With the certification of Evans v. The Bank of Nova Scotia, the newly introduced tort of intrusion upon seclusion has become another weapon in the arsenal for the class action plaintiffs’ bar.
But while Evans has gotten the lion’s share of attention, other developments in privacy law are also portending an increase in privacy class actions.
The tort of intrusion upon seclusion emerged in Ontario in Jones v. Tsige, a 2012 case involving a bank employee who accessed a colleague’s personal information for her own purposes.
In that decision, the Ontario Court of Appeal reviewed the American Law Institute’s Restatement of the Law Second, Torts from 2010. It included four torts related to privacy breaches. The Ontario judges believed the tort of intrusion upon seclusion could apply to the case and found Ontario common law should recognize it.
“A right of action for intrusion upon seclusion should be recognized in Ontario,” wrote Justice Robert Sharpe.
“The case law supports the existence of such a cause of action.”
The court outlines three key features of the tort: the alleged conduct must be intentional and reckless; the defendant must have unlawfully invaded the plaintiff’s privacy; and the invasion must be offensive, humiliating or anguishing.
Roland Hung, an associate with McCarthy Tétrault LLP, says that when the tort first emerged, he expected the courts to limit its use. “Many lawyers in discussing that case were thinking the courts are probably going to try to limit this case to its own facts,” he says.
“But actually now that it’s been almost three years after, it would appear that the courts have not limited that case to its own facts and have broadened and widened this case.”
He pointed to Hopkins v. Kay, a case from January of this year, as an example.
“I am not satisfied from a review of Jones that it should be, as suggested by counsel for the Hospital, restricted to the facts of that case,” wrote Superior Court Justice Mark Edwards.
“Rather, I am of the view that the Court of Appeal in Jones has determined that the common law right to proceed with a claim, based on the tort of breach of privacy, as alleged in the plaintiff’s statement of claim is a claim that should be allowed to proceed.”
Federal Court Justice Jocelyne Gagné relied on this reasoning to determine that intrusion upon seclusion was a common question in Condon v. Canada, a case certified three months before Evans.
Condon relates to the loss of a hard drive from Human Resources and Skills Development Canada containing student loan data on 583,000 people. The data included names, birth dates, addresses, the balance of student loans, and even social insurance numbers.
To this day, no one knows where the hard drive ended up, but there hasn’t been any evidence someone used it for nefarious purposes.
Molly Reynolds, a litigator with Torys LLP, says that when she heard about the lost hard drive, she checked to see if the incident had affected her student loans.
“And mine were on there,” she says.
According to Reynolds, Condon differs from Evans because while the latter case deals more with the vicarious liability of the employer, Condon focuses more on the issue of recklessness.
“The question is whether the employee was reckless or otherwise negligent in having lost the USB key in the first place,” she says.
The fact that it’s not clear what happened to the hard drive or whether anyone else had ever accessed the private information further complicates the case.
“It was a breach; we just don’t know if there were any consequences or any harm stemming from the breach,” says Reynolds.
“But what’s interesting about the damages issue here is that you can’t necessarily identify whether anybody has been the victim of identity theft and they’re going to have a struggle, I think, with causation.”
Reynolds says that even if the plaintiffs are unable to prove harm, the judge could still award nominal damages to them, as happened in Jones and numerous cases dealing with the Personal Information Protection and Electronic Documents Act in the federal courts.
“When you have a class as big as 500,000 class members, $5,000 in nominal damages times 500,000 or 600,000 could actually be a pretty hefty damage award against the government,” she says.
Ontario is the only province so far that has adopted the tort of intrusion upon seclusion. In Demcak v. Vo, the Supreme Court of British Columbia reaffirmed that no common law privacy tort exists in that province. Instead, British Columbia has a statutory remedy for breach of privacy under that province’s privacy legislation.
Hung expects Alberta to veer closer to British Columbia than Ontario since that province, unlike Ontario, also has provincial privacy legislation. “Of course, it’s not the same test as the tort of intrusion upon seclusion, but nonetheless there is a remedy for privacy breaches,” he says.
Despite the fact that British Columbia doesn’t have a common law privacy tort, Hung says class actions stemming from privacy breaches are likely to become more numerous even there.
He points to Douez v. Facebook Inc., a British Columbia-based class action certified in May against Facebook for alleged privacy breaches. “Despite the fact that the B.C. courts have indicated they’re not going to adopt the Jones intrusion-upon-seclusion tort, they still allowed the certification of a privacy violation,” he says.
“So they’re basically following their statutory regime instead of following a common law tort.”
And if judges decide to adopt any of the other American privacy torts, there may be further potential for the expansion of privacy class actions.
“That is one thing that commentators are expecting to see happen, depending on the facts of future cases, that we may continue to borrow and import the other three U.S. privacy torts,” says Reynolds.
Those torts are the public disclosure of embarrassing private facts, publicity that places a person in a false light, and appropriation of a person’s name or likeness.
Reynolds, however, says cases that fall under the second tort could be actionable under defamation and libel laws while those involving the third tort may fall under copyright protections.
Both Hung and Reynolds say that even without new legal developments, because of the vast quantities of data now stored on the computers of companies and government agencies, an increase in privacy class actions is almost inevitable.
Hung says he has noticed that clients, especially the big banks and retailers, have become increasingly concerned about liability in the case of a privacy breach.
“The potential risk that they might be sued, whether through class action or by just a commencement of a claim by one of the individuals that suffered identity theft, is quite real,” he says.
Reynolds thinks these cases will send a message to companies and governments that store large amounts of personal data.
“I think these kinds of cases, even if they don’t get as far as trials and decisions and damage awards, will be sending a message internally at a lot of large institutions to make sure they’re minimizing employees’ access to records that they don’t need for the purposes of their job and probably supplementing their ability to monitor whether employees are misusing their internal systems,” she says.
For more, see "Court certifies class action under tort of inclusion upon seclusion."
But while Evans has gotten the lion’s share of attention, other developments in privacy law are also portending an increase in privacy class actions.
The tort of intrusion upon seclusion emerged in Ontario in Jones v. Tsige, a 2012 case involving a bank employee who accessed a colleague’s personal information for her own purposes.
In that decision, the Ontario Court of Appeal reviewed the American Law Institute’s Restatement of the Law Second, Torts from 2010. It included four torts related to privacy breaches. The Ontario judges believed the tort of intrusion upon seclusion could apply to the case and found Ontario common law should recognize it.
“A right of action for intrusion upon seclusion should be recognized in Ontario,” wrote Justice Robert Sharpe.
“The case law supports the existence of such a cause of action.”
The court outlines three key features of the tort: the alleged conduct must be intentional and reckless; the defendant must have unlawfully invaded the plaintiff’s privacy; and the invasion must be offensive, humiliating or anguishing.
Roland Hung, an associate with McCarthy Tétrault LLP, says that when the tort first emerged, he expected the courts to limit its use. “Many lawyers in discussing that case were thinking the courts are probably going to try to limit this case to its own facts,” he says.
“But actually now that it’s been almost three years after, it would appear that the courts have not limited that case to its own facts and have broadened and widened this case.”
He pointed to Hopkins v. Kay, a case from January of this year, as an example.
“I am not satisfied from a review of Jones that it should be, as suggested by counsel for the Hospital, restricted to the facts of that case,” wrote Superior Court Justice Mark Edwards.
“Rather, I am of the view that the Court of Appeal in Jones has determined that the common law right to proceed with a claim, based on the tort of breach of privacy, as alleged in the plaintiff’s statement of claim is a claim that should be allowed to proceed.”
Federal Court Justice Jocelyne Gagné relied on this reasoning to determine that intrusion upon seclusion was a common question in Condon v. Canada, a case certified three months before Evans.
Condon relates to the loss of a hard drive from Human Resources and Skills Development Canada containing student loan data on 583,000 people. The data included names, birth dates, addresses, the balance of student loans, and even social insurance numbers.
To this day, no one knows where the hard drive ended up, but there hasn’t been any evidence someone used it for nefarious purposes.
Molly Reynolds, a litigator with Torys LLP, says that when she heard about the lost hard drive, she checked to see if the incident had affected her student loans.
“And mine were on there,” she says.
According to Reynolds, Condon differs from Evans because while the latter case deals more with the vicarious liability of the employer, Condon focuses more on the issue of recklessness.
“The question is whether the employee was reckless or otherwise negligent in having lost the USB key in the first place,” she says.
The fact that it’s not clear what happened to the hard drive or whether anyone else had ever accessed the private information further complicates the case.
“It was a breach; we just don’t know if there were any consequences or any harm stemming from the breach,” says Reynolds.
“But what’s interesting about the damages issue here is that you can’t necessarily identify whether anybody has been the victim of identity theft and they’re going to have a struggle, I think, with causation.”
Reynolds says that even if the plaintiffs are unable to prove harm, the judge could still award nominal damages to them, as happened in Jones and numerous cases dealing with the Personal Information Protection and Electronic Documents Act in the federal courts.
“When you have a class as big as 500,000 class members, $5,000 in nominal damages times 500,000 or 600,000 could actually be a pretty hefty damage award against the government,” she says.
Ontario is the only province so far that has adopted the tort of intrusion upon seclusion. In Demcak v. Vo, the Supreme Court of British Columbia reaffirmed that no common law privacy tort exists in that province. Instead, British Columbia has a statutory remedy for breach of privacy under that province’s privacy legislation.
Hung expects Alberta to veer closer to British Columbia than Ontario since that province, unlike Ontario, also has provincial privacy legislation. “Of course, it’s not the same test as the tort of intrusion upon seclusion, but nonetheless there is a remedy for privacy breaches,” he says.
Despite the fact that British Columbia doesn’t have a common law privacy tort, Hung says class actions stemming from privacy breaches are likely to become more numerous even there.
He points to Douez v. Facebook Inc., a British Columbia-based class action certified in May against Facebook for alleged privacy breaches. “Despite the fact that the B.C. courts have indicated they’re not going to adopt the Jones intrusion-upon-seclusion tort, they still allowed the certification of a privacy violation,” he says.
“So they’re basically following their statutory regime instead of following a common law tort.”
And if judges decide to adopt any of the other American privacy torts, there may be further potential for the expansion of privacy class actions.
“That is one thing that commentators are expecting to see happen, depending on the facts of future cases, that we may continue to borrow and import the other three U.S. privacy torts,” says Reynolds.
Those torts are the public disclosure of embarrassing private facts, publicity that places a person in a false light, and appropriation of a person’s name or likeness.
Reynolds, however, says cases that fall under the second tort could be actionable under defamation and libel laws while those involving the third tort may fall under copyright protections.
Both Hung and Reynolds say that even without new legal developments, because of the vast quantities of data now stored on the computers of companies and government agencies, an increase in privacy class actions is almost inevitable.
Hung says he has noticed that clients, especially the big banks and retailers, have become increasingly concerned about liability in the case of a privacy breach.
“The potential risk that they might be sued, whether through class action or by just a commencement of a claim by one of the individuals that suffered identity theft, is quite real,” he says.
Reynolds thinks these cases will send a message to companies and governments that store large amounts of personal data.
“I think these kinds of cases, even if they don’t get as far as trials and decisions and damage awards, will be sending a message internally at a lot of large institutions to make sure they’re minimizing employees’ access to records that they don’t need for the purposes of their job and probably supplementing their ability to monitor whether employees are misusing their internal systems,” she says.
For more, see "Court certifies class action under tort of inclusion upon seclusion."