Intrusion Upon Seclusion Claims In Privacy Breach Class Actions? Court of Appeal Trilogy Offers Guidance

Stikeman Elliott LLP

In a trilogy of rulings released on November 25, 2022, the Ontario Court of Appeal (“Court”) has ruled that the tort of intrusion upon seclusion cannot extend to companies that collect and store personal information and fall victim to data breaches perpetrated by third-party hackers. Intrusion upon seclusion was first recognized in 2012 by the Court, which defined it at that time as “an intentional or reckless invasion of the private affairs or concerns of a person which would be viewed by a reasonable person as highly offensive, resulting in distress, humiliation or anguish.”

The cases in the trilogy are Owsianik v. Equifax Canada Co., 2022 ONCA 813 (“Owsianik”), Obodo v. TransUnion of Canada, Inc., 2022 ONCA 814 (“Obodo”) and Winder v. Marriott International Inc., 2022 ONCA 815 (“Winder”).

Background

The three proposed class actions arose from three separate cyberattacks. In each case, a third-party hacker (or hackers) had gained unlawful access to personal information collected and stored by one of the defendants:

  • In Owsianik, third-party hackers gained unlawful access to the personal information of approximately 20,000 Canadians that was stored by a credit reporting agency.
  • In Obodo, third-party hackers used stolen credentials of a credit bureau’s customer to improperly access the bureau’s database and gain access to the personal information of approximately 37,000 Canadians.
  • In Winder, third-party hackers unlawfully accessed the reservation data of a large hotel chain, which contained personal data of millions of customers around the world collected for purposes associated with reserving and using the hotel facilities.

The plaintiffs in each of the three cases argued, inter alia, that the respective defendants (collectively, the “Database Defendants”) had committed the tort of intrusion upon seclusion as a result of their alleged failure to take adequate steps to protect the personal information from being accessed and used by third-party hackers. In each case, the Database Defendants argued that the intrusion upon seclusion claim should not be certified as pleaded, as it did not disclose a cause of action as required under section 5(1)(a) of the Class Proceedings Act, 1992, S.O. 1992, c. 6.

The lower courts refused to certify the intrusion upon seclusion claims as part of the class proceedings against the Database Defendants, and the plaintiffs sought to appeal those decisions to the Court, which heard the cases together in June 2022.

Ruling of the Court of Appeal

Given the similar facts in all three appeals, the Court addressed the issues and arguments common to all three appeals in the context of the Owsianik appeal and addressed any discrete issues applicable to the other cases in the reasons for the other two appeals.

The Court dismissed all three appeals, holding that the intrusion upon seclusion claims in the proposed class actions cannot be certified against the Database Defendants. It began its analysis by reiterating the elements necessary to establish the tort of intrusion upon seclusion:

(1) the conduct requirement (the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse);
(2) the state of mind requirement (the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly); and
(3) the consequence requirement (a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation, or anguish).

Conduct requirement not satisfied

The Court held that the conduct requirement was not satisfied as the Database Defendants did not do anything that could constitute an act of intrusion or invasion into the privacy of the plaintiffs. Rather, the intrusions were committed by unknown third-party hackers, acting independently of, and to the detriment of, the interests of the Database Defendants.

Rejecting the plaintiffs’ argument that recklessness can suffice on its own to establish liability, the Court held that if the defendant does not engage in conduct that amounts to an invasion of privacy, the defendant’s recklessness (state of mind requirement) with respect to the consequences of some other conduct (i.e., the storage of information) cannot fix the defendant with liability for the tort.

The plaintiff in Winder argued, in a somewhat similar way, that the defendant had knowingly or recklessly failed to keep customer information safe, contrary to the representations it had made to obtain the information, thus exposing the customers’ information to access by unauthorized third parties. The plaintiff argued that the invasion of privacy was therefore complete when the defendant took possession of the personal information and did not depend on any unauthorized third party accessing the information. The Court rejected this submission and reiterated that the ambit for the tort of intrusion upon seclusion is narrow. There were no allegations that the defendant had stored or used personal information of its customers for any purpose that would not have been reasonably contemplated by the customers. As such, the Court found that there could be no intrusion or breach of the customer’s privacy.

Vicarious liability analysis rejected

In Obodo, the plaintiff argued that the defendant should be vicariously liable for the hackers’ acts on the basis that the defendant “enabled” the hackers’ intrusion upon seclusion. The Court reiterated that the doctrine of vicarious liability is predicated on the existence of an employer-employee relationship and a connection between the relationship and the employee’s tortious misconduct. As no such relationship existed on the facts of this case, the Court held that there was no basis to render the defendant vicariously liable.

Proposed extension of the tort too “radical”

The plaintiffs also argued that the extension of the tort of intrusion upon seclusion from the actual intruder to entities that fail to adequately protect information in their possession would be a fully justified and incremental development in the law. However, the Court disagreed and held that such an extension would “radically reconfigure” the boundary between the defendant’s liability for the tortious conduct of third parties, and the defendant’s direct liability for its own actions.

The Court rejected the plaintiffs’ submission that the remedies available for breach of contract, negligence, or breach of statute claims are inadequate. While noting that the inability to claim moral damages may negatively impact the plaintiffs’ ability to certify the claim as a class proceeding, the Court ultimately held that a procedural consequence “does not constitute the absence of a remedy”.

Key Takeaways

  • The tort of intrusion upon seclusion does not extend to defendants who, like the Database Defendants in the Trilogy cases, have been subject to a cyberattack by a third-party hacker. Rather, the trilogy of cases reinforces that the ambit of the tort is meant to be narrow and apply to cases where the defendant deliberately invades or intrudes upon a plaintiff’s privacy.
  • Courts will not find defendants vicariously liable for enabling a hacker’s intrusion upon seclusion absent the requisite relationship that may give rise to such liability.
  • However, depending on the circumstances, defendants in a similar position to the Database Defendants in the Trilogy cases may still be liable, on any of a number of different legal bases, following a data breach. Specifically, the law may impose liability where the plaintiff can establish that the defendant had an obligation at tort, under contract or statute, to protect the private information in its database and failed to do so, causing economic harm to the plaintiffs.
  • More broadly, the trilogy of cases highlights the Court’s willingness to screen out unmeritorious claims at an early stage and may diminish the prospects of moral damages awards in privacy breach class actions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
