Suing for Privacy Violations

Most courts have been reluctant to award damages for privacy violations, but the tide may be turning
Suing for Privacy Violations

It has the cloying rhyme of a bad rap refrain — and a long history in American legal thought as one of four defined torts for invasion of privacy. Depending on your view, the Ontario Court of Appeal either defied or transcended Canadian legal tradition to recognize a new tort of “intrusion upon seclusion” in Jones v. Tsige.

Now the Ontario Superior Court has certified the first class action under the new tort in the case of Evans v. The Bank of Nova Scotia and also rejected a motion to quash a class-action claim in Hopkins v. Kay. In both these cases, large institutions are named as defendants by hundreds of class participants whose personal information was accessed. And the biggest privacy class to date has been certified by the Federal Court in Condon v. Canada, where a hard drive containing the student loan balances of 583,000 borrowers went missing.

While some litigators say every organization collecting the personal information of employees or customers needs to take heed and tighten controls, others predict the new tort will not survive its first encounter with the Supreme Court of Canada. Some say the Ontario Court of Appeal itself may rule against the expansion of the new tort into class actions.

“In Canadian law, there’s been a great reluctance to allow people to sue for damages that aren’t readily quantifiable,” says Toronto lawyer Michael Smith of Borden Ladner Gervais LLP (BLG). “This decision [Jones] goes against that tradition.” Historically, direct financial losses could be tallied up and ill-gotten gains could be ordered disgorged. But until Jones, hurt feelings and emotional distress had not counted for much in Canadian courts.

In Jones, the Ontario Court of Appeal (OCA) found that Bank of Montreal employee Winnie Tsige, the new girlfriend of Sandra Jones’s former husband, had electronically accessed Jones’s bank records 174 times, ostensibly to see whether Jones’s ex was paying child support.

“Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by common law … and that, since 1982 and the Charter [of Rights and Freedoms], has been recognized as a right that is integral to our social and political order,” the court said in assessing damages of $10,000 against Tsige. The tort of intrusion upon seclusion was established in Ontario if there is an invasion of private affairs without lawful justification; the invasion is intentional or reckless; and, a reasonable person would find the breach both “highly offensive,” and sufficient to cause distress, humiliation or anguish.

In creating the new tort, the OCA said the plaintiff need not prove any financial loss and that — in the absence of aggravating factors — damages should be limited to a maximum of $20,000, an amount the court deemed “symbolic.” The court added that the new tort should not be interpreted to impinge upon freedom of the press or freedom of expression.

In Evans v. The Bank, it has so far been found that 643 customer files were accessed by an employee, whose girlfriend gave information to third parties. As of June 2014, 138 of those customers had advised the bank they’d been victims of identity theft or fraud affecting their credit ratings. The Ontario Superior Court certified the class action against the bank for vicarious liability on the basis that the bank had allowed the employee unsupervised access to customer files, without any monitoring system, and that there was arguably a significant connection between the bank’s level of oversight and the conduct of the employee.

In Hopkins v. Kay, the Ontario Superior Court declined in March 2014 to quash a class action after 280 patient records of Peterborough Regional Health Centre were improperly accessed by hospital employees and distributed to third parties. The court did not certify the claim but found that it was not so plain and obvious that the claim against the hospital should be rejected.

Arrayed against this new tort, the British Columbia courts have consistently ruled, in a series of cases between 2009 and 2013, against a common law tort for breach of privacy (see Demcak v. Vo) and Alberta’s Court of Queen’s Bench has agreed (see Martin v. General Teamsters, 2011). Those courts have cited the primacy of privacy statutes and privacy commissions as part of their reasoning. But in his review of case law in Jones, Justice Sharpe wrote, “existing provincial legislation indicates that when the legislatures have acted, they have simply proclaimed a sweeping right to privacy and left the courts to define the contours of that right.”

“It’s very likely,” Smith predicts, “that, eventually, we’ll see this tort make it to the Supreme Court of Canada.” Provincial differences aside, he says, other forces pushing the issue toward the Supreme Court are the increasing frequency of theft or loss of control of personal data and the likelihood that a large class action will make it worth someone’s time and effort to challenge the OCA ruling.

Meanwhile, he says, to mitigate potential damages for vicarious liability, companies need to review data security measures, implement privacy protection policies, consider whether there’s a need to notify affected customers or employees in the event of a breach and evaluate every incident to prevent recurrence.

On a purely person-to-person level, Smith says, those seeking redress for cyber bullying might consider using this tort in cases such as hacking and dissemination of an electronic diary. He concedes that it’s a conduct typically associated with teens, and it seems very unlikely parents of a teenage defendant could be found liable in such a situation. “But I’ve learned that some teens have more assets than you might expect,” and in other cases, it might not be about the money.

“To some victims, it might be less about the damages than the acknowledgement that they’ve been wronged,” he says. “The fact that the damages are symbolic does reflect the reality that, on a certain level, this is not about the money.”

Smith’s BLG colleague, Barry Glaspell, says money is the least of the reasons he thinks the new tort should be struck down — but it’s still worth considering. After winning her case, Glaspell points out that Jones owed her lawyer $130,000, less the $10,000 court award. Jones then sued her lawyer and he counterclaimed, seeking $68,000 for unpaid fees. Ontario Superior Court found for the lawyer and awarded additional costs of $16,000 against Jones for the second lawsuit.

It all underscores the point that distress and mental anguish are not fit matters to bring before the courts, Glaspell says. “The law doesn’t correct everything by transferring a bit of money from one person to another.

“I think our judges are sufficiently busy with serious cases that they don’t need to consider cases where there’s no cause of action,” Glaspell says. “We can all agree that what happened [in Jones] was wrong, offensive, even ‘highly offensive.’ I just don’t think everything that happens to us should have a remedy in court.”

Furthermore, Glaspell says, the new common law tort intrudes upon an area already occupied by statute law (passed by legislatures), as was decided in BC and Alberta cases. If those laws need to be updated, he says, legislatures should make those decisions.

“There’s no question in my mind that this issue is going to go to the Supreme Court of Canada, at some point.” Glaspell says the Court of Appeal went seriously wrong in interpreting the Charter of Rights and Freedoms as recognizing privacy as a fundamental value worthy of protection. Additionally, he says, the Charter governs the activities of the state and does not apply to the actions of individuals.

“One can understand what was motivating the court,” he says. “It was wrong that [Tsige] was there, looking at those records.” In the end, he says, it comes down to one’s views on judicial activism, and “reasonable people can disagree.”

Justice Sharpe, in the Jones decision, appears to anticipate such objections. He cites case law to find a Charter value upholding “an independent right to privacy, held by all citizens,” and adds that “the Supreme Court has acted on several occasions to develop the common law in a manner consistent with Charter values.”

With regard to existing statutes, he says, “it would take a strained interpretation to infer from these statutes a legislative intent to supplant or halt the development of the common law in this area.” He adds that federal and provincial statutes all focus on state intrusions and have “nothing to do with private rights of action between individuals.” In conclusion, he says, “we are presented in this case with facts that cry out for a remedy…. In my view, the law of this province would be sadly deficient if we were to send Jones away without a legal remedy.”

Peter Ruby, with Goodmans LLP in Toronto, says the biggest unknown surrounding the new tort is its extension into class actions against organizations.

“I don’t view it as surprising that, in this egregious situation [in Jones], the court did what it did,” Ruby says. “This [decision] doesn’t say you get damages for hurt feelings in normal and everyday life,” he says. “In egregious circumstances, reasonable people could come to the conclusion that there should be a remedy. The more interesting question is, to what extent the employer is liable for the actions of an employee.” He notes that, in Jones, the bank was not named as a co-defendant.

“An employer doesn’t have to do anything wrong to be responsible for the actions of an employee,” Ruby says. But there has to be “a sufficient connection between a person’s job description and a misdeed.” In a privacy breach, he says, employer liability might extend to file clerks, but not janitors.

To protect themselves from potential vicarious liability, he says, employers need to have policy, supervision and training in place to prevent abuses of privacy. These should be backed by electronic access controls, such as passwords, and electronic systems monitoring, such as password tracking.

“Don’t keep what you don’t need,” and be sure deleted files are fully destroyed, he advises employers.

Catherine Beagan Flood, a privacy litigation specialist at Blake, Cassels & Graydon LLP in Toronto, says she thinks recent class actions are stretching intrusion upon seclusion to the breaking point, so much so that she expects that the Ontario Court of Appeal, which originally recognized the new tort, may well strike down its extension to class actions through vicarious liability.

“It’s important to recognize that this tort is an extremely narrow one,” Beagan Flood says. The facts in Jones, she says, fell outside all existing statute law in that they dealt with an individual acting without financial motive. In essence, Jones was about pure personal snooping for its own sake. “The Ontario Court of Appeal found this was a gap that needed to be filled.”

In Hopkins, she says, there’s an existing remedy in health privacy legislation, and in Evans the class action relies upon vicarious liability, which she calls a “significant expansion” upon Jones. Beagan Flood notes that, in his Jones decision, Justice Sharpe himself warns against expansion of the tort. “A cause of action of any wider breadth would not only over-reach what is necessary to resolve this case, but could also amount to an unmanageable legal proposition that would … breed confusion and uncertainty,” Sharpe says.

“In my view,” Beagan Flood says, “this recent trend toward class actions is creating exactly the kind of confusion that Sharpe warned against.”

Perhaps the most expansive use of the new tort to date is seen in Condon v. Canada. The Federal Court certified the class action March 17, which alleges the government failed to comply with its own encryption and storage policies and internal advice to disclose the loss. But Beagan Flood notes that no evidence has been presented to show that the lost information has been accessed by anyone, and a claim for compensable damages was dismissed.

Christine Carron, a privacy litigator with Norton Rose Fulbright Canada LLP in Montreal, says she sees the new tort as a potentially useful tool in breach of privacy cases — but only in the common-law provinces. Quebec’s Charter of Human Rights and Freedoms and statutory privacy legislation already recognize compensatory, punitive and moral damages for breach of privacy.

“There’s an evolving tendency, at least in Ontario, to recognize moral damages for breach of privacy,” and in Evans the court found that BC and Nova Scotia case law have not shut the door to this concept, Carron says. Moreover, the federal Personal Information Protection and Electronic Documents Act already allows moral damages up to $5,000 for humiliation, which may be seen as supportive of the new tort.

“It remains to be seen how far you can take that” with regard to class actions for vicarious liability and punitive damages. But she observes that the new Canadian anti-spam legislation (CASL) is definitely a form of privacy protection that provides a private right of action.

She predicts intrusion upon seclusion will combine with CASL and PIPEDA to spawn more breach-of-privacy class actions in the future.