“Intrusion” privacy tort does not apply to third party hacking claims

12 Dec 2022 9:04 AM | CAN-TECH Law (Administrator)

Ontario CA determines that the defendant must be the party who did the intruding

The Ontario Court of Appeal, in considering a trilogy of cases together, has definitively determined that the privacy tort of “intrusion upon seclusion” does not apply to a defendant whose information systems were intruded upon by a malicious third party. The three cases were heard together, with three sets of reasons issued: Winder v Marriott International, Inc., Obodo v Trans Union of Canada, Inc. and Owsianik v Equifax Canada Co.

In the landmark case of Jones v Tsige, the Ontario Court of Appeal had determined that the “Prosser privacy torts” exist in Ontario common law, including the tort of intrusion upon seclusion. Since then, numerous privacy class actions have been brought, many of which have pled this privacy tort. The question of whether this tort can be the basis of liability for a company that is itself a victim of a third party’s act has rested on the meaning of the word “reckless” in the articulation of the elements of the cause of action from Jones:

[71] The key features of this cause of action are, first, that the defendant's conduct must be intentional, within which I would include reckless; second, that the defendant must have invaded, without lawful justification, the plaintiff's private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized economic interest is not an element of the cause of action. I return below to the question of damages, but state here that I believe it important to emphasize that given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum. [emphasis added]

Plaintiffs in such data breach class actions have argued that the breaches are the result of the defendant’s recklessness, usually with respect to the handling or safeguarding of personal information. 

The most extensive reasons in the trilogy of cases were given by Justice Doherty in Owsianik. In all three cases, the question before the courts below was whether to certify the proposed class actions, which requires that there be a legally viable claim. The plaintiffs had experienced varied success in the courts below. 

In its analysis of the intrusion tort, the Court summarized the elements and explicitly categorized the conduct, state of mind and consequences requirements:

[54] The elements of the tort of intrusion upon seclusion are laid down in Jones, at para. 71. I would describe them as follows:

  • the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the conduct requirement];
  • the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and
  • a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish [the consequence requirement].

The plaintiff argued that the state of mind requirement was applicable to the defendant, Equifax in this case. The Court disagreed: The state of mind requirement applies to the “intruder”. 

[59] Ms. Owsianik’s submission misunderstands the relationship between the two elements of the tort. The first element, the conduct requirement, requires an act by the defendant which amounts to a deliberate intrusion upon, or invasion into, the plaintiffs’ privacy. The prohibited state of mind, whether intention or recklessness, must exist when the defendant engages in the prohibited conduct. The state of mind must relate to the doing of the prohibited conduct. The defendant must either intend that the conduct which constitutes the intrusion will intrude upon the plaintiffs’ privacy, or the defendant must be reckless that the conduct will have that effect. If the defendant does not engage in conduct that amounts to an invasion of privacy, the defendant’s recklessness with respect to the consequences of some other conduct, for example the storage of the information, cannot fix the defendant with liability for invading the plaintiffs’ privacy.

The Court noted that Equifax may be liable to the plaintiff on some other basis, but not as an intruder upon the plaintiff’s privacy.

[61] …. Equifax’s negligent storage of the information cannot in law amount to an invasion of, or an intrusion upon, the plaintiffs’ privacy interests in the information. Equifax’s recklessness as to the consequences of its negligent storage cannot make Equifax liable for the intentional invasion of the plaintiffs’ privacy committed by the independent third-party hacker. Equifax’s liability, if any, lies in its breach of a duty owed to the plaintiffs, or its breach of contractual or statutory obligations.

The plaintiffs argued that the tort of intrusion upon seclusion should be extended so that it clearly applies to the “Database Defendants”, otherwise the plaintiffs would be without a remedy in these circumstances. This was dismissed by the Court of Appeal:

[79] The plaintiffs’ “no remedy” argument really comes down to the assertion that because the remedies available in contract and negligence require proof of pecuniary loss, the plaintiffs who cannot prove pecuniary loss are left with no remedy. With respect, this is not what the court meant in Jones when it described the plaintiff as being without remedy. The plaintiffs here are in the same position as anyone else who advances the kind of claim the plaintiffs have advanced here. Because the claim sounds in negligence and contract, the plaintiffs must prove pecuniary loss. The plaintiffs’ position is miles away from the predicament faced by the plaintiff in Jones.

[80] While it cannot be said the plaintiffs are left without a remedy, it is true that the inability to claim moral damages may have a negative impact on the plaintiffs’ ability to certify the claim as a class proceeding. In my view, that procedural consequence does not constitute the absence of a remedy. Procedural advantages are not remedies.

Finally, before dismissing the appeal, the Court noted that if Parliament or the provincial legislatures want to extend the law so far as to provide moral damages in cases like this, they are able to do so.


Canadian Technology Law Association

Copyright © 2024 The Canadian Technology Law Association, All rights reserved.