The ability of victims of data theft in Ontario to sue organizations for failing to protect their information under a fledgling privacy right has been almost eliminated by a ruling of the province’s appeal court.
However, in a decision that will be of interest to data privacy officers, chief information security officers, chief executive officers and lawyers, the Court of Appeal also said victims still have the ability to sue for other reasons, including negligence and breach of contract.
“It’s somewhat a win for companies,” privacy lawyer Barry Sookman of the McCarthy Tetrault law firm said in an interview Wednesday.
But businesses shouldn’t necessarily be cheering. If Parliament passes the proposed private sector privacy legislation overhaul known as the Consumer Privacy Protection Act (CPPA, or Bill C-27), he pointed out, firms in provinces that come under the federal law will see a new right to sue for not protecting personal data. The CPPA gives individuals the right to sue firms for violating the CPPA if the federal privacy commissioner has made a finding of wrongdoing. Firms would still have a defence that they did everything reasonable to protect data.
The Ontario appeal court decision, released last week, involved a class action lawsuit against credit rating agency Equifax Canada following a huge 2017 data breach. Victims were trying to sue under a civil tort, or wrong, called intrusion upon seclusion — a legal way of saying intrusion upon personal privacy.
Briefly, the appeal court said this tort can’t be used for an organization’s alleged failure to prevent an intrusion by an independent third party such as a hacker. A hacker could be sued for intrusion upon seclusion — if they could be found. In essence, said Sookman, those suing Equifax Canada argued organizations would be liable for intrusion upon seclusion without having to prove liability.
Sookman’s firm wrote an analysis of the Ontario appeal court’s decision.
Not only did the court disagree in the Equifax Canada case; for the same reasons it simultaneously dismissed the use of intrusion upon seclusion in two other proposed Ontario class action data breach lawsuits: one against credit rating agency TransUnion Canada for a 2019 hack, the other against hotel chain Marriott International stemming from a 2018 hack.
Some background: A civil tort is a wrong created by a Common Law court or statute. No Canadian jurisdiction that follows the Common Law — all provinces and territories except Quebec — has created a civil right to privacy. But intrusion upon seclusion was recognized by the Ontario Court of Appeal in 2012 in a case involving a bank employee who, without authorization, repeatedly used their computer access to look up the financial records of another person. Since then, other provincial courts have recognized intrusion upon seclusion, or provinces have recognized a form of invasion of privacy. In a 2020 case the B.C. Court of Appeal expressed the wish that it had the opportunity to deal with the issue.
In a commentary on last week’s Ontario Court of Appeal decision, the Fasken Martineau DuMoulin law firm noted the 2012 ruling approving intrusion upon seclusion created a narrow and limited intentional tort intended to provide a remedy to individuals where a defendant had deliberately and significantly intruded upon a plaintiff’s private affairs.
That wasn’t the case in the Equifax Canada hack. Last week’s Court of Appeal decision made it clear, Fasken said, that anyone suing an organization for a data breach had to show that the organization itself, not a hacker, committed an intrusive or invasive act.
“The Court held that to award ‘moral damages’ against Database Defendants for what is essentially an allegation of negligence or breach of contract would run contrary to the very purposes underlying such damages, namely: to vindicate the rights infringed and to recognize the intentional harm caused by the defendant,” the commentary says.
The appeal court also notes that victims can still sue for negligence, breach of contract, and possibly other torts if they can show they suffered actual financial loss as a result of a data breach.
The Ontario decision only applies in that province, but it will be watched by courts in other Common Law provinces.
The victims suing in the Equifax, TransUnion and Marriott cases could appeal the Ontario ruling to the Supreme Court.