By: Thomas Russell
In November of the past year, the Ontario Court of Appeal (the court of appeal) released a trio of decisions that marked an important development in Ontario privacy law: Owsianik v Equifax; Obodo v Trans Union of Canada, Inc; and Winder v Marriot International, Inc. In these three decisions, the court of appeal determined that database defendants (companies that collect and store private information) who have been subject to third-party breaches (e.g. outside hackers) cannot be held liable under the tort of intrusion upon seclusion. This is an important development for privacy law because it may leave victims without adequate legal recourse in situations of third-party breaches.
To understand the significance of these three cases, it is important to first understand the tort of intrusion upon seclusion. In 2012, the Court of Appeal first recognized the tort of intrusion upon seclusion in the case Jones v Tsige. In Jones, the defendant had repeatedly accessed private banking records of the plaintiff without legal justification but had not caused the plaintiff any additional harm as a result.
The Court of Appeal held that a plaintiff could bring an action against a defendant who infringed their privacy, even when the plaintiff could not prove any additional loss arising from that infringement; this action would be under the new tort of intrusion upon seclusion. The current test for intrusion upon seclusion requires the following:
1. The defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the conduct requirement];
2. the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and
3. a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation, or anguish [the consequence requirement].
Since Jones, this novel tort has been considered as a possible remedy where an individual’s private information has been improperly accessed a company’s database. In recent years, class actions claiming damages for intrusion upon seclusion have arisen in situations where a database defendant stored the private information of a group of plaintiffs, which was then improperly accessed by employees at the defendant’s company. However, the court had not considered cases of outside breaches by third-parties.
In these sorts of class actions, The tort of intrusion upon seclusion provides an advantage for plaintiffs where they cannot prove financial harm as a result of the intrusion on their privacy. It is an important feature of the tort of intrusion upon seclusion that proof of harm to recognized financial interests is not required.
Facts of the Cases
In the case of Owsianik, Equifax Inc., for the purposes of providing credit ratings to its customers, had collected and aggregated financial and other important information (Social Insurance Numbers, Names, Date of Birth, etc.) relating to millions of individuals. At some time in early summer of 2017, hackers, allegedly due to deficiencies in Equifax’s security system, gained access to this information.
The facts of Obodo and Winder are very similar. In Obodo, the defendant, Trans Union of Canada Inc., accumulated and stored personal information relating to millions of people and, due to alleged negligence, was subsequently hacked in a two-week period in June and July 2019. In Winder, the defendant, Marriott International Inc, stored personal information of customers in a reservation database, and due to alleged negligence, was being hacked between 2014 – 2018.
In all three cases, the plaintiffs were seeking damages for the tort of intrusion upon seclusion and seeking certification to proceed in their respective cases as a class action.  Lower court decisions for each case determined that, although each claim was novel (meaning no court had considered a claim of this sort before), the plaintiffs did not have a cause of action for the tort of intrusion upon seclusion and would not certify a class action on that basis. In all three cases, the plaintiffs appealed to the Court of Appeal, which were then considered by the Court of Appeal as a group.
The Court of Appeal Decision
Primary Argument from Owsianik
The Court of Appeal released its lead decision for the trio in Owsianik, which covered the common issues between the three cases. The Court of Appeal began by considering when a court will refuse to certify a class action for a novel claim on the basis that it does not disclose a cause of action.
The Class Proceedings Act section 5(1)(a) states that the court cannot certify a class action unless the plaintiff’s claim discloses a cause of action. This requirement is a very low threshold; a plaintiff will generally satisfy this requirement unless it is “plain and obvious” that the plaintiff’s claim cannot succeed.
However, the plaintiff argued that this does not apply to novel claims, and they should not have been denied certification on this basis. The Court of Appeal rejected the plaintiff’s argument, citing the recent Supreme Court of Canada decision, Atlantic Lottery Corp Inc v Babstock:
If a court would not recognize a novel claim when the facts as pleaded are taken to be true, the claim is plainly doomed to fail and should be struck.
Therefore, the Court of Appeal held that the “plain and obvious” threshold will apply to this case. The Court of Appeal then went on to assess whether it was “plain and obvious” that the plaintiffs did not have a cause of action for the tort of intrusion upon seclusion.
In Owsianik, the plaintiffs held that the wrong done by Equifax arose out of the company’s failure to protect the privacy interests of the plaintiffs. The Court of Appeal held that this argument ignored the first step in the test to establish the tort of intrusion upon seclusion, which requires that the defendant acted in a way which amounts to a deliberate intrusion upon the plaintiff’s private affairs or concerns. Although the plaintiffs alleged recklessness on the part of the database defendant, this did not displace the requirement for a deliberate action on the part of the defendant. Therefore, the Court of Appeal held that it was, in fact, “plain and obvious” that the plaintiffs did not have a cause of action for the tort of intrusion upon seclusion.
Finally, the Court of Appeal refused the argument of the plaintiff that the scope of the tort of intrusion upon seclusion should be expanded in this case as an “incremental development” in the common law. The Court of Appeal held that the tort of intrusion upon seclusion is an intentional tort, and that extending liability of the defendant to actions of third-party hackers would be an unacceptable change to the intentional nature of the tort.
Additional Arguments in Obodo and Winder
In the Court of Appeal’s decisions in Obodo and Winder, the Court of Appeal considered arguments in both cases which did not arise in Owsianik.
In Obodo, the plaintiff argued that since it has been accepted that the tort of intrusion upon seclusion might apply to situations of vicarious liability, specifically where an employee of a defendant intruded upon the privacy of the plaintiff, then a defendant could similarly be found vicariously liable for the intrusion of a third-party hacker. The Court of Appeal rejected this argument because it ignores the fact that vicarious liability of an employer for the actions of its employees is based on policy considerations which do not exist in the relationship between a defendant and a complete stranger.
In Winder, the plaintiff argued that the intentional intrusion upon their privacy occurred at the moment that Marriott stored their private information and failed to comply with the obligations and standards associated to protect that information. The Court of Appeal rejected this argument because it ignores the rationale for the tort of intrusion upon seclusion, which holds that individuals must be entitled to decide for themselves when, how, and to what extent personal information will be disclosed with others. Since the plaintiffs agreed to disclose to Marriott their personal information for the exact purpose it was used for by Marriott, no wrong could have occurred prior to the moment the information was accessed by a third-party hacker.
It is likely these cases will be appealed to the Supreme Court of Canada. However, until that point, this trio of decisions effectively bars victims of third-party hackers making claims against defendant databases under the tort of intrusion on seclusion.
The Court of Appeal acknowledged that the remaining available common law actions would require plaintiffs to prove financial losses from the data breach, which may impose a challenge for potential class actions to get certified. The Court of Appeal also acknowledged that the existing common law may not adequately encourage companies with databases to take the necessary steps to protect private information held under their control.
In the face of these issues with the common law, the court held that it should be the job for the legislature to now enact appropriate protections for individuals with data stored on large databases in the case of a data breach. It should be noted that, In the federal sphere, action is currently being taken. The proposed Bill C-27, now in its second reading in the house of commons, includes the new Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act. The proposed bill may allow individuals new avenues of recourse for breach of privacy.
Therefore, while victims of third-party hackers may currently be barred from pursuing class action claims against database defendants under the common law, they may expect to soon be provided new statutory protections.
For another great analysis on these decisions, check out the December 2022 article by Sudevi Mukherjee-Gothi, partner at Pallet Valo LLP.
 Owsianik v. Equifax Canada Co., 2022 ONCA 813; Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814; Winder v. Marriott International, Inc., 2022 ONCA 815.
 Jones v. Tsige, 2012 ONCA 32, 2012 CarswellOnt 274,  O.J. No. 148, 108 O.R. (3d) 241
 Ibid at para 2.
 Ibid at paras 70 – 71.
 Owsianik supra note 1 at para 54 interpreting Jones supra note 2 at para 71.
 Evans v Wilson, 2014 ONSC 2135 (bank employee gave private customer information to third-parties); Hynes v Western Regional Integrated Health Authority, 2014 NLTD 137 (unauthorized employee access of health information); Daniells v McLellan, 2017 ONSC 3466 (unauthorized employee access of private health information); MM v Family and Children’s Services of Lanark Leeds and Grenville, 2017 ONSC 7665 (Children’s Aid Society records were distributed online).
 Jones supra note 2 at para 71.
 Owsianik Supra note 1 at para 13.
 Ibid at paras 15 – 20.
 Obodo Supra Note 1 at paras 5 – 9.
 Winder supra note 1 at pars 9 – 12.
 Owsianik; Obodo; Winder supra note 1.
 Owsianik supra note 1 at paras 28 – 32; Obodo supra note 1 at para 4; Winder supra note 1 at para 4; It should be noted that in Winder the plaintiff was appealing a determination under r. 21.01(1)(b) of the Rules of Civil Procedure that there was no cause of action for the tort of intrusion upon seclusion. However, in Owsianik, the Court of Appeal holds that the same test applies for determining whether there is a cause of action under s. 5(1)(a) of the Class Proceedings Act and r. 21.01(1)(b) of the Rules of Civil Procedure.
 Owsianik supra note 1 at para 42 – 46.
 Class Proceedings Act, 1992, SO 1992, c 6, s. 5(1)(a).
 Owsianik supra note 1 at para 37.
 Atlantic lottery Corp Inc. v Babstock, 2020 SCC 19 at para 19.
 Owsianik Supra note 1 at para 51 – 52.
 Ibid at para 57 – 59.
 Ibid at para 59.
 Ibid at para 59.
 Ibid at para 62.
 Ibid at paras 65.
 Obodo supra note 1 at para 21.
 Ibid at para 25.
 Winder supra note 1 at para 14.
 Ibid at para 21.
 Ibid at para 21.
 Owsianik supra note 1 at para 80.
 Ibid at para 81.
 Ibid at para 81.