CAN-TECH Newsletter/Bulletin
November 29, 2018/29 novembre 2018

Tort of “Public Disclosure of Private Facts” Confirmed

Ontario Superior Court confirms tort, gives damages for posting of “revenge porn” on internet

In Jane Doe 72511 v. N.M. [2018 ONSC 6607, released November 2, 2018, no hyperlink available as yet], Justice Gomery of the Ontario Superior Court of Justice presided over a tort action brought by the anonymous plaintiff against her former boyfriend and his parents. A number of causes of action were pleaded that arose from the boyfriend’s abusive behaviour, including his having posted a sexually explicit video of the plaintiff on a pornographic website, without her knowledge or consent. The boyfriend and parents did not file defences and were noted in default. However, Justice Gomery engaged in a thorough discussion of the relatively novel cause of action relating to the posting of the video.

The video explicitly depicted a sexual encounter between the plaintiff and NM, in which her face was clearly visible and his was not. She had consented to the making of the video but not to any subsequent use of it. When the plaintiff learned of the posting from a friend, she contacted the website administrator, who agreed to take it down. However, up to the point of takedown it had been viewed over 60,000 times and was linked to 10 other pornographic websites; it was impossible to determine how often it had been downloaded and shared. When confronted by the plaintiff, the defendant admitted that he had arranged to have the video posted, as an act of revenge for her having reported an incident of physical abuse to the police, which resulted in him having a criminal record.

Justice Gomery began by noting the Ontario Court of Appeal’s decision in Jones v. Tsige, in which the court had created a breach of privacy tort for “intrusion upon seclusion,” and flagged the potential existence of other privacy-based torts, in particular because of the need for the common law to respond to problems raised by technology:

For over 100 years, technological change has motivated the legal protection of the individual's right to privacy. In modern times, the pace of technological change has accelerated exponentially. Legal scholars such as Peter Burns have written of "the pressing need to preserve 'privacy' which is being threatened by science and technology to the point of surrender.... The Internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic databases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled and the nature of our communications by cellphone, e-mail or text message.

Next, Justice Gomery reviewed the 2016 judgment of the Ontario Superior Court in Jane Doe 464533 v. N.D. (reported in an earlier issue of this newsletter), a case factually similar to the instant case in which the defendant had posted an intimate video sent to him by the plaintiff without her knowledge or consent. In that case the court had recognized a privacy tort of “public disclosure of embarrassing private facts.” That judgment had been overturned when the defendant, who had been noted in default, had successfully applied to have the case re-opened, but Justice Gomery relied on the reasoning of Stinson J. in the case nonetheless:

Stinson J. noted that Prosser's description of the tort did not anticipate the development of social media and the internet, but that recognizing it would give courts the necessary remedy for an intentional breach of privacy enabled by these technologies:

Plainly, writing in 1960, Prosser was discussing events that might occur in a pre-Internet world, where the concepts of pornographic websites and cyberbullying could never have been imagined. Nevertheless, the essence of the cause of action he described is the unauthorized public disclosure of private facts relating to the plaintiff that would be considered objectionable by any reasonable person. In the electronic and Internet age in which we all now function, private information, private facts and private activities may be more and more rare, but they are no less worthy of protection. Personal and private communications and the private sharing of intimate details of persons' lives remain essential activities of human existence and day to day living.

To permit someone who has been confidentially entrusted with such details -- and in particular intimate images -- to intentionally reveal them to the world via the internet, without legal recourse, would be to leave a gap in our system of remedies.

Justice Gomery then went on to note that in 2014 Parliament had inserted an offence of publication of an intimate image into the Criminal Code, which “recognizes that this behaviour is highly offensive and should give rise to a civil remedy for a person who suffers damages as a result of it.” The acknowledgment of a civil tort of “public disclosure of private facts” was clearly the best way to accomplish this; it was consistent with Charter values, particularly the protection of privacy, as well as legal protections available to people regarding their images. Despite one province having created a similar cause of action in tort via legislation, the court in Ontario was free to do so of its own accord:

A strength of the common law is its ability to evolve and adapt to changing circumstances. Of course new remedies should not simply be invented willy-nilly. But the tort of public disclosure of private facts is hardly new or novel. It has existed in U.S. law for decades. Despite its vintage, it is well-suited for use in the context of internet posting and distribution of intimate and sexually explicit images and recordings. It is the cousin to another privacy tort already recognized in Ontario, intrusion on seclusion. As such it is an appropriate, proportionate legal response to a growing problem enabled by new technology.

The elements of this tort, as recognized in the earlier Jane Doe decision were:

  1. the defendant publicized an aspect of the plaintiff's private life;
  2. the plaintiff did not consent to the publication;
  3. the matter publicized or its publication would be highly offensive to a reasonable person; and
  4. the publication was not of legitimate concern to the public.

These requirements having clearly been met in this case, the court finally turned to the issue of damages, emphasizing the odious nature of “revenge porn”:

Revenge porn can have devastating consequences. In the most extreme cases, where sexually explicit images of very young people have been shared without their consent, the victims have been driven to suicide because of their feelings of intense shame and social isolation. In every case, the victim is betrayed by someone they trusted. Something that may have been a celebration of their affection or sexual attraction for another person is used against them. They have forever lost their right to control who sees their body. Even if the posting is removed, copies remain as the result of downloads and sharing. They live with the fear that this single event will define how they are perceived and treated by family, friends and strangers for the rest of their lives.

As Justice M.M. Rahman eloquently observed in a case where unauthorized, sexually explicit videos of a young woman, C.S., were posted on the same website that the video of Jane was posted:

There is a popular saying that "the internet never forgets." C.S.'s images became available as torrents. That means they remained available to others even though the offender removed them from the websites to which he had originally uploaded them. There is no way to know how many people have access to the images. Every time someone views one of these images, C.S.'s privacy and dignity are violated. C.S. must live with the knowledge that strangers anywhere in the world may view her private images whenever they choose to. She has lost control over a very private part of her life forever. She faces the potential violation of her privacy, by total strangers, in perpetuity.

In this case, the plaintiff had been significantly affected by the video, which had been made at a time when she was very vulnerable (a teenaged single mother) and circulated within her social circle and could very well be so for years into the future. She suffered distress, constantly worrying that her son, potential employers or others might see the video. It had affected her ability to form relationships and to trust others. Moreover, the defendant’s actions had been malicious, deliberately degrading, high-handed and designed to hurt the plaintiff. He had shown no remorse, and had in fact taunted and insulted her. In the result, Justice Gomery awarded $50,000 in general damages, a further $25,000 in aggravated damages due to the defendant’s conduct, and an additional $25,000 in punitive damages a means of sanctioning the defendant’s malicious conduct and deterring others from acting similarly.

Cannabis Legalization and Privacy

BC warns against breaches, as Ontario suffers them

In light of the recent legalisation of recreational cannabis, the British Columbia Information and Privacy Commissioner has released a guidance document entitled Protecting Personal Information: Cannabis Transactions. The Document provides guidance for both cannabis retailers and customers around the collection of personal information in cannabis transactions. The Commissioner found this particular guidance necessary because, as the document notes,

Cannabis is illegal in most jurisdictions outside Canada. The personal information of cannabis users is therefore very sensitive. For example, some countries may deny entry to individuals if they know they have purchased cannabis.

The theme of the Document is to ‘only collect what is needed’ so as to protect consumer privacy. Recommendations include not recording information unless necessary (e.g. IDs can be checked to verify age requirements without being recorded, or collecting only email addresses for a mailing list without an associated name), or storing identity information separately (e.g. dissociating email addresses for mailing lists from identity / transaction records and credit card information). The Document also recommends minimizing invasive security measures by, for example, using security guards instead of video recordings within the store, and only using video surveillance as a last resort. The Commissioner also notes that where a retailer does use video surveillance:

they must notify individuals with signage that is clearly visible to anyone before entering the store. That way, individuals can choose to shop elsewhere if they do not want the retailer to collect their personal information (emphasis added).

The Document also suggests that consumers not provide more personal information than necessary, and pay with cash rather than by credit card if possible.

In addition, the Commissioner made recommendations around safeguarding the personal information that is collected. These steps include having a privacy officer responsible for ensuring compliance, and taking various security measures: physical (e.g. locked cabinets, shredding), technological (e.g. password protection, encryption), and administrative (e.g. staff training on privacy, regular risk assessments). In particular the Commissioner noted that

…storing data in the Cloud or in proprietary software means there is likely disclosure of that personal information outside of Canada. It is much more privacy protective to store personal information on a server located in Canada to prevent access by unauthorized third parties.

The BC Privacy Commissioner’s Guidance Document is timely, in light of reports of a data breach around the sale of cannabis in Ontario. The Toronto Sun reports that the name or initials, postal code, date of cannabis delivery and Canada Post tracking number of 4500 purchasers were obtained by someone who hacked the Canada Post tracking website. At present in Ontario Cannabis can only legally be purchased through the Ontario Cannabis Store and delivered by Canada Post, making the breach that much more serious.

New Obligation to Report Privacy Breaches

Privacy Commissioner of Canada offers guidance

On November 1 2018, new regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force. Those regulations will require organizations subject to PIPEDA to:

  • report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals;
  • notify affected individuals about those breaches, and;
  • keep records of all breaches.

On October 29, the Office of the Privacy Commissioner of Canada (OPC) issued a document entitled What You Need to Know about Mandatory Reporting of Breaches of Security Safeguards, giving guidance to organizations as to how to comply with the new regulations.

The guide notes that not every breach must be reported to the OPC:

The law requires that you report any breach of security safeguards involving personal information under your control if it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm (RROSH) to an individual.

Whether a breach of security safeguards affects one person or a 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach.

The guide also notes that “significant harm”

includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Part 6 of the guide offers advice for developing a framework to assess whether there is a real risk of significant harm.

The guide also clarifies who is responsible for reporting breaches, and reiterates that a determinative element in whether an organization is responsible for reporting is whether the affected information was under its control. This is especially relevant for arrangements where third parties have been engaged to process data: the principal organization remains responsible for the data while it is with the third party and being used for the intended purposes under the business relationship. Therefore,

the principal organization will need to ensure there are sufficient contractual arrangements in place with the processor to address compliance with the breach provisions set out in PIPEDA. The same would be true for notification and record-keeping obligations.

In addition the guide contains advice about record-keeping by organizations, and the obligation to report breaches to individuals affected. It also observes that “it is an offence to knowingly contravene PIPEDA’s reporting, notification and record-keeping requirements relating to breaches of security safeguards, and doing so could lead to fines” (emphasis in original).

Enregistrement des débats sexuels à l’insu de l’appelante

L’appelante se pourvoit contre un jugement qui, entre autres, condamne Maranda à des dommages moraux de 5 000 $ pour violation de sa vie privée. Maranda a fait un enregistrement sonore d’une durée de 96 minutes, à l’insu de l’appelante, des bruits ambiants de son appartement comprenant les ébats sexuels des parties. De cet enregistrement, Maranda a puisé un extrait de 0,2 seconde d’un cri de jouissance qu’il a intégré à une oeuvre. En appel, l’appelante plaide que la juge devait plutôt conclure à une violation de son droit d’auteur plutôt qu’à une violation de son droit à la vie privée. La juge aurait erré en concluant que Maranda n’avait pas violé son droit d’auteur en « fixant » à son insu son cri de jouissance dans un enregistrement et qu’il n’avait pas volontairement porté atteinte à sa vie privée.

La Cour d’appel conclut que, au-delà du fait que l’appelante soulève cet argument pour la première fois en appel et au-delà des difficultés que pose la qualification d’œuvre protégée qu’elle propose d’un cri de jouissance à la lumière des critères applicables, l’appelante ne fait pas voir en quoi une telle qualification aurait changé quoi que ce soit relativement aux dommages octroyés.

En ce qui concerne les dommages punitifs réclamés, la juge a refusé de les accorder en l’absence de la démonstration d’une atteinte intentionnelle ou malveillante de la part de l’intimé. La juge s’appuie à cet égard sur les courriels échangés par les parties pour conclure que leur relation hautement sexualisée a mené Maranda à croire de manière honnête que l’appelante ne s’opposerait pas à l’enregistrement et à la création de la version intime de l’œuvre (intégrant le cri de jouissance). Or, l’appelante ne fait pas voir en quoi son analyse du caractère intentionnel des gestes posés par Maranda serait différente sous l’angle de la violation du droit d’auteur. La Cour d’appel ajoute que, contrairement à ce que plaide l’appelante, la juge de première instance ne conclut pas au consentement implicite de l’appelante en raison de ses habitudes en matière sexuelle. Elle conclut, au contraire, à une atteinte à sa vie privée et lui accorde des dommages moraux. Ce n’est qu’ensuite, dans l’analyse de la réclamation des dommages punitifs, que la juge évoque le rapport sexuel particulier qu’entretiennent les parties, ce qui l’amène à conclure que Maranda croyait honnêtement que la version intime enregistrée ne déplairait pas à l’appelante et qu’il n’avait pas l’intention de lui nuire. L’appelante ne fait pas voir d’erreur manifeste et déterminante dans l’analyse de la juge à cet égard.