The Ontario Court of Appeal Refuses to Extend Tort of Intrusion Upon Seclusion to Cases of Third-party Hackers

  • January 12, 2023
  • Thomas Russell

Introduction

In November of the past year, the Ontario Court of Appeal (the court of appeal) released a trio of decisions that marked an important development in Ontario privacy law: Owsianik v Equifax; Obodo v Trans Union of Canada, Inc; and Winder v Marriot International, Inc.[1] In these three decisions, the Ontario Court of Appeal determined that database defendants (companies that collect and store private information) who have been subject to third party breaches (e.g. outside hackers) cannot be held liable under the tort of intrusion upon seclusion. This is an important development for privacy law because it may leave victims without adequate legal recourse in situations of third-party breaches.

Background

To understand the significance of these three cases, it is important to first understand the tort of intrusion upon seclusion. In 2012, the Court of Appeal first recognized the tort of intrusion upon seclusion in the case Jones v Tsige.[2] In Jones, the defendant had repeatedly accessed private banking records of the plaintiff without legal justification but had not caused the plaintiff any additional harm as a result.[3]

The Court of Appeal held that a plaintiff could bring an action against a defendant who infringed their privacy, even when the plaintiff could not prove any additional loss arising from that infringement; this action would be under the new tort of intrusion upon seclusion.[4] The current test for intrusion upon seclusion requires the following:[5]

  1. The defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the conduct requirement];
  2. the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and
  3. a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation, or anguish [the consequence requirement].

Since Jones, this novel tort has been considered as a possible remedy where an individual’s private information has been improperly accessed in a company’s database. In recent years, class actions claiming damages for intrusion upon seclusion have arisen in situations where a database defendant stored the private information of a group of plaintiffs, which was then improperly accessed by employees at the defendant’s company.[6] However, the court had not considered cases of outside breaches by third parties.

In these sorts of class actions, the tort of intrusion upon seclusion provides an advantage for plaintiffs where they cannot prove financial harm as a result of the intrusion on their privacy.  It is an important feature of the tort of intrusion upon seclusion that proof of harm to recognized financial interests is not required.[7]