Owsianik v. Equifax: Divisional Court Curtails Scope of Privacy Breach Class Actions in Ontario

Owsianik v. Equifax: Divisional Court Curtails Scope of Privacy Breach Class Actions in Ontario

Megan A. Percy, Davies Ward Phillips & Vineberg LLP[1]

In an age where significant volumes of personal information are collected and stored electronically by healthcare organizations, government agencies and businesses, the risk of privacy breaches has increased dramatically. High-profile data breaches and cyberattacks continue to make headlines—think of the cyberattacks on Newfoundland and Labrador’s health system data centres, the Canada Revenue Agency, and LifeLabs, to name a few recent examples.

Organizations targeted by high-profile cyberattacks resulting in data breaches frequently face privacy breach class actions. Following the Ontario Court of Appeal’s recognition of the common law tort of intrusion upon seclusion in 2012,[2] many of those privacy breach class actions have included claims for this tort (as well as the “symbolic” or “moral” damages available with it). However, the Divisional Court’s decision in Owsianik v. Equifax Canada Co., 2021 ONSC 4112 (“Equifax”) has now called the viability of this cause of action into question.

In Equifax, the majority of the Divisional Court held that organizations that collect and store private information cannot be liable for the tort of intrusion upon seclusion when third parties steal or access that information. While it will not be the final word on the subject,[3] this decision significantly curtails the scope of privacy breach class actions in Ontario that arise out of third-party hacking and cyberattacks.