This is an update further to the first publication in July 2021 of the same name.
Overview
The Ontario Court of Appeal recently held that the tort of intrusion upon seclusion cannot be used to recover damages from a "database defendant" if the information being stored is accessed by independent third-party hackers. A database defendant is one who, "for commercial purposes, collected and stored the personal information of others."1
Canadians with any form of online presence are at risk of being the victims of data breaches. This can leave their valuable personal information, such as credit card numbers, social insurance numbers and driver's licence numbers, in the hands of unknown hackers. There's no doubt that a third-party hacker with access to that information can cause significant harm.
This decision may be interpreted as being helpful for database defendants, a position in which many Canadian corporations may find themselves, and hurtful to consumer rights; however, the Court makes clear that consumers may still recover damages for data breaches in negligence, contract and under various statutes.2
The Facts and Law
In this case, the appellants were attempting to rely on the tort of intrusion upon seclusion as a part of class action proceedings.3 Hackers gained access to information stored by the respondents, Equifax and related companies, containing social insurance numbers, names, dates of birth, addresses, driver's licence numbers, credit card numbers, email addresses, and passwords of an estimated 20,000 Canadians.4
Intrusion upon seclusion is "an intentional or reckless invasion of the private affairs of another, without lawful justification, in circumstances in which a reasonable person would regard the invasion as highly offensive and causing distress, humiliation or anguish, was actionable without proof of any pecuniary loss."5
Its components were outlined by the court as the following:
In denying the certification of the appellants' class action, the court focused on the state of mind component of intrusion upon seclusion. It acknowledged that the database defendants did not take steps to prevent the unauthorized disclosure of the appellants' personal information, but also emphasized that the database defendants, themselves, did not intentionally interfere with the personal information.7
The court further stated, "Equifax's recklessness as to the consequences of its negligent storage cannot make Equifax liable for the intentional invasion of the plaintiffs' privacy committed by the independent third-party hacker."8 Recklessness, "a subjective state of mind, refers to the realization at the time the prohibited conduct is being done that there is a risk that the conduct will intrude upon the privacy of the plaintiffs, coupled with a determination to nonetheless proceed with that conduct."9
Implications on Privacy Law
The tort of intrusion upon seclusion will now be more difficult to prove against a database defendant; however, consumers still have causes of action as a result of privacy breaches through negligence, contract and under various statutes.10
Each database defendant will have unique data protection needs based on many factors, including the sensitivity of the personal information and the risk of harm to the individual. Accordingly, database defendants must ensure they are compliant with all relevant privacy statutes and cases by seeking legal advice, retaining IT companies and training staff to develop and implement the necessary safeguards.
In Owsianik v. Equifax Canada Co (Equifax), 2021 ONSC 4112, the Divisional Court was required to determine the scope of the court to intervene when Equifax's client-stored data was hacked by an unknown third party. Specifically, the Court needed to determine whether the court-created tort known as intrusion upon seclusion would include the failure to protect people's private data against a third-party intrusion.
2021-07-15