Background
On November 25, 2022, the Ontario Court of Appeal released a trilogy of decisions which held that the tort of intrusion upon seclusion could not be claimed against a defendant who had suffered a cyberattack.[1] All three matters involved class actions that were at the certification stage. The plaintiffs in each action were alleging that the defendants had committed the tort of intrusion upon seclusion. The defendants were entities who stored the personal information of the plaintiffs for commercial purposes and had failed to protect that information from third-party hackers.
Given the similarity in the proceedings, the court designated Owsianik v. Equifax Canada Co., 2022 ONCA 813 as the lead decision. The court found that the defendants in all three claims could not be held to have committed the tort of intrusion upon seclusion. It found that the hackers’ intrusive actions could not be attributed to the defendants. The court stated that the defendants’ liability would properly be pursued under a claim for negligence, or breach of contractual or other statutory duties.
Legal Framework
The tort of intrusion upon seclusion was first recognized in Jones v. Tsige, 2012 ONCA 32. [2] The defendant in Jones had unlawfully accessed the banking records of the plaintiff, who was the former wife of the defendant’s common-law partner. The court held that intentional or reckless intrusion of another’s private affairs was actionable, even where there were no pecuniary losses, if the intrusion would be considered to be highly offensive by a reasonable person.
In Jones, the court stated that the tort of intrusion upon seclusion must include three elements:
- Conduct: an invasion or intrusion by the defendant upon the plaintiff’s private affairs or concerns, without lawful excuse
- State of Mind: intent or recklessness in conducting the intrusion or invasion
- Consequence: a reasonable person would find the invasion as highly offensive, causing distress, humiliation, or anguish
The test for certification of a class action is found in s. 5(1) of the Class Proceedings Act, 1992. S. 5(1)(a) states that a class proceeding cannot be certified unless the pleadings or notice of application disclose a cause of action. According to Babstock, the court should only dismiss a claim for disclosing no reasonable cause of action if it is “plain and obvious” that it cannot succeed.
In considering whether the plaintiffs had correctly plead intrusion upon seclusion, the court applied the rule from Bowman v. Ontario, 2022 ONCA 477 to assume that the facts alleged by the plaintiffs were true.[3]
Analysis and Decision
The court held that the plaintiffs’ claim failed at the “Conduct” stage of the analysis. It found that the defendants had not committed any conduct that amounted to an invasion or intrusion of the plaintiff’s privacy. The defendants’ wrongdoing, if any, rested in their failure to prevent hackers from carrying out an invasion of privacy. The court reasoned that liability would properly be pursued under the tort of negligence, or under a breach of contract or other statutory duty.
The plaintiff Owsianik argued that an expansion of the tort to parties that failed to protect information was a natural development of the common law. She argued that modern technology and the accumulation of personal information by entities such as the defendant Equifax meant that there was a constant threat of breaches to privacy, with no effective remedy for victims whose information had been compromised.
The court rejected the plaintiff’s argument. It warned that an expansion of the law in this direction would mean that a defendant could be held liable for a third-party’s intentional tort, as long as the defendant owed a legal duty to the plaintiff to protect them from the type of conduct that had been committed. The court also noted that, contrary to Ms. Owsianik’s assertion and unlike the plaintiff in Jones, the plaintiffs in these actions had an adequate remedy available to them. They were able to sue for an invasion of privacy. The court held that the difficulty in locating the third-party hacker(s) did not justify the expansion of a different tort to defendants who were not liable for a third-party’s wrongful conduct.
The court dismissed the plaintiffs’ appeals, and in Owsianik, awarded $25,000.00 in costs to Equifax.
[1] Owsianik v Equifax Canada Co., 2022 ONCA 813 [Owsianik]; Obodo v TransUnion of Canada, Inc., 2022 ONCA 814 [Obodo]; Winder v Marriott International, Inc., 2022 ONCA 815 [Winder]
[2] [Jones].
[3] [Bowman].