Written By Michael Eizenga, Ruth Promislow, Nina Butz and Mehak Kawatra
On July 13, 2023, the Supreme Court of Canada (SCC) denied leave to appeal from three Ontario Court of Appeal (ONCA) decisions declining to apply the tort of intrusion upon seclusion to database defendants—i.e., organizations which collect and store personal information in the course of carrying on a commercial activity and whose databases are hacked by unauthorized third parties. The SCC's denial of leave is a significant development for database defendants, as data breach plaintiffs must now prove compensable loss to make out a claim against such defendants in connection with a breach by an unauthorized third party. This can pose a substantial challenge for plaintiffs, particularly in class actions, where the plaintiff class has not incurred sufficiently serious or compensable losses rising above everyday reasonable expenses or inconveniences.
The tort of intrusion upon seclusion is a common law breach of privacy cause of action first adopted by the ONCA in Jones v Tsige (2012 ONCA 32) [Jones] to recognize moral harm stemming from the intentional invasion of a plaintiff's privacy. The tort has three elements:
- the defendant must have intruded upon the plaintiff’s private affairs or concerns, without lawful excuse ("the conduct requirement");
- the conduct which constitutes the intrusion must have been done intentionally or recklessly ("the state of mind requirement"); and
- a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish ("the consequence requirement").
As the tort recognizes the moral wrong, it does not require proof of pecuniary loss in order to be awarded damages. This potential for an award of damages without proof of pecuniary loss made the tort an appealing cause of action for plaintiffs in privacy breach class actions against database defendants.
Following Jones v. Tsige, there was uncertainty in Ontario's case law concerning the application of intrusion upon seclusion to database defendants. In that context, three privacy class actions were initiated in the Superior Court, and ultimately came before the Ontario Court of Appeal in 2022: Owsianik v. Equifax Canada Co. (2022 ONCA 813) [Equifax], Obodo v. Trans Union of Canada Inc. (2022 ONCA 814) [Trans Union] and Winder v. Marriott International Inc. (2022 ONCA 815) [Marriott], (the Trilogy). Bennett Jones acted for Marriott.1
Equifax, Trans Union and Marriott each involved database defendants which collected and stored some form of personal information belonging to Canadian customers including names, birth dates, addresses, and/or credit or payment card information. In each instance, those databases were breached by unknown and unauthorized third-party hackers. In Equifax, the plaintiff argued that Equifax committed the alleged intrusion upon seclusion by recklessly storing the personal information it had collected. In Trans Union, the plaintiff argued that Trans Union committed the alleged intrusion upon seclusion by enabling the third party hack. And in Marriott, the plaintiff argued that Marriott committed the asserted intrusion upon seclusion when it allegedly failed to protect the information in its database in accordance with its representations and legal obligations.
In Equifax (the lead decision in the Trilogy), the ONCA held that intrusion upon seclusion does not apply to database defendants because they do not commit the requisite "intrusion" identified as the first element of the tort in Jones. Regardless of how each plaintiff tried to frame the database defendants' alleged misconduct, the Court held that there were no facts to demonstrate that they directly committed an "intrusion". The intentionality or recklessness of the defendants' actions under the tort must relate to the prohibited conduct, which is the actual intrusion upon the plaintiffs' private affairs—in each case the Court found that the intrusion was committed by the unknown and unauthorized third-party hackers, not by the database defendants. The Court also declined to expand the tort in order for it to apply to the alleged conduct of the database defendants in the Trilogy.
In finding that the tort of intrusion upon seclusion does not apply to database defendants, the ONCA also reaffirmed the principles enunciated by the SCC in Atlantic Lottery Corp Inc v Babstock (2020 SCC 19) [Babstock] regarding the "plain and obvious" standard used to assess whether pleadings disclose a tenable cause of action and the importance of disposing of claims at an early stage if appropriate. In Babstock, the cause of action at issue was waiver of tort. The SCC held that a claim will not survive an application to strike simply because it is novel; if a court would not recognize a novel claim even when the facts as pleaded are taken to be true, then the claim is plainly doomed to fail and should be struck.
In Equifax, the ONCA added to the Babstock principles by holding that a court may determine the validity of a claim on a pleadings motion even where the legal question to be answered is complex, policy-laden and open to some debate. Early resolution of the legal viability of claims, particularly those plainly doomed to fail, serves judicial efficiency, enhances access to justice and promotes certainty in the law. The ONCA held that this approach would also minimize the unfairness arising from any legal uncertainty that could exacerbate the defendants' potential liability and provide the plaintiffs with a "leg up" in the certification process.
The tort of intrusion upon seclusion, like the waiver of tort doctrine that came before it, was useful for plaintiffs seeking certification. Plaintiffs were able to utilize the novelty of the alleged causes of action and the courts' reluctance to dismiss claims on the basis of motions to stike pleaded cause of actions, in order to advance class proceedings by eliminating the need for individualized inquiries which degraded their ability to satisfy the commonality requirement. This strategy is no longer available to plaintiffs.
While businesses that collect and store their customers' personal information remain subject to statutory, contractual and other legal obligations (including the tort of negligence), the SCC's denial of leave to appeal the Trilogy brings welcome clarity for database defendants facing claims for moral damages under the tort of intrusion upon seclusion.
1 For a detailed analysis of the Trilogy, see our blog from June 1, 2023, The Ontario Court of Appeal Confirms the Narrow Confines of the Tort of Intrusion Upon Seclusion.