Republished from the Ontario Bar Association (February 14, 2022)
The common law tort of intrusion upon seclusion continues to develop, as does its use in the class action context. In the last year, four decisions have challenged courts, and in the process allowed them, to clarify its use in class actions over data breaches in which a third party hacked or otherwise obtained access to the defendants’ databases of employee or customer information. While this tort may continue to develop in the coming years, these cases mark an important turning point for the use of the tort in large data breach cases.
Owsianik v Equifax Canada Co., 2021 ONSC 4112
In June 2021, the Divisional Court released its decision in Owsianik, addressing the scope of the tort in the context of a third-party data breach and its application to the company that suffered the breach. It was an appeal from a decision certifying the class action on this issue. The Divisional Court held that the accessing of the data, which in this case was done by third-party criminals, was “the central element of the tort” (para. 55). The court held the lack of intrusion on the part of the defendant meant that there was no reasonable cause of action against the defendant. It was the hackers, not the defendant, who were the intruders and who would be liable for an intrusion upon seclusion.
This case was the first appellate decision on the issue and an important development in Canadian privacy law. Previously, numerous class actions had been certified on the basis of intrusion upon seclusion claims in the data breach context – the majority confirming the status of intrusion upon seclusion as an intentional tort, not to be conflated with negligence. Intrusion upon seclusion is not a viable cause of action where the plaintiff alleges that the defendant only failed to act to prevent a cyberattack. The proper cause of action in that case is negligence.
Del Giudice v Thompson, 2021 ONSC 5379
There was a similar result in Del Giudice. In that decision, released in August 2021, Justice Perell dismissed a certification motion in the context of a data breach class action in which the plaintiffs had alleged an intrusion upon seclusion grounded in the defendants’ failure to prevent a data breach. The court held, among other things, that a failure to prevent an intrusion does not itself constitute intrusion that can give rise to an intrusion upon seclusion. The court relied on the Owsianik decision to find that the claim for intrusion upon seclusion was not “legally viable” (paras. 135-139).
Obodo v Trans Union of Canada, Inc., 2021 ONSC 7297
In November 2021, Justice Glustein (previously the motions judge in Owsianik) was again asked to certify a class action involving a claim for intrusion upon seclusion. In Obodo, the plaintiff specifically asked the court to (i) find that Owsianik was wrongly decided; and (ii) “conclude that it is not settled law that database defendants cannot be liable for hacker attacks under the tort of intrusion upon seclusion, for intentional or reckless conduct enabling the data breach” (para. 112). However, while Justice Glustein referred to the dissenting judgment in Owsianik, he ultimately held that he was bound by the Divisional Court decision, which held that the tort of intrusion upon seclusion “has nothing to do with a database defendant” (para. 114). He refused to certify the claim on the basis of intrusion upon seclusion, though other causes of action and common issues were certified, including negligence.
Winder v Marriott International, Inc., 2022 ONSC 390
Finally, new year – same outcome. In January 2022, on a strike motion in Winder, Justice Perell, who decided Del Giudice, struck out a claim of intrusion upon seclusion in the data breach context on the basis that it did not disclose a reasonable cause of action. Following the decisions discussed above, Justice Perell found that while the hacker was “most certainly liable for the commission of the tort of intrusion on seclusion”, the tort does not apply to defendants who are themselves victims of the hacker. Justice Perell also returned to the language in Jones v. Tsige (2012 ONCA 32) that warns against opening the floodgates of liability and held that the tort does not extend to constructive intruders (an argument made in that case) and is instead “limited to real ones”. The case could be addressed by other existing causes of action, including negligence (Winder, paras. 13-15).
Impact on privacy class actions
We expect that the tort will continue to develop, including through further appellate guidance on these issues. However, this tetralogy of cases marks an important turning point for the availability of the intrusion upon seclusion tort (or lack thereof) in the data breach class action context.
If you have any questions about this article, please reach out to Chloe Snider.