The common law tort of intrusion upon seclusion continues to develop, as does its use in the class action context. In the last year, there have been four decisions that have challenged, and in the process allowed, courts to clarify its use in class actions involving data breaches that involved a third party hacking or otherwise obtaining access to the defendants’ databases of employee or customer information. While this tort may continue to develop in the coming years, these cases mark an important turning point for the use of the tort in large data breach cases.
Owsianik v Equifax Canada Co., 2021 ONSC 4112
In June 2021, the Divisional Court released its decision in Owsianik, addressing the scope of the tort in the context of a third-party data breach and its application to the company that suffered the breach. It was an appeal from a decision certifying the class action on this issue. The Divisional Court held that the accessing of the data, which in this case was done by third-party criminals, was " the central element of the tort" (para. 55). The court held the lack of intrusion on the part of the defendant meant that there was no reasonable cause of action against the defendant. It was the hackers, not the defendant, who were the intruders and who would be liable for an intrusion upon seclusion.
This case was the first appellate decision on the issue and an important development in Canadian privacy law. Previously, numerous class actions had been certified on the basis of intrusion upon seclusion claims in the data breach context – the majority confirming the status of intrusion upon seclusion as an intentional tort, not to be conflated with negligence. Intrusion upon seclusion is not a viable cause of action where the plaintiff alleges that the defendant only failed to act to prevent a cyberattack. The proper cause of action in that case is negligence.