Common Ground? Class Action Updates

Appellate Court Finds Database Defendants not Liable for Tort of Intrusion upon Seclusion where Personal Information “Hacked” by Third Parties

Common Ground? Class Action Updates

Appellate Court Finds Database Defendants not Liable for Tort of Intrusion upon Seclusion where Personal Information “Hacked” by Third Parties

Date: December 8, 2022

In a trio of cases, the Ontario Court of Appeal recently held that a claim for the tort of intrusion upon seclusion does not apply to companies who store personal information for commercial use (the “Database Defendants”) when those databases are hacked by third parties.

Background

In June 2022, the Court of Appeal heard three grouped appeals arising out of three separate class actions. In each of those proceedings, the plaintiffs sought to apply the tort of intrusion upon seclusion, first recognized in Jones v Tsige, to Database Defendants. All three proceedings are at the certification stage.

The Court provided its reasoning in detail in Owsianik v. Equifax Canada Co. and then applied it to the other two cases (Obodo v. Trans Union of Canada and Winder v. Marriott International, Inc.), all rendered concurrently.

The representative plaintiff in Owsianik was initially successful in certifying an intrusion upon seclusion claim as part of a class proceeding. However, the majority of the Divisional Court reversed the motion judge and held the tort had no application to a Database Defendant when the private information was accessed by a third party hacker acting independently of the Database Defendant.

At the Court of Appeal

In Owsianik, the Court reiterated the finding in Atlantic Lottery Corp. Inc. v. Babstock that “novel legal claims which are doomed to fail even if the alleged facts are true, should be disposed of at the certification stage.” The test to be applied in deciding whether a claim discloses a cause of action for the purposes of s. 5(1)(a) of the Class Proceedings Act, 1992 is that a claim should only be struck if it is “plain and obvious” that it cannot succeed.

The Court referred to the elements of the tort of intrusion upon seclusion as set out in Jones v. Tsige and focused on the first element, which is that the defendant must have invaded or intruded upon the plaintiffs’ private affairs or concerns, without lawful excuse.

The Database Defendant in Owsianik was alleged to have failed to take steps to prevent the hackers from invading the plaintiffs’ privacy interests. However, the Court stated that the Database Defendant itself did not interfere with those privacy interests: the wrong arose out of its failure to meet its obligations to protect the plaintiffs’ privacy interests.

As a result, the Court agreed with the majority of the Divisional Court that the claim must fail as there was no conduct by the Database Defendant, or on its behalf, amounting to an intrusion into, or an invasion of, the plaintiffs’ privacy. The Database Defendant’s recklessness in negligently storing the plaintiffs’ personal information could not make it liable for the invasion of the plaintiffs’ privacy by third party hackers.

To impose liability in such a situation would, the Court stated, create a new and broad basis for a finding of liability for intentional torts:

[65] … A defendant could be liable for any intentional tort committed by anyone, if the defendant owed a duty, under contract, tort, or perhaps under statute, to the plaintiff to protect the plaintiff from the conduct amounting to the intentional tort. The security guard who fell asleep on the job, recklessly allowing an assailant to assault the person who the security guard was obliged to protect, would become liable for battery. The garage operator who negligently, and with reckless disregard to the risk of theft, left the keys in a vehicle entrusted to his care, would become a thief if an opportunistic stranger stole the car from the garage parking lot.

Takeaway

This decision confirms that a company cannot be held liable for intrusion upon seclusion where third party hackers acting independently of the company access an individual’s personal information stored by the company.

As stated by the Court of Appeal, if an individual’s privacy is breached in this manner, they may have recourse against the hackers for invasion of privacy. The difficulty in suing the hackers is not justification for creating a remedy against a storage company for the invasion of privacy perpetrated by a hacker.


The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©