The issue of vicarious liability of an employer for privacy breaches perpetrated by a rogue employee is increasingly  before the Courts. The British Columbia Supreme Court previously found that an employer was vicariously liable for the actions of a rogue employee because the employer created the risk of wrongdoing by providing access to customers’ personal information and not setting monitoring mechanisms to prevent misuse (see our previous post on Ari v Insurance Corporation of British Columbia, here). The new class action certification case of Burke v Red Barn at Mattick’s Ltd, 2023 BCSC 367 provides some further guidance on the elements that a Court may consider in determining vicarious liability.

Key Takeaways

Vicarious liability is established when there is a strong connection between the employment enterprise and the employee’s wrongful act. This case suggests that such a connection need not be direct or strong, but may be established when an employer creates an environment that condones and effectively encourages the employee’s wrongful act. As a result, employers need to not only be more alert to the direct authority, policies, and controls on employee access to personal information, but also to how the environment they create may condone or indirectly permit employees to engage in wrongful acts involving the personal information of customers or other employees.

The Claims

In this case, the Defendant, assistant manager at the grocery store, Red Barn at Mattick’s Ltd.’s (“RBM”) took covert photographs and video of the Plaintiffs in the women’s washroom or staff room, and uploaded the images to pornographic websites. After the Defendant was criminally prosecuted, the Plaintiffs made a claim against the individual Defendant (and RMB, vicariously) for breach of privacy contrary to s. 1 of the Privacy Act, R.S.B.C. 1996, c. 373, and for negligence directly against RBM. The Plaintiffs, who were themselves employees of RBM, sought to certify a class action on behalf of all those recorded in the washroom or staff room at RBM.

The breach of privacy claim was grounded in the statutory tort created by BC’s Privacy Act, which states:

1(1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.

(2) The nature and degree of privacy to which a person is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, giving due regard to the lawful interests of others.

(3) In determining whether the act or conduct of a person is a violation of another’s privacy, regard must be given to the nature, incidence and occasion of the act or conduct and to any domestic or other relationship between the parties.

(4) Without limiting subsections (1) to (3), privacy may be violated by eavesdropping or surveillance, whether or not accomplished by trespass.

The Plaintiffs claimed that they had a reasonable expectation of privacy in the store’s washroom and staff room and the Defendant wilfully violated that reasonable expectation of privacy by surreptitiously recording them. The Plaintiffs also claimed that RBM was  vicariously liable for the Defendant’s invasion of their privacy, and also claimed negligence against the store. The Plaintiffs claimed that RBM knew or should have known about the Defendant’s inappropriate behavior which ultimately evolved into criminal activities.

Vicarious Liability for Privacy Breach

The Plaintiffs claimed that the “structural elements” in the employment relationship  “supported [the Defendant’s] ability and opportunity to carry out the surreptitious recording and create the required nexus between the harm suffered and RBM.” These structural elements identified by the Plaintiffs included the following:

  1. Relationships. The Defendant was the owner’s son.
  2. Culture. The RBM culture condoned sexually inappropriate behavior among owners and managers (e.g, inappropriate sexualized comments and actions), giving the Defendant the authority and opportunity to commit the wrongful acts.
  3. Vulnerability of Plaintiffs. The representative Plaintiffs were teenage employees at the time of the events.
  4. Complaints. Complaints made by the Plaintiffs to their manager were ignored or dismissed. Further complaint’s to the manager’s manager were similarly dismissed.

The Court agreed that the Plaintiffs had shown that the cause of action for vicarious liability was properly pled and was supported by the evidence and was able to proceed.

Conclusion

While this case may only be an application for certification of a class action, it is instructive on the Court’s stance on vicarious liability. It shows that employers will be at increased risk of  vicarious liability for the environment that they create at work, and actions that they permit their employees to do, intentionally or inadvertently, that allow employees to violate the privacy of others. Overall, the British Columbia Court appears to be expanding the net on how vicarious liability is established against employers especially in privacy breaches.

For more information on employer vicarious liability in privacy breach actions, please reach out to Melika Mostowfi.

Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
, , ,
Melika Mostowfi

About Melika Mostowfi

Melika Mostowfi is an associate in the Litigation & Dispute Resolution group of Dentons’ Calgary office. She assists clients on a variety of commercial and civil litigation matters and is experienced in incident response in the areas of cybersecurity and privacy law.

Full bio

RELATED POSTS