PIPEDA Compliance Programs
Privacy governance frameworks, policy drafting, consent architecture, and accountability structures for organizations subject to federal private-sector privacy obligations.
Read moreInformation & Data Protection
Privacy Law
Privacy n. [From Latin privatus, "set apart; not public"]
The right to control access to one's personal information and to be free from unreasonable intrusion, with remedies and obligations arising from legislation, common law, and regulatory frameworks.
Grigoras Law acts for clients across Ontario in privacy and data matters, including access-to-information requests, breach response, and disputes involving the collection, use, and disclosure of personal information. We advise on compliance and investigations, act on intrusion-upon-seclusion and related claims, and pursue targeted remedies—injunctions, takedown or de-indexing requests, and regulatory engagement—aimed at efficient, practical outcomes.
What We Do
Privacy Law
Services
PHIPA Access and Correction
Access requests, correction applications, and complaints under the Personal Health Information Protection Act for patients, custodians, and health information networks.
Read moreData Breach Response
Breach containment, mandatory notification to the OPC and affected individuals, regulator engagement, evidence preservation, and civil exposure assessment.
Read moreCross-Border Transfers
Transfer impact assessments, contractual safeguards, and cross-border data flow strategies for organizations transferring personal information outside Canada.
Read morePrivacy Complaints & IPC Appeals
Representation before the Office of the Privacy Commissioner and the Information and Privacy Commissioner of Ontario, from complaint intake through mediation and appeal.
Read morePrivacy Torts & Civil Claims
Claims for intrusion upon seclusion, public disclosure of private facts, false light publicity, and misappropriation of personality under Ontario common law.
Read moreYour Legal Team
Privacy Law
Counsel
Denis Grigoras
Counsel — Civil & Appellate Litigation
- PIPEDA compliance programs, privacy governance frameworks, and breach response strategy
- Privacy torts: intrusion upon seclusion, public disclosure of private facts, and false light
- Data breach notification obligations, regulator engagement, and evidence preservation
- Cross-border transfer impact assessments and contractual safeguards
- IPC complaints, mediation, and appeals before provincial and federal commissioners
Representative Work
Selected Privacy
Matters
- Health Information
PHIPA access complaint — IPC Ontario
Represented a client in a PHIPA-related access complaint, addressing scope, timeliness, and corrections.
- Access to Information
Freedom of information appeal — IPC Ontario
Represented a client on appeal concerning access, exemptions, and severance under applicable legislation.
- Privacy Tort
Intrusion upon seclusion — defence of civil claim
Defended an action alleging unreasonable intrusion; focused on proportional discovery and early resolution.
- Privacy Torts
False light publicity & public disclosure of private facts
Acted for a client in claims arising from alleged misuse and dissemination of personal information.
Insights & Coverage
Media & Publications
Compliance & Frameworks
Table of Contents
Understanding Privacy Law in Canada
What is Privacy Law?
Canada's privacy regime is built on a hybrid statutory and common-law model, combining federal and provincial data protection laws with judge-made torts that protect personal dignity and autonomy. The principal statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), governs private-sector organizations engaged in commercial activities across Canada, except in provinces with substantially similar legislation — namely Alberta, British Columbia, and Québec.
The Fair Information Principles (FIPs)
Each Canadian privacy law embodies the Fair Information Principles: accountability, identifying purposes, consent, limiting collection, limiting use and retention, accuracy, safeguards, openness, individual access, and challenging compliance. These principles shape how organizations collect, use, and disclose personal information in a manner consistent with what a reasonable person would consider appropriate under the circumstances.
Violations of these statutes can result in regulatory investigations, civil suits, and fines of up to $100,000 under PIPEDA. In addition to statutory enforcement, courts have recognized a suite of privacy torts — including intrusion upon seclusion and public disclosure of private facts — that provide recourse even where no legislation applies.
The Legislative Landscape
Canada's privacy framework is built on a layered and cooperative system of federal, provincial, and sector-specific privacy laws that govern how personal information is collected, used, and disclosed across the country. Together, these laws form one of the most comprehensive systems of personal information protection in the world.
While the Canadian Charter of Rights and Freedoms guarantees basic expectations of privacy under sections 7 and 8, the Charter mainly protects against state intrusion. The modern body of privacy legislation establishes clear statutory rights and obligations for private organizations, health custodians, and public institutions that handle personal information.
Public, Private, and Health Sector Privacy Laws
Canada's privacy statutes can be grouped into three main categories, each addressing a distinct sector:
01
Public Sector
Government bodies at the federal and provincial levels. Examples include the federal Privacy Act (R.S.C. 1985, c. P-21) and Ontario's Freedom of Information and Protection of Privacy Act.
02
Private Sector
Organizations engaged in commercial activity. The cornerstone is PIPEDA, which applies across most of Canada. Alberta, BC, and Québec have enacted substantially similar laws within their jurisdictions.
03
Health Sector
Patient data and health information. Ontario's Personal Health Information Protection Act (PHIPA) and Alberta's Health Information Act govern hospitals, clinics, and healthcare professionals.
Each of these frameworks sets out key requirements for collection, consent, disclosure, safeguards, accuracy, retention, and access. They also establish independent oversight bodies — Privacy Commissioners — that investigate complaints and issue recommendations or binding orders.
Federal and Provincial Interplay in Privacy Protection
Canada's privacy legislation reflects its federal constitutional structure. The federal government's authority to legislate privacy arises under its trade and commerce power, while the provinces regulate under property and civil rights. This overlap allows both levels of government to enact privacy laws that coexist. PIPEDA applies to private-sector organizations engaged in commercial activity, while Alberta's and British Columbia's Personal Information Protection Acts cover businesses operating solely within those provinces. Québec's Act Respecting the Protection of Personal Information in the Private Sector provides a similar regime under civil law principles.
Unlike the sector-based approach found in the United States, Canadian privacy law follows a comprehensive, principles-based model. Emerging provincial reforms — such as Québec's Law 25 and Ontario's modernization efforts — continue to align Canadian privacy protection with international standards like the EU's General Data Protection Regulation (GDPR). The result is a harmonized system of rules designed to ensure reasonable, transparent, and accountable handling of personal information across sectors.
Privacy Compliance for Organizations
PIPEDA Compliance Programs
Businesses operating in Canada must treat privacy compliance as a core governance issue. The Office of the Privacy Commissioner of Canada (OPC) has issued extensive guidance emphasizing layered privacy notices, context-sensitive consent, and proactive communication about data uses involving profiling or automated decision-making. Recommended measures include:
- Mapping personal data flows and identifying lawful bases for processing.
- Drafting layered privacy notices in plain language and updating them annually.
- Implementing breach response protocols aligned with the Breach of Security Safeguards Regulations (SOR/2018-64).
- Conducting privacy impact assessments for cross-border transfers and new technologies.
- Engaging with the OPC's Interpretation Bulletins on consent and accountability.
Digital Consent and Transparency in Data Practices
The notion of meaningful consent sits at the heart of Canadian privacy law. Originally designed for an era of paper records, the traditional "notice and choice" model struggles in today's complex data environment. Modern technologies — from cloud services and the Internet of Things (IoT) to algorithmic profiling — require consent mechanisms that are comprehensible, prominent, and ongoing. Recent modernization proposals to PIPEDA, set to become the Consumer Privacy Protection Act, seek to strengthen consent by requiring disclosure of automated decision logic and ensuring that individuals have real control over their personal information.
Cross-Border Data Transfers
Canadian law allows personal data to be transferred abroad for processing, provided the transferring organization ensures a comparable level of protection through contractual, technical, and procedural safeguards. While Parliament chose not to impose EU-style restrictions, the OPC expects organizations to notify individuals if their data may be processed outside Canada and to identify applicable foreign laws. Alberta's PIPA mandates explicit notice where service providers operate outside the country, whereas Québec's reformed privacy law (Law 25) requires a written assessment of privacy risks before any cross-border communication. In practice, privacy lawyers advise clients to incorporate cross-border transfer clauses, breach notification triggers, and audit rights into service agreements to ensure defensible compliance and mitigate liability exposure.
Organizational Accountability
Canadian privacy laws strive to balance individual privacy with legitimate organizational and societal interests such as fraud prevention, security, and business operations. Statutes include specific exceptions for law enforcement, contractual necessity, emergencies, and legal proceedings. The guiding standard is reasonableness: organizations must collect and use personal information only for purposes that a reasonable person would consider appropriate. This test ensures that privacy rights remain adaptable and contextual rather than absolute.
Individual Rights and Complaints
Access, Correction, and Complaints
Under the FIPs and PIPEDA's Division 1, individuals have the right to access personal information held about them, challenge its accuracy, and withdraw consent. Organizations must respond within 30 days, subject to limited exceptions. Refusals can be reviewed by the OPC or the relevant provincial commissioner. The OPC's online resources provide templates for access requests and complaints, emphasizing transparency and accountability. Repeated non-compliance can lead to naming-and-shaming reports, compliance agreements, or Federal Court orders compelling compliance and awarding damages.
PHIPA Access and Correction
Ontario's Personal Health Information Protection Act (PHIPA) provides specific rights for individuals seeking access to or correction of their personal health information. Health information custodians must respond to access requests within prescribed timelines and may only refuse access in limited circumstances, such as where disclosure would pose a serious risk to treatment or safety. Individuals who are denied access or correction may file a complaint with the Information and Privacy Commissioner of Ontario (IPC), which has authority to review custodian decisions, order compliance, and award costs in appropriate cases.
Privacy Complaints & IPC Appeals
Privacy complaints can be filed with federal or provincial privacy commissioners depending on the jurisdiction and sector involved. The complaint process typically begins with an attempt at mediation or early resolution. If unsuccessful, the matter proceeds to investigation and, where warranted, a formal report with findings and recommendations. In Ontario, individuals may appeal IPC decisions to the Divisional Court. Federal PIPEDA complaints may be taken to Federal Court where the OPC has issued a report of findings. Legal representation is strongly advised for navigating these processes, particularly where systemic issues or significant damages are at stake.
Data Breach Response and Remedies
Data Breach Response
Under PIPEDA's Breach of Security Safeguards Regulations, organizations must report breaches involving personal information to the OPC where there is a real risk of significant harm. Affected individuals must also be notified, and organizations must maintain records of all breaches, whether reportable or not. An effective breach response includes:
01
Contain and Assess
Immediately contain the breach and assess its scope — identifying what information was affected, how many individuals are involved, and how the breach occurred.
02
Notify
Report to the OPC and notify affected individuals within prescribed timelines. Provincial health information laws such as PHIPA impose similar obligations on health information custodians.
03
Document and Remediate
Document the breach and all remedial measures taken. Review security safeguards and implement corrective measures to prevent recurrence.
Coordination with legal counsel throughout this process is essential to manage regulatory engagement, assess potential claims from affected individuals, and preserve solicitor-client privilege over internal investigation materials.
Remedies and Damages
Under both statute and common law, damages for privacy violations may include:
- General damages for emotional distress and loss of dignity.
- Aggravated damages for humiliation or reputational harm arising from the manner of the breach.
- Punitive damages for malicious or high-handed conduct that warrants deterrence beyond compensation.
Courts may also issue injunctions to prevent further disclosure or order the destruction of misused data.
Jane Doe 464533 v. D., 2018 ONSC 6607
The court emphasized deterrence and expressive harm in awarding $100,000 in combined damages for the unauthorized publication of intimate images, signalling that privacy violations are not merely technical breaches but affronts to human dignity. This decision has shaped courts' approach to privacy damages across both statutory and tort-based claims, reinforcing the availability of significant non-pecuniary awards.
Litigation Strategy
Privacy litigation requires careful assessment of available causes of action, whether statutory or tort-based. Counsel should evaluate:
- Whether the matter falls under PIPEDA, provincial privacy legislation, or health information laws;
- The viability of privacy torts such as intrusion upon seclusion or public disclosure of private facts;
- The strength of evidence for proving breach, harm, and causation;
- Whether regulatory complaint processes should precede or accompany civil litigation;
- The potential for class action certification where systemic breaches affect multiple individuals.
The Supreme Court of Canada refused to enforce a forum-selection clause favouring California, citing privacy's quasi-constitutional character in Canadian law. This ruling confirms that Canadian courts assert jurisdiction over privacy claims with a real and substantial connection to Canada — even against foreign defendants — and that contractual attempts to strip individuals of Canadian privacy protections will face close scrutiny.
Privacy Torts in Canadian Law
Parallel to the statutory regime, Canadian courts have recognized a suite of common-law privacy torts following the taxonomy first proposed by William Prosser and adapted to Canadian jurisprudence. These torts fill gaps left by legislation and offer remedies for intentional intrusions and disclosures that violate personal dignity.
| Tort | Leading Case | Key Requirements | Typical Remedy |
|---|---|---|---|
| Intrusion Upon Seclusion | Jones v. Tsige, 2012 ONCA 32 | Intentional or reckless intrusion on private affairs; highly offensive to a reasonable person; no proof of economic harm required | Up to $20,000 non-pecuniary damages |
| Public Disclosure of Private Facts | Jane Doe 464533 v. D., 2018 ONSC 6607 | Publicizing truthful but intimate, non-newsworthy information; highly offensive to a reasonable person | Compensatory and aggravated damages; injunction |
| False Light | Y. (V.M.) v. G. (S.H.), 2019 ONSC 7279 | Misleading portrayal damaging reputation or dignity; not necessarily defamatory | Damages for reputational and dignitary harm |
| Appropriation of Personality | Various — Ontario, Québec, Nova Scotia | Unauthorized commercial exploitation of name, likeness, or image | Compensatory damages; accounting of profits; injunction |
| Statutory Privacy Torts | MB, SK, NL, BC Privacy Acts | Wilful and unjustified violation of privacy; defendants may raise good-faith or legal authority defences | Damages, injunctions, delivery or destruction of material |
Intrusion Upon Seclusion
The Ontario Court of Appeal formally recognized this tort where a defendant intentionally or recklessly intrudes upon another's private affairs in a way that a reasonable person would find highly offensive. No proof of economic harm is required — damages up to $20,000 are typical for non-pecuniary loss. Importantly, the tort cannot be used to sidestep defamation defences like qualified privilege, and courts will scrutinize whether the plaintiff's claim is in substance one about reputation rather than privacy.
Public Disclosure of Private Facts
The Ontario Superior Court formally recognized this tort, which arises when a defendant publicizes truthful but intimate and non-newsworthy information that would be highly offensive to a reasonable person. The plaintiff received $100,000 in combined damages for the unauthorized publication of intimate images. The court's emphasis on expressive harm and deterrence signals courts' willingness to award substantial damages to vindicate privacy rights even where the information disclosed is true.
Publicity Placing the Plaintiff in a False Light
The Ontario Superior Court adopted this tort, which protects individuals from misleading portrayals that damage reputation and dignity even where the statements are not strictly defamatory. It fills a gap between defamation and disclosure torts by addressing situations where false impressions — rather than outright false statements — are used to harm a person's standing.
Appropriation of Personality
This longstanding tort prohibits the unauthorized commercial exploitation of an individual's name, likeness, or image, protecting both economic and personal interests. It has been applied in Ontario, Québec (under civil law), and Nova Scotia to cases involving endorsements and unauthorized image use. The tort recognizes that a person's identity carries inherent value and that exploiting it without consent — whether for advertising, merchandise, or other commercial purposes — is actionable.
Statutory Privacy Torts and Remedies
Several provinces — Manitoba, Saskatchewan, Newfoundland and Labrador, and British Columbia — codify privacy torts under their respective Privacy Acts. Plaintiffs must show a wilful and unjustified violation of privacy, and defendants may rely on good-faith or legal authority defences. Remedies include damages, injunctions, and orders for the delivery or destruction of unlawfully obtained information. Courts routinely tailor remedies to the seriousness of the invasion, awarding aggravated and punitive damages where conduct is malicious or repeated.
Practical Guidance
Practical Steps for Organizations
Organizations must treat privacy compliance as a core governance issue. Recommended measures include:
- Mapping personal data flows and identifying lawful bases for processing;
- Drafting layered privacy notices in plain language and updating them annually;
- Implementing breach response protocols aligned with regulatory requirements;
- Conducting privacy impact assessments for cross-border transfers and new technologies;
- Training staff on privacy obligations and incident response procedures;
- Engaging with privacy commissioners' interpretation bulletins and guidance documents;
- Conducting regular audits of data handling practices and third-party vendors.
Practical Steps for Individuals
Individuals can enhance their privacy protection by:
- Exercising their right to access and correct personal information held by organizations;
- Filing complaints with privacy commissioners when consent or access rights are denied;
- Being vigilant about social-media privacy settings and public disclosures;
- Seeking legal advice if facing online harassment, non-consensual image sharing, or data misuse.
For those affected by data breaches or privacy torts, Canadian courts recognize both compensatory and symbolic damages. The OPC's consumer guidance pages provide tools to lodge complaints and request the removal of harmful online content.
Balancing Privacy Rights and Organizational Necessity
Canadian privacy laws strive to balance individual privacy with legitimate organizational and societal interests such as fraud prevention, security, and business operations. Statutes include specific exceptions for law enforcement, contractual necessity, emergencies, and legal proceedings. The guiding standard is reasonableness: organizations must collect and use personal information only for purposes that a reasonable person would consider appropriate.
Where disputes arise, courts and privacy commissioners apply a contextual analysis that considers the nature of the information, the purpose of collection, the reasonable expectations of individuals, and the availability of less intrusive alternatives. This balanced approach reflects Canada's commitment to protecting privacy while enabling legitimate data use that benefits society as a whole.
Common Questions
F.A.Q.
Disclaimer: The answers provided in this FAQ section are general in nature and should not be relied upon as formal legal advice. Each individual case is unique, and a separate analysis is required to address specific context and fact situations. For comprehensive guidance tailored to your situation, we welcome you to contact our expert team.
Based on Canadian law and legal precedents, specifically cases Jane Doe 464533 v. D. (N.) ("Jane Doe 2016") and Jane Doe 72511 v. N.M. ("Jane Doe 2018"), it is highly possible for you to sue someone who recorded a sexually explicit video of you without your consent, especially if it was then distributed on a large scale (such as on the internet). This could be a violation of your privacy rights, and it can potentially qualify as the tort of "Public Disclosure of Private Facts."
According to the Restatement (Second) of Torts (2010) at 652D, this tort is defined as: "One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public."
The key to this tort is the concept of publicity, meaning that the violation has been communicated on a large scale, such as through media to the public at large, rather than just to a small number of individuals. According to the judgments in both Jane Doe 2016 and Jane Doe 2018 cases, the courts recognized this tort and found the defendants liable for the non-consensual recording and public distribution of intimate, sexually explicit videos.
To establish liability for this tort, a plaintiff must prove the following:
- The defendant publicized an aspect of the plaintiff's private life;
- The plaintiff did not consent to the publication;
- The matter publicized or its publication would be highly offensive to a reasonable person; and
- The publication was not of legitimate concern to the public.
In both Jane Doe 2016 and Jane Doe 2018, the courts awarded the plaintiffs substantial damages: $50,000 for general damages, $25,000 for aggravated damages, and $25,000 in punitive damages. It's important to consult with a legal professional who can assess your situation based on the specifics of your case.
While it can be unsettling to learn that you have been secretly recorded by your employer, the legality of this act depends on a number of factors, including jurisdiction, the employer's intent, and the reason for the recording.
Under certain circumstances, it may be legally permissible for an employer to secretly record an employee, particularly if there is a reasonable suspicion of misconduct. This is especially the case in civil proceedings where the results of such surveillance can be considered relevant and admissible evidence unless there's an application of another rule of evidence that excludes it.
The case of Richardson v. Davis Wire Industries Ltd. provides an important precedent in this context. In this wrongful dismissal action, the employer had received reports that an employee was sleeping at work and used surreptitious video surveillance to investigate these allegations. At trial, the plaintiff's lawyer sought to bar the admission of the videotape, citing an invasion of privacy. The court, however, rejected the privacy argument, ruling that the video was admissible as evidence.
That being said, it's important to note that in the Richardson case, the judge expressed regret about the employer's choice to secretly videotape the employee rather than confronting him directly. This suggests that while such secret recordings might sometimes be legally permissible, they may not always be seen as the best or most ethical approach to addressing workplace issues.
However, the circumstances of each case can differ significantly, and laws can also vary by jurisdiction. If you find yourself in such a situation, it would be beneficial to consult with a qualified lawyer who can provide advice based on the specific facts of your case and your local jurisdiction's laws.
Under Canadian law, the simple answer to whether a prospective employer is allowed to Google you is "Yes." This includes Google searching, viewing your Facebook or Twitter feed, or any other form of online search about potential candidates. This is the modern equivalent of the longstanding accepted practice of asking a job candidate for letters of reference. In essence, employers are generally free to learn as much about a candidate as possible.
However, it's important to note that there are privacy-related considerations that may limit these kinds of inquiries. For instance, using British Columbia as an example, the collection, use, and disclosure of personal information retrieved from social media about a job candidate is subject to the province's privacy legislation. This includes the Freedom of Information and Protection of Privacy Act for public bodies, and the Personal Information Protection Act for private employers. Under these types of provincial legislation, employers are only entitled to collect information that a reasonable person would consider appropriate in the circumstances, and they must ensure it is accurate.
Prospective employers can legally review publicly available information about you on the internet, including your social media profiles, photos, written material, and other media, personal websites, including blogs and visual media. This information can provide a detailed glimpse into a candidate's non-work life and may influence hiring decisions.
Employers may glean certain characteristics about a candidate from their social media profiles, such as their community participation, creativity, good judgment, compassion towards public-interest, and social justice issues. Conversely, employers may also find reasons not to hire a candidate based on their social media content, such as inappropriate photos, negative comments about previous employers, illegal drug use or excessive drinking, discriminatory language or affiliations, and others. As long as these considerations are not influenced by factors that form prohibited grounds of discrimination, an employer is entitled to consider them when making a hiring decision.
However, employers should not demand access to a job candidate's social media accounts as part of the interview process. The Ontario Human Rights Commission has issued a statement warning employers that asking candidates for social media passwords may contravene the Human Rights Code provisions that prohibit discrimination arising from a written or oral form of employment application or inquiry.
Yes, Canada has laws that can protect your child against cyberbullying and potentially help prosecute individuals responsible for this behaviour. These laws encompass privacy torts, defamation, and specific anti-cyberbullying and "revenge porn" regulations.
1. Privacy Laws and Torts
Several Canadian provinces have legislation or case law that explicitly recognizes the existence of a tort of violation of privacy. This includes Ontario, British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador, each of which have Privacy Acts stating that it's a tort to willfully violate another's privacy without a claim of right. This can include eavesdropping or surveillance, which could apply to cyberbullying in certain contexts.
2. Defamation
Defamation can be another avenue to address cyberbullying, especially when false injurious statements are made online. Even if the harmful information published is true, the Ontario Privacy Commissioner (OPC) has raised concerns about these laws' limitations as a tool to address reputational harm. In Quebec, the legal framework is a little different—the information revealed to the public must not only be true or accurate; it must also be necessary to convey the content in which the public has a "legitimate interest."
3. Anti-Cyberbullying and "Revenge Porn" Laws
Canadian laws have evolved to address the increasing prevalence of cyberbullying and "revenge porn." One landmark case in this area is B. (A.) v. Bragg Communications Inc., in which the Supreme Court of Canada acknowledged the importance of protecting young people's privacy rights due to the extensive, direct, and harmful consequences of cyberbullying.
The Protecting Canadians from Online Crime Act, in force since 2014, amended the Criminal Code to introduce a new offence of non-consensual distribution of intimate images, along with complementary amendments that allow for the removal of such images from the Internet.
Several provinces have also enacted specific laws against "revenge porn" and cyberbullying, including Manitoba, Nova Scotia, Newfoundland, and Alberta. Search engines like Google, Microsoft, and Yahoo have also taken action against revenge porn by allowing victims to have it removed from search results associated with their names. You can read our Blog Post on the topic.
In summary, while there's no specific "cyberbullying" law in Canada, various elements of the Canadian legal system can be used to protect individuals, including minors, from online harassment, defamation, and violation of privacy. Always consult with a legal professional for specific guidance related to your situation.
Often, no. Consent is typically limited to the specific purpose disclosed at the time of collection. If, for example, you agreed to let a company store your data for membership verification, that does not necessarily allow them to sell or share it for targeted advertising. Courts and Privacy Commissioners examine the scope of consent carefully. If usage deviates from what you agreed to, you may have grounds for a privacy complaint or lawsuit.
Yes, organizations in Ontario can be held liable for privacy breaches committed by their employees under certain circumstances. This liability is typically addressed through the doctrine of vicarious liability, where an employer is held responsible for the actions of its employees if those actions occur in the course of their employment.
For an organization to be vicariously liable for a privacy breach, the following conditions generally need to be met:
- Employee-Employer Relationship: There must be a clear employee-employer relationship. This includes situations where the employee was acting within the scope of their employment when the breach occurred.
- Connection to Employment: The privacy breach must be sufficiently connected to the employee's duties or tasks as assigned by the employer. This means the employee's actions were related to their job responsibilities, even if those actions were unauthorized or contrary to the employer's instructions.
- Reasonable Foreseeability: It must be reasonably foreseeable that the employee's actions could result in a privacy breach. If an organization fails to implement adequate safeguards or oversight, it may increase its risk of liability.
Organizations can mitigate potential liability by implementing strong privacy policies, training employees on data protection practices, and establishing procedures for monitoring and auditing access to personal information. If a breach occurs, promptly addressing the issue and taking corrective measures can also influence the extent of liability.
If an individual believes their privacy was breached by an organization's employee, they should document the incident and consult with legal counsel to explore potential claims against the organization for intrusion upon seclusion or any other applicable legal remedies.
Generally, privacy torts are designed to protect individual interests—like personal autonomy or emotional well-being—rather than corporate identity. However, businesses sometimes pursue related claims under trademark, passing off, or breach of confidence if their brand or proprietary information is misused. In rare scenarios, a corporate representative's personal likeness might be at stake, and if so, a combined approach using privacy torts and business torts may be warranted.
Ontario courts often evaluate if the disclosed information contributes meaningfully to public understanding of a significant issue—like political corruption or public health crises. If so, news outlets might invoke the public interest defence, arguing they only revealed essential personal details and avoided sensational or irrelevant material. The threshold involves balancing the article's societal importance against the intrusion's severity. Sensational or prurient revelations with negligible public value usually fail under this defence.
Defamation generally requires a false statement harming someone's reputation. False light can involve inaccuracies or omissions that misrepresent a person's private life, causing distress or humiliation, even if it does not directly harm their standing in the community. A defamation claim focuses on reputational damage, whereas false light zeroes in on the personal affront of being portrayed in a misleading manner—even if the statements do not strictly slander or libel the plaintiff.
If the defendant disregards a court order to remove private material or stop disclosure, they risk being found in contempt of court. This can result in fines or imprisonment. Plaintiffs can return to court to report ongoing violations, potentially receiving further remedial orders. In an online context, plaintiffs may also seek assistance from platforms, hosting services, or domain registrars to remove content or block certain webpages, leveraging the court's injunctive authority.
Privacy Law
Privacy law is either built into how you operate, or it becomes a crisis.
Organizations that treat privacy as an afterthought eventually face a breach, a regulatory complaint, or a civil claim that makes the compliance cost look small. Individuals whose personal information has been collected, disclosed, or weaponized without consent have real legal remedies under PIPEDA, PHIPA, and the common law. Grigoras Law advises on both sides of that equation: building the programs and policies that reduce exposure, and litigating the claims that arise when something goes wrong.
- PIPEDA Compliance
- PHIPA Access
- Data Breach
- Privacy Torts
