The following was written by my friend Patrick Cruikshank, Underwriting Manager, Specialty Risk – Professional Liability at Northbridge Insurance in Toronto. Thanks to Patrick for his contribution. Relevant articles are always welcome for publication.
In the 2012 case of Jones v. Tsige, the Ontario Court of Appeal established the new tort of invasion of privacy. For some, this privacy tort has opened a Pandora’s Box. For others, it’s considered legal progress in the modern technological world.
Sandra Jones and Winnie Tsige were employees of the Bank of Montreal (BMO). They worked at different branches and did not know each other. Tsige was in an intimate relationship with Jones’ ex-husband.
Over a period of 4 years, Tsige used her workplace computer to gain access to Jones’ personally identifiable information and personal financial information 174 times. Tsige did not disseminate this information.
When Jones discovered this unauthorized access, she made a formal complaint to her employer, who upon investigation determined that Tsige had accessed Jones’ information and had no legitimate reason to do so. Jones subsequently sued Tsige for invasion of privacy and breach of fiduciary duty. She sought $70,000 in general damages plus $20,000 in punitive damages.
Jones’ claim was dismissed by the Ontario Superior Court because there was no law in Ontario that recognized an invasion of privacy tort.
The Court of Appeal overturned the decision and granted summary judgment in favor of Jones.
Court of Appeal Justice Sharpe juxtaposed American and Canadian jurisprudence, specifically the tort of intrusion upon the plaintiff’s seclusion. He also found that the Canadian Charter of Rights and Freedoms suggests that privacy is worthy of constitutional protection and integral to the relationship between individuals and society.
Justice Sharpe maintained that remedies outlined in the Personal Information Protection and Electronic Documents Act (PIPEDA) were insufficient. PIPEDA holds that a plaintiff would have to file a complaint against the transgressor’s employer, not the transgressor himself or herself. It also does not provide for damages.
“The tort includes physical intrusions into private places as well as listening or looking, with or without mechanical aids, into the plaintiff’s private affairs.” Justice Sharpe highlighted that this new tort also contemplated “other non-physical forms of investigation or examination into private concerns” and that they too may be actionable. This is an important feature in modern times of technological advancement in which personal information is routinely collected and readily available in electronic form.
The key elements of the tort are as follows:
- The defendant’s conduct must be intentional or reckless;
- The defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
- A reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.
Of critical import, proof of financial loss or economic harm was not identified as an element of the cause of action. This is a notable development in Canadian law. Previously, plaintiffs had needed to establish that information was inappropriately accessed and that they suffered resulting harm. Under Jones, plaintiffs in Canada now only need to show inappropriate access to support a claim for invasion of privacy.
Notwithstanding its three-prong test, the Appeal Court failed to detail the level of scienter required to establish recklessness. This undoubtedly will produce uncertainty until future cases define the level of knowledge and/or intent required. Still, by applying “reasonable person” and “highly offensive” standards, the third element would seemingly function to prevent an opening of the floodgates for privacy tort claims.
As to damages, Justice Sharpe fixed the upper limit at $20,000. He cited the following factors from Manitoba’s Privacy Act as a useful guide to assist in determining the quantum of damages to be awarded:
- The nature, incidence and occasion of the defendant’s wrongful act;
- The effect of the wrong on the plaintiff’s health, welfare, social, business or financial position;
- Any relationship, whether domestic or otherwise, between the parties;
- Any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and
- The conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.
Punitive and exemplary damages were not excluded from the guidelines. Still, absent exceptional circumstances, the maximum recoverable damages are $20,000. Although the $20,000 cap appears relatively low, there is concern that privacy class actions may exploit this amount in the aggregate.
In Jones, the court awarded $10,000 in damages. Although Justice Sharpe found that the defendant’s unauthorized access of the plaintiff’s information was deliberate, repetitive and caused emotional harm, there was no public embarrassment and the plaintiff did not suffer financial harm.
British Columbia’s Privacy Law Establishes a Cause of Action for Invasion of Privacy
Unlike Ontario, British Columbia courts have found that B.C.’s provincial Privacy Act established a cause of action for invasion of privacy, among others. As with the tort recognized by the Ontario Court of Appeal, the BC Privacy Act allows individuals to bring an action for damages without proof of loss, provided that the privacy breach was willful. Still, those courts did not define the scope of conduct that could constitute an invasion of privacy.
The BC tort is quite similar to Ontario’s except that such actions must be made to the BC Supreme Court. The existence of this tort in Ontario could impact BC and other jurisdictions in Canada by creating uncertainty at the Provincial Court level where rules are typically simpler and easier for an unrepresented person to bring a claim.
It is this ambiguity that frightens many. When Human Rights Tribunals in Ontario were refreshed in 2008, it had a marked impact on civil actions. Claims for discrimination and harassment, even wrongful termination, began to shift from the Courts to the Tribunals, where the rules were very relaxed. If handling of privacy breaches mirrors that of human rights issues, not only will judgments be uncertain or unbalanced, but people will be encouraged to bring more breach of privacy claims, especially if they don’t have to prove financial loss.
What has not been discussed at large are the corporate protections afforded under PIPEDA and other Privacy Acts and the role that those protections will play juxtaposed to personal liabilities. In Jones (and many expect all other comparable proceedings), the entity was protected from liability because a rogue employee caused the harm and had not been authorized to do so. In turn, as referenced earlier, PIPEDA’s remedies were found insufficient.
At this early stage of the privacy tort’s development in Ontario, its impact appears less than significant from a commercial insurance perspective. What will be interesting to monitor over the next few years is the quantum of damages courts will be willing to award as litigation inevitably evolves. Does a personal insurance (homeowners) policy respond and offer a defence? Such loss may not be excluded, except perhaps by utilizing the “intentional acts” exclusion. But as Jones demonstrates, while the court found the plaintiff’s conduct to be intentional, there was no evidence of the plaintiff’s intent to cause harm, disseminate information, etc. In such factual situations, would the “intentional acts” exclusion be found to apply? It likely would not be covered in the United States or Canada, but it will be interesting for insurers, brokers and policyholders to watch as these issues evolve.