On July 13, 2023, the Supreme Court of Canada denied leave to appeal from three Ontario Court of Appeal decisions declining to apply the tort of intrusion upon seclusion to “database defendants” (i.e., organizations that collect and store personal information in the course of carrying on a commercial activity and whose databases are “hacked” by unauthorized third parties). The Supreme Court of Canada’s denial of leave is a significant development for database defendants, as data breach plaintiffs must now prove compensable loss to make out a claim against such defendants in connection with a breach by an unauthorized third party. This can pose a substantial challenge for plaintiffs, particularly in class actions, where the plaintiff class has not incurred sufficiently serious or compensable losses rising above everyday reasonable expenses or inconveniences.
The tort of intrusion upon seclusion is a common law breach of privacy cause of action first adopted by the Ontario Court of Appeal in 2012 in Jones v Tsige to recognize moral harm stemming from the intentional invasion of a plaintiff’s privacy. The tort has three elements:
As the tort recognizes the moral wrong, it does not require proof of pecuniary loss in order to generate an award of damages. This potential for an award of damages without proof of pecuniary loss made the tort an appealing cause of action for plaintiffs in privacy breach class actions against database defendants.
Following Jones v Tsige, there was uncertainty in Ontario’s case law concerning the application of intrusion upon seclusion to database defendants. In that context, three privacy class actions were initiated in the Ontario Superior Court, and ultimately came before the Ontario Court of Appeal in 2022: Owsianik v Equifax Canada Co. (Equifax), Obodo v Trans Union of Canada Inc. (Trans Union), and Winder v Marriott International Inc. (Marriott) (collectively the Trilogy). Bennett Jones acted for Marriott.
The Trilogy cases each involved database defendants that collected and stored some form of personal information belonging to Canadian customers including names, birth dates, addresses and/or credit or payment card information. In each case, those databases were breached by unknown and unauthorized third-party hackers. In Equifax, the plaintiff argued that Equifax committed the alleged intrusion upon seclusion by recklessly storing the personal information it had collected. In Trans Union, the plaintiff argued that Trans Union committed the alleged intrusion upon seclusion by enabling the third-party hack. And in Marriott, the plaintiff argued that Marriott committed the asserted intrusion upon seclusion when it allegedly failed to protect the information in its database in accordance with its representations and legal obligations.
In Equifax (the lead decision in the Trilogy), the Ontario Court of Appeal held that intrusion upon seclusion does not apply to database defendants because they do not commit the requisite “intrusion” identified as the first element of the tort in Jones v Tsige. Regardless of how each plaintiff tried to frame the database defendants’ alleged misconduct, the Court held that there were no facts to demonstrate that they directly committed an “intrusion”. The intentionality or recklessness of the defendants’ actions under the tort must relate to the prohibited conduct, which is the actual intrusion upon the plaintiffs’ private affairs—in each case the Court found that the intrusion was committed by the unknown and unauthorized third-party hackers, not by the database defendants. The Court also declined to expand the tort in order for it to apply to the alleged conduct of the database defendants.
In finding that the tort of intrusion upon seclusion does not apply to database defendants, the Ontario Court of Appeal reaffirmed the principles enunciated by the Supreme Court of Canada in 2020 in Atlantic Lottery Corp Inc v Babstock (Babstock) regarding the “plain and obvious” standard used to assess whether pleadings disclose a tenable cause of action and the importance of disposing of claims at an early stage if appropriate. In Babstock, the cause of action at issue was waiver of tort. The Supreme Court of Canada held that a claim will not survive an application to strike simply because it is novel; if a court would not recognize a novel claim even when the facts as pleaded are taken to be true, then the claim is plainly doomed to fail and should be struck.
In Equifax, the Ontario Court of Appeal added to the Babstock principles by holding that a court may determine the validity of a claim on a pleadings motion even where the legal question to be answered is complex, policy-laden and open to some debate. Early resolution of the legal viability of claims—particularly those plainly doomed to fail—serves judicial efficiency, enhances access to justice and promotes certainty in the law. The Court held that this approach would also minimize the unfairness arising from any legal uncertainty that could exacerbate the defendants’ potential liability and provide the plaintiffs with a “leg up” in the certification process.
The tort of intrusion upon seclusion—like the waiver of tort doctrine that came before it—was useful for plaintiffs seeking certification. Plaintiffs were able to utilize the novelty of the alleged causes of action and the courts’ reluctance to dismiss claims on the basis of motions to strike pleaded cause of actions in order to advance class proceedings by eliminating the need for individualized inquiries which degraded their ability to satisfy the commonality requirement. This strategy is now far less available to plaintiffs.
While businesses that collect and store their customers’ personal information remain subject to statutory, contractual and other legal obligations (including the tort of negligence), the Supreme Court of Canada’s denial of leave to appeal the Trilogy brings welcome certainty and predictability for these companies facing claims for moral damages under the tort of intrusion upon seclusion, if the tort is pleaded at all. The Supreme Court of Canada’s denial of leave to appeal also affirms the law, as reiterated and advanced by the Ontario Court of Appeal, that courts may (and should) resolve seemingly complex claims early in the proceeding where those claims are clearly doomed to fail—a principle that will reduce cost and uncertainty in litigation going forward.