But privacy claimants may sue in negligence, contract or statutory breach
The lawyer for one of the plaintiffs involved in the Ontario Court of Appeal’s recent refusal to expand the tort of intrusion upon seclusion to defendants who fail to adequately protect personal information collected and stored for commercial purposes says the decisions do consumers a disservice.
“The millions of consumers affected by these cases will regard them as travesties because they leave the public without any effective remedy for privacy breaches,” says Christopher Du Vernet of Du Vernet, Stewart in Mississauga, who represented the plaintiff Michael Obodo in Obodo v. Trans Union of Canada. “And the option to sue in negligence is cold comfort for consumers given it has more onerous requirements than the intentional tort of intrusion upon seclusion.”
Obodo and its sister proposed class actions, Owsianik v. Equifax Canada Co. and Winder v. Marriott International, originated when third parties hacked the personal information databases stored by credit bureaus Trans Union and Equifax, and Marriott’s Starwood hotels.
The databases included addresses, information on debts owing, payment histories, social insurance numbers, names, birthdates, driver’s license information, credit card numbers, email addresses, passwords, phone numbers, passport numbers and account information.
The plaintiffs’ certification applications sought to apply the OCA’s landmark 2012 decision in Jones v. Tsige, which recognized the intentional tort of intrusion on seclusion. Proof of the tort required evidence that a defendant had intentionally or recklessly unlawfully invaded or intruded upon a plaintiff’s private affairs in a manner that a reasonable person would regard as highly offensive, causing distress, humiliation or anguish.
“Intrusion upon seclusion obviated the need to prove a quantifiable loss, whereas a negligence claim requires such proof,” says Craig Lockwood, a litigation partner in Osler, Hoskin & Harcourt’s Toronto office, who led the team representing Trans Union. “That’s important because not every data loss translates into something a hacker can use to cause an actual loss.”
As the unanimous OCA panel saw it, the database defendants’ conduct, even if negligent (upon which the court did not rule) did not fit the parameters of intrusion upon seclusion.
“On the facts as pleaded, the defendants did not do anything that could constitute an act of intrusion or invasion into the privacy of the plaintiffs,” Justice David Doherty stated in Owsianik for a unanimous panel composed also of Justices Michael Tulloch and Bradley Miller. “The intrusions alleged were committed by unknown third-party hackers, acting independently from, and to the detriment of, the interest of the Database Defendants.”
Nor were the defendants vicariously liable, any more than a storage facility was vicariously liable for unlawful break-ins. And while the defendants could be liable in negligence, contract or under various statutory provisions if they failed to adequately protect the plaintiffs’ information from hackers, their actions “cannot, however, be transformed by the actions of independent third-party hackers into an invasion by the Database Defendants of the plaintiffs’ privacy.”
“The court took the position that even if the defendants were reckless in preventing a wrong, their recklessness did not amount to an intentional act of intrusion that Jones requires,” Lockwood says.
Still, Lockwood maintains that the OCA did not diminish Jones’ scope.
“The court did not water down the value of privacy interests, but the decisions stop the trend of trying to leverage a very discrete advancement in the law to a situation that the Jones decision did not contemplate. Applying Jones to the database defendants would have been a giant leap in the law’s development, and not the incremental development that it is the courts’ job to allow.”
The OCA’s approach, Lockwood adds, was “principled and reasoned.”
“Effectively, what the court said is that if plaintiffs have a remedy, don’t look to the courts to create a new one just because the existing remedy may be more burdensome.”
Not surprisingly, Du Vernet disagrees.
“The panel passed on a golden opportunity to finish what the court started in Jones. Because suing in negligence is completely impractical in these cases, the real result is that most privacy breaches will no longer be litigated because most occur when hackers, not employees, find weaknesses in data management and control. And that’s too bad, because you’re talking about leaving innocent victims without real recourse.”
Du Vernet’s client will seek leave to appeal to the Supreme Court of Canada.
“The principles here are too important not to take up the ladder,” Du Vernet says. “Corporations now know they can get away with it, so as things stand, if the whole point of tort law is to change behaviour, this will change nothing.”