proceedings, the cause of action failed the Conduct Requirement. None of the database defendants were alleged to have invaded the plaintiffs’ privacy. Rather, the Court considered that a fair reading of the allegations in all three actions was that the database defendants each negligently stored the plaintiffs’ information which allowed third parties to wrongfully obtain it. Negligent storage cannot amount to an invasion of privacy interests in that information.
The Court further rejected the argument that the alleged “recklessness” of the database defendants as to the consequences of negligent storage could create liability. The Court clarified that the Conduct Requirement and State of Mind Requirement were separate elements of the tort, both of which must be separately satisfied to establish liability. Here, there was simply no alleged conduct on the part of any of the defendants which was capable of amounting to an intrusion of the plaintiffs’ privacy and the alleged recklessness in carrying out some other obligation could not satisfy the elements of the tort.
The plaintiffs further argued the ambit should be expanded from the actual intruder to those who failed to safeguard personal information in their care.
The Court dismissed this contention finding that to do so would create a “new and very broad basis” for the finding of liability for intentional torts. If accepted, a defendant would be liable for an intentional tort committed by an unrelated third party if the defendant had any contractual, tort-law or statutory duty to protect the plaintiff from the intentional misconduct. This would radically reconfigure the boundary between a defendant’s liability for the conduct of third parties and its own failure to fulfill an obligation to the plaintiff. The law can and does fashions remedies particular to the defendant’s own misconduct, not the misconduct of others, and the law should not be altered to change this.
In the Odobo appeal, the plaintiff argued that the database defendants could be vicariously liable for the invasive acts of the third-party threat actors. This was also soundly rejected by the Court stating that vicarious liability is predicated on the existence of an employer-employee relationship and policy reasons which support extending liability to the employer for the actions carried out on its behalf by its employee.
Finally, the plaintiffs asserted that liability should be extended to the database defendants because the remedies available under contract, negligence or breach of statutory duty are inadequate in the circumstances. This was also dismissed by the Court. The plaintiffs had remedies against both the third-party threat actors for invasion of privacy (though difficult to enforce) as well as the database defendants for negligence, breaches of conduct and/or statutory duties. The Court noted that the plaintiffs’ real complaint was that the remedies available to them in contract and negligence required proof of actual damage. That some plaintiffs may not be able to show such damage is not equivalent to being without any remedy.
The Owsianik Trilogy is not the end of the discussion of common law privacy rights in Canada. Indeed, to paraphrase Churchill, it is not even likely the end of the beginning of that discussion. It does however represent an important and welcome step in the clarification of the scope of the tort of intrusion on seclusion and makes clear that liability can only attach to a party who is an active participant in the wrongful access of private information of another. In this result, the Court of Appeal has effectively narrowed the scope for future privacy class actions against database defendants.
Ellen Snow is a partner in Clyde & Co’s Toronto commercial litigation group, dealing with a range of complex issues and disputes, with a particular focus on cyber security and privacy issues.
 In Québec, the right to privacy is recognized in both the Civil Code of Québec, S.Q. 1991, c. 64, Articles 3 and 35-37 and Charter of Human Rights and Freedoms, R.S.Q. c. C-12, section 5.
 2012 ONCA 32
 This tort has subsequently been recognized in Yenovkian v. Gulian, 2019 ONSC 7279.
 2022 ONCA 813 (“Owsianik”)
 2022 ONCA 814 (“Obodo”)
 2022 ONCA 815 (“Winder”)