Class Actions Seek to Expand Law of Privacy Breaches
Authors
Two recently certified class action lawsuits could expand the scope of the fledgling Ontario tort of "intrusion upon seclusion"—the privacy tort first recognized by the Court of Appeal in 2012.
The two cases—Evans v. The Bank of Nova Scotia1 and Condon v. Canada2 —are notable for being, respectively, the first class action to be certified in Ontario based on the tort of "intrusion upon seclusion" and the largest class action involving a digital privacy breach in Canada. Both cases seek to extend the reach of the privacy tort by claiming that institutions are liable when their actions either directly or indirectly compromise the personal information of their clients.
In Evans, the Ontario Superior Court of Justice will be asked to determine whether an employer is vicariously liable for its employee’s deliberate theft of clients’ personal information. In Condon, the Federal Court will assess the government’s responsibility for allegedly reckless behaviour by its employees, leading to the loss of thousands of student loan records.
Both class actions seek to push the current boundaries of the tort of intrusion upon seclusion. The tort was first recognized by the Court of Appeal in 2012 in Jones v. Tsige.3 In its judgment, the Court of Appeal outlined the following three elements of the tort:
- there is an intentional or reckless intrusion on a person’s private affairs;
- there is no lawful justification for the intrusion; and
- viewed objectively, the intrusion was highly offensive or causing distress, humiliation or anguish.
Evans v. The Bank of Nova Scotia
On June 6, 2014, the Ontario Superior Court of Justice certified Evans as a class action. The claim alleges that the Bank of Nova Scotia (Bank) should be held responsible for an employee’s deliberate breach of customers’ privacy rights. In this case, a mortgage administration officer provided private financial information to his girlfriend, who then passed on the data to third parties for illegal purposes. The Bank notified 643 customers that it was possible there had been unauthorized access to their accounts; 138 of those customers later reported they were victims of fraud or identity theft.
The Court certified the class action in part on the basis that the Bank could be vicariously liable for its employee’s tort of intrusion upon seclusion if it "created the opportunity for [the employee] to abuse his power by allowing him to have unsupervised access to customers’ private information without installing any monitoring system." Although the Bank was not aware of the employee’s activities and did not benefit from the privacy breaches, the Court found that there is a "significant connection" between any risk allegedly created by the Bank and the wrongful conduct of the employee, such that the claim discloses a plausible cause of action against the Bank in vicarious liability. It should be noted that certification of the claim does not involve an assessment on the merits. Whether the Bank is indeed vicariously liable for the privacy tort will be a matter to be decided by the Court at the trial of the class action.
Condon v. Canada
On March 17, 2014, the Federal Court certified a class action related to the loss of a hard drive that contained the dates of birth, addresses, student loan balances, and Social Insurance Numbers of approximately 583,000 student loan recipients.
The claim alleges that the federal government should be held liable for the tort of intrusion upon seclusion on the basis that it failed to adequately protect personal information from a privacy breach. The plaintiffs claim that the federal government failed to comply with both encryption and information storage policies and the Treasury Secretariat and Privacy Commissioner’s recommendation to disclose the loss of sensitive data as soon as possible. On the basis of these allegations, the Court found that "it is not plain and obvious that an action based on the tort of intrusion upon seclusion would fail," and certified the class action on common questions, including pertaining to the federal government’s alleged tort of intrusion upon seclusion. Whether the federal government will be found liable for the privacy tort will be decided by the Federal Court at trial.
The Court also found that the frustration and anxiety experienced by individuals subject to such a data breach could potentially meet the threshold of "distress" required for a privacy breach claim. However, the Court found that there was no evidence to indicate the individuals affected by the hard drive loss were at increased risk of identity theft. As such, the plaintiffs’ claim for compensable damages was dismissed, leaving them to pursue nominal damages for any infringement.
New Paths Toward Privacy Breach Recovery?
The claims in the Evans and Condon class actions attempt to build on the much-analyzed but rarely applied tort of intrusion upon seclusion. Both claims attempt to extend the reach of the tort to institutions who are alleged not to have adequately protected personal information from privacy breaches. However, the claims still have a distance to travel still before the courts will have the opportunity to contribute to the jurisprudence on the tort. At this point, the plaintiffs have met only the relatively low threshold for certification: whether the pleading discloses a recognized cause of action. Statistically, both claims are more likely to settle before trial than to be heard on their merits. And the disparate nature of the class membership—some experienced identity theft and others did not in Evans; hundreds of thousands of people who may have varying entitlements to nominal damages in Condon—will make these difficult test cases for the application of an expanded privacy tort in Canada.
Nevertheless, institutions should review data security policies and practices to ensure that personal information is well protected in the face of what may be a growing trend of privacy class actions.
_________________________
1 2014 ONSC 2135 (CanLII).
2 2014 FC 250 (CanLII).
3 2012 ONCA 32 (CanLII).
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2024 by Torys LLP.
All rights reserved.