On November 25, 2022, the Ontario Court of Appeal (the Court) released a trilogy of decisions, bringing clarity as to whether the tort of intrusion upon seclusion is a viable cause of action against entities who collect personal information for commercial purposes and suffer an external, third-party cyberattack. In the leading case, Owsianik v Equifax Canada Co., 2022 ONCA 813 (Owsianik; previously reported on by the E-TIPS® Newsletter here), the Court unanimously held that the tort of intrusion upon seclusion was not a viable cause of action against a defendant who fell victim to a cyberattack, nor could such a claim arise on the basis of the defendant’s alleged failure to prevent the cyberattack.
Each of Owsianik, Obodo v TransUnion of Canada, Inc., 2022 ONCA 814 (Obodo), and Winder v Marriott International, Inc., 2022 ONCA 815 (Winder), was at the class action certification stage and arose from the alleged failure of the respective defendants to adequately protect the personal information they collected and stored, which was accessed by malicious third-parties without authorization. Each respective class action alleged intrusion upon seclusion among other claims.
In Owsianik, the Court found that there was no conduct on the part of Equifax Canada Co. and Equifax Inc. (collectively, the Defendants) that amounted to an intrusion because the Defendants did not unlawfully access any information, no one acted on behalf of or in consort with the Defendants to unlawfully access any information, and no one for whom the Defendants could be held vicariously liable accessed any private information.
The Court set out the test for the tort of intrusion upon seclusion from Jones v Tsige, 2012 ONCA 32, defining each requirement as:
Ms. Owsianik, on behalf of the identified class of plaintiffs, alleged that the conduct requirement was met by the Defendants’ failure to safeguard sensitive financial information and this failure constituted intentional or reckless intrusion upon seclusion. The Court disagreed with Owsianik’s allegation, explaining that the Defendants’ failure to meet its obligations to protect the class of plaintiffs’ privacy interests did not constitute conduct capable of amounting to intrusion.
The Court further explained that the state of mind requirement must exist when a defendant engages in the prohibited conduct. The Court clarified that since the Defendants did not engage in conduct that amounted to an invasion of privacy, the Defendants’ recklessness with respect to any other conduct, such as its method of storing personal information, would not suffice to meet this requirement.
The Court therefore concluded that the Defendants’ negligent storage of personal information did not amount to an intrusion upon the plaintiffs’ privacy interests in the information, noting that the Defendants’ liability, if any, would lie in its breach of a duty owed to the plaintiffs, or of contractual or statutory obligations.
In Obodo and Winder, the Court applied its findings in Owsianik to reject class certification in each case. In Obodo, the Court explained that the defendant, Trans Union of Canada, Inc., could not be held vicariously liable for intrusion upon seclusion for the actions of an independent, third-party intruder. Similarly, in Winder, the Court found that the allegation that the defendants invaded its customers’ privacy when it stored their personal information in a manner that did not reflect the representations it had made to its customers was not a basis for a viable intrusion upon seclusion claim.
Ultimately, the Court dismissed each appeal with costs.
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.