Overview of Jones v. Tsige
In the case of Jones v. Tsige, the Ontario Court of Appeal confirmed the existence of a tort of intrusion upon seclusion, a civil action for damages for invasion of privacy, at common law in Ontario. This decision stemmed from an incident in which Ms. Tsige, who was involved with Ms. Jones’ former husband, accessed Ms. Jones’ personal bank accounts 174 times over a four year period without Ms. Jones’ knowledge.
The court stated that this tort has three specific elements: (i) the defendant’s conduct must be intentional or reckless (the state of mind requirement); (ii) the defendant must invade, without lawful justification, the plaintiff’s private affairs (the conduct requirement); and (iii) a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish (the consequence requirement). Invasions of privacy that would meet this reasonable person standard include: a ccess to information pertaining to one’s finances, place of employment, or health; access to information pertaining to one’s sexual practices and orientation; and, access to a diary or private correspondence. (A subjective sensitivity or concern about one’s privacy would not be sufficient.)
The court also noted that while proof of harm to a recognized economic interest is not an element of the cause of action, damages in cases of intrusion upon seclusion are generally described as “symbolic damages,” meant to recognize the harm caused to the plaintiff’s dignity and autonomy.
The Case of Owsianik v. Equifax Canada Co.
In the case of Owsianik v. Equifax Canada Co., the Ontario Court of Appeal was asked to consider an appeal by Owsianik, who sought certification for an intrusion upon seclusion claim against Equifax Canada Co. and Equifax Inc. (collectively referred to as Equifax). Equifax is a credit reporting and credit protection company that operates worldwide and collects and aggregates financial and other information about millions of individuals and corporate entities.
The lawsuit originated from a data breach that took place in 2017, during which hackers got unauthorized access to sensitive financial information stored in Equifax’s database. This information included credit card numbers, Social Security numbers, and more. These details included people’s names, social security numbers, dates of birth, residences, driver’s license numbers, credit card numbers, email addresses, and passwords for their email accounts. In September 2017, Equifax disclosed the data breach to the public.
Owsianik alleged that Equifax’s failure to take appropriate steps to guard against this unauthorized access constituted an intentional or reckless intrusion upon her privacy. However, the court found that Equifax’s conduct could not be considered an invasion of, or an intrusion upon, the plaintiff’s privacy interests. The wrong done by Equifax arose out of its failure to meet its obligations to protect the privacy interests of its customers, rather than any direct invasion of privacy. In point of fact, the primary complaint levelled against Equifax was that the company did not adequately protect the information that it was obligated to protect.
The court also pointed out that if it were to impose extended liability on Equifax for the tortious conduct of the unknown hackers rather than for its failure to prevent the hackers from accessing the information, it would create a new and potentially very broad basis for finding liability for intentional torts. A defendant could potentially be held liable for any intentional tort committed by anyone if the defendant owed a duty to the plaintiff to protect them from the conduct amounting to the intentional tort.
Important Things to Draw From Owsianik: Clarity on the State of Mind Requirement
The Court of Appeal in Owsinik provided further clarity on the first element of the tort of intrusion upon seclusion: the state of mind requirement. The prohibited state of mind, whether intention or recklessness, must exist when the defendant engages in the prohibited conduct. The state of mind must relate to the doing of the prohibited conduct. The defendant must either intend that the conduct which constitutes the intrusion will intrude upon the plaintiffs’ privacy, or the defendant must be reckless that the conduct will have that effect.
Intention is established if the defendant meant to intrude upon the privacy of the plaintiff or knew that it was a substantially certain consequence of the act which constitutes the intrusion: see Piresferreira v. Ayotte, at paras. 72-75.
Recklessness, also a subjective state of mind, refers to the realization at the time the prohibited conduct is being done that there is a risk that the conduct will intrude upon the privacy of the plaintiffs, coupled with a determination to nonetheless proceed with that conduct: see Demme v. Healthcare Insurance Reciprocal of Canada, at paras. 62-64.
Otherwise, a defendant could be liable for any intentional tort committed by anyone, if the defendant owed a duty, under contract, tort, or perhaps under statute, to the plaintiff to protect the plaintiff from the conduct amounting to the intentional tort. For example, the security guard who fell asleep on the job, recklessly allowing an assailant to assault the person who the security guard was obliged to protect, would become liable for battery. The garage operator who negligently, and with reckless disregard to the risk of theft, left the keys in a vehicle entrusted to his care, would become a thief if an opportunistic stranger stole the car from the garage parking lot. This would create a new and potentially very broad basis for a finding of liability for intentional torts.
As such, if the defendant does not engage in conduct that amounts to an invasion of privacy, the defendant’s recklessness with respect to the consequences of some other conduct, for example the storage of the information, cannot fix the defendant with liability for invading the plaintiffs’ privacy.