It is an ordinary practice for corporations, government agencies, and other entities to collect the personal information of their customers and personnel. When individuals agree to provide their personal information to these entities, they trust that their information will be protected and will not be shared with unauthorized third parties. Unfortunately, this data has become a big target for many hackers, leading to a vast amount of class actions against entitles who fail to protect personal data.
The tort of intrusion upon seclusion was recognized in the Ontario case Jones v. Tsige, 2012 ONCA 32. In this case, the defendant, who was an employee of a bank, repeatedly accessed the private banking records of the plaintiff without a valid reason. The court found that an intentional or reckless invasion of the private affairs of another, without lawful justification, in circumstances in which a reasonable person would regard the invasion as highly offensive and causing distress, humiliation, or anguish, was a viable lawsuit even though there wasn’t any proof of any financial loss provided.
In a recent decision, the Ontario Court of Appeal addressed whether the claim of intrusion upon seclusion is valid against entities who fail to protect personal information from hackers.
Owsianik v. Equifax Canada Co., 2022 ONCA 813
In this decision, the Ontario Court of Appeal addressed three appeals arising out of separate class actions. In each case, the plaintiffs sought to apply the tort of intrusion upon seclusion to defendants who collected and stored the personal information of others and whose failure to take adequate steps to protect that information allowed third party hackers to access and use that information. For the purposes of addressing the issues and arguments in all three cases, the court focused on one of the three class actions, Owsianik v. Equifax Canada Co.
The Ontario Court of Appeal found there was not a valid claim against Equifax for the tort of intrusion upon seclusion as the test to prove this case requires that:
- the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse;
- the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly; and
- a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish.
The court found that the lawsuit failed to meet the first branch of the test. Equifax stored, used, and accessed the personal data for commercial purposes; however, this conduct did not amount to an invasion or intrusion of the plaintiff’s private affairs or concerns and did not apply to the failure to protect customer data from security breaches.
Conclusion
While individuals may not have a claim of intrusion upon seclusion against entities, individuals do have other possible claims such as negligence for the failing to protect an individual’s privacy interests and meet the common law duty of care. They may also be liable for failure to meet their statutory and/or contractual obligations in collecting and protecting data.
If you are an individual whose personal information was unlawfully accessed by a third party, or you are an entity who is being sued for individuals’ personal information being unlawfully accessed from your database, please contact Walker Law for advice on your legal position from one of our commercial litigators.