The Tort of Intrusion upon Seclusion: Implications and Recommendations for Canadian Businesses from a Legal Risk
Management Perspective
Abstract
The Canadian Charter of Rights and Freedoms is regarded as the basis for privacy
expectations. Reasonable expectations of privacy for Canadians and organizations
are more specifically outlined in sections 7 and 8 of the Charter¹. The sections are
inclusive of many areas of political and civil rights, with privacy rights, including life,
liberty and security, often being the most socially acknowledged²,³. Public concerns
over privacy have heightened as technology and social media continue to merge into
daily living. Although the Charter has implied privacy as a fundamental societal
value⁴, the term is not clearly defined within the document itself and is often
considered a subjective term. The ambiguity of the term has thereby led to
unintended developments and variations in Canadian courts. The Personal Information
Protection and Electronic Documents Act (PIPEDA) was one of the first statutes to
recognize the issue of privacy policies for organizations. However, this was not
effective in establishing rights for individuals, which led to the eventual recognition
of the common law privacy tort of intrusion upon seclusion. This tort is now widely
used for protection of individual privacy, but it has significant implications for
organizations, which build their privacy policies around consumer/individual privacy.
As such, the implications of this most recent privacy tort, in addition to the
preexisting ambiguity of privacy in the Charter, warrant
recommendations to Canadian organizations⁵. This paper will delve into three
issues brought forth by the tort of intrusion upon seclusion pertaining to Canadian
organizations, and recommendations to manage the associated legal risks.

1 Canada, The Department of Justice Canada, Constitution Acts, 1867 to 1982 (Ottawa: The Department of Justice Canada, 2015) <http://laws-lois.justice.gc.ca/eng/Const/page-15.html> accessed 10 April 2015.
2 Ibid.
3 Ibid.
4 Rosenberg, JA, “Twenty-Five Years Later: The impact of the Canadian Charter of Rights and Freedoms on the Criminal Law” (2009) 45:2 SCLR at para 52. <http://sclr.journals.yorku.ca/index.php/sclr/article/viewFile/34839/31643> accessed 10 April 2015.
Section I: Recognition of the Tort of Intrusion upon Seclusion by
Canadian Law
Earlier definitions of privacy were based on torts pertaining to property, trespass,
nuisance, conversion, and bailment⁶. However, as technological advancements
continued to pose a threat to privacy, there was greater emphasis on protection of
personal information. These changes then led to the introduction of privacy statutes⁷,
such as the Personal Information Protection and Electronic Documents Act
(PIPEDA). This was one of the first statutes stemming from an incrementalist
approach to help organizations create policies around utilizing consumer personal
information⁸,⁹.
PIPEDA was effective for organizations, but a gray area still existed between
organizations and individuals breaching privacy¹⁰,¹¹. As a result, claims made to the
Privacy Commissioner of Canada against certain individuals were not subject to
further investigation, although some Canadian provinces had privacy laws to
provide remedy to individuals¹²,¹³,¹⁴,¹⁵,¹⁶.

5 Thomas DC Bennett, “Privacy, Corrective Justice, and Incrementalism: Legal Imagination and the Recognition of a Privacy Tort in Ontario” (2013) 59:1 McGill LJ 49 [Bennett].
6 Kelly Nicholson, “Invasion of Privacy as a Common-Law Tort”, online: Field Law Firm <http://www.fieldlaw.com/PresentationMaterial/KRN_LimitsofthePrivate.pdf> accessed 10 April 2015.
7 Ibid.
8 The Personal Information Protection and Electronic Documents Act, SC 2001, c 41, s 103.
9 Bennett, supra note 5
10 Bennett, supra note 5
The issue of the invasion of personal privacy was brought forth to the Court of
Appeal for Ontario in Jones v. Tsige¹⁷, a landmark case that defined privacy laws for
individuals in the province of Ontario. The case involves two individuals, Jones and
Tsige, who were both employees at the Bank of Montreal. Tsige launched a case on
the basis of the tort of invasion of privacy¹⁸. She claimed that Jones had
intentionally accessed her personal banking activity. When Tsige had discovered the
actions of her colleague, she filed a claim on the basis of the tort of invasion of
privacy¹⁹. However, her claim was not successful due to the inability of the lower
court to provide a remedy on the basis of the existing legislation of PIPEDA, which is
grounded on an individual breaching privacy, rather than the organization (i.e.,
Bank of Montreal). As a result, Jones applied for an appeal with the Court of Appeal
for Ontario. In making a decision, the Court of Appeal recognized that there were
no pre-existing common law grounds regarding the intentional intrusion of
privacy²⁰. An evaluation of legislation, which included PIPEDA²¹, provincial privacy
acts²², and three privacy Charter values (i.e., personal, territorial, and information
privacy)²³ was conducted.

11 Canada, The Office of The Privacy Commissioner of Canada, Information about privacy breaches and how to respond (Ottawa: The Department of Justice Canada, 2008) at para 2 <https://www.priv.gc.ca/resource/pb-avp/pb-avp_intro_e.asp> accessed 10 April 2015.
12 Ibid.
13 The Privacy Act, RSBC 1996, c 372
14 The Privacy Act, RSS 1979, c 24
15 The Privacy Act, RSNL 1990, c 22
16 The Privacy Act, CCSM 1998 c 124
17 Jones v. Tsige, 2012 ONCA 32 (CanLII) [“Jones”]
18 Ibid., para. 10
19 Ibid., para. 10
The aforementioned case eventually led to the recognition of the common law
privacy tort of intrusion upon seclusion, which is prescribed by privacy law. The
following commentary was made in the landmark recognition²⁴:

[65] Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society

The prima facie case for the tort of intrusion upon seclusion is established by proving
that the alleged wrongdoer intentionally and recklessly invaded the plaintiff’s privacy in a
manner that would be considered humiliating and offensive to the reasonable
person²⁵. Damages or proof of harm are not recognized elements of the tort and do
not affect the balance of probabilities – key differentiators between the tort and
PIPEDA.

20 Ibid., para 49
21 Ibid., para 50
22 Ibid., para 52
23 Ibid., para 31
24 Ibid., para 65
25 Ibid., para 70
Section II: Introduction to the Tort of Intrusion upon Seclusion
The tort of intrusion upon seclusion provides a remedy for individuals that PIPEDA
may not. Although this highly benefits individuals, there are consequent
implications for organizations. Since the credibility and stature of an
organization is directly proportional to its ability to satisfy consumers, involvement
in legal disputes is unfavourable because it diminishes the business’ positive image.
As such, businesses must carefully consider developing risk management plans. As a
brief summary, the following are consequences for organizations of the recognition of
the tort: firstly, proof of harm is not required as an element, unlike most other
provincial statutes; in addition, there exists greater vicarious liability for employees
who misuse clients’ personal information; and lastly, there is greater accessibility to
justice via class actions that may not have been possible under PIPEDA. This report
is intended to provide a detailed perspective into each of these three issues and
offer associated recommendations from a risk management perspective.
Section III: Action without Evidence of Harm
In comparison to other privacy statutes, such as PIPEDA and PHIPA, the tort of
intrusion upon seclusion does not include the element of harm for eligibility of
compensation. Prior to the recognition of the tort, individuals commonly filed for
intrusion under PIPEDA²⁶. Damages were only awarded if distinct harm to the
applicant was outlined. The principle of assigning damages is summarized by Justice
Zinn in Nammo v. Trans Union of Canada, where the main consideration for harm
was defined to be the “seriousness or impact of the breach on the health, welfare,
social, business or financial position of the applicant”²⁷. The threshold for the
amount of damages awarded under this basis has been low. The maximum amount
that can be awarded is $5,000 CAD²⁸. However, most often damages are not
adequately awarded under PIPEDA because of the difficulty in establishing the
harm.

26 Daniel Michaluk, “New Privacy Tort”, online: Hicks Morley Hamilton Stewart Storie LLP <http://hicksmorley.com/index.php?name=News&file=article&sid=1107> accessed 10 April 2015.
The decision of Henry v. Bell Mobility²⁹ outlined the issue of compensation on the
basis of PIPEDA. The case involves a customer service representative at Bell
Mobility, who had revealed Mr. Henry’s personal information to a woman insisting
she should have access to his account. The customer service representative failed to
verify the identity of the caller before providing personal information in response to
inquiries about bill charges and payment dates, cell phone plan details and frequently dialed
numbers. In addition, the representative allowed the woman to change Mr. Henry’s
personal details, which included the identification number associated with the
account and the account holder name. To the reasonable individual, this would seem
adequate evidence for remedy, specifically aggravated and punitive damages³⁰.
However, the Court ruled that damages were to be applied in compliance with one
of the objectives of the statute, and the fact that there was no evidence of harm
precluded Mr. Henry from further claims. The following is noted from the Court’s
Judgment³¹:

[19] In considering these various factors, damages should be awarded to Mr. Henry to further the general objects of PIPEDA. However, the evidence was scant at best regarding any adverse effects on Mr. Henry’s health, welfare, social, business or financial position

If the tort of intrusion upon seclusion were to be loosely applied to the case, it is
more likely than not that further damages would have been awarded. Because
evidence of harm is not a compulsory requirement, the distress associated with the breach
would be sufficient for consideration of damages. The basis of this reasoning is
highlighted in the decision of Jones v. Tsige, in which Justice Sharpe stated, “the law
of this province would be sadly deficient if [it] were required to send Jones away
without a legal remedy”³². The intrusion into Jones’ personal information was
sufficient for damages of $10,000³³. This increases the prospect of individuals
making a claim on the basis of the tort, as the law makes such a claim easier to
establish.

27 Alberta v. Alberta Union of Provincial Employees, 2012 GAA 47215 (CanLII) at para. 87
28 Kelly, Friedman, “Privacy Law Litigation in Ontario”, online: Davis Law <http://www.davis.ca/drive/uploads/2014/11/privacy-law-litigation-in-ontario-from-the-bank to-the-hospital-and-beyond_en.pdf>
29 Henry v. Bell Mobility, 2014 FC 555 (CanLII) [“Henry”]
30 Ibid., para 16
In addition to the difference in the degree of evidence required, damages are
significantly higher for claims on the basis of the tort. The damages awarded under
PIPEDA do not likely compensate for legal fees and the emotional impact of the
breach. However, the maximum threshold of $20,000 for claims of the tort tends to
provide a better remedy³⁴. It is noted above that the decision of Henry v. Bell Mobility
had resulted in an award of $2 500³⁵, while the award for a fairly similar breach in Jones v. Tsige,
without evidence of harm, was significantly higher at $10,000³⁶. The
potential of the award would further increase the incentive for individuals to make
claims against organizations, as the law now accommodates a greater award.

31 Ibid., para 19
32 Jones, supra note 16, para 69
33 Jones, supra note 16, para 90
Organizations are now faced with mounting implications, as the balance of
probabilities based on the tort will typically favor the plaintiffs. Although for large
corporations, the sum of the damages may not be detrimental to their financial
position, it may be injurious to their reputation. From a risk management
perspective, and a weighing of the pros and cons of the aforementioned points, it is
typically best to avoid formal litigation. Alternative dispute resolution methods,
such as arbitration, are suggested instead.
Arbitration is a method in which a third party, referred to as the arbitrator, makes a
binding, non-biased ruling³⁷. This method is ideal for parties who are unable to
reach a mutually agreeable consensus to resolve the dispute. This alternative
dispute resolution strategy is seen in privacy breaches, where the plaintiff is in
distress as a result of the defendant’s actions and is unwilling to negotiate.
Arbitration is recommended, as opposed to formal litigation, because the degree of
privacy is much greater. For example, organizations can benefit from creating an
agreement between the plaintiff and arbitrator to ensure absolute privacy and
confidentiality. The general public would not be exposed to the breach, preserving
the reputation of the company³⁸. It also protects the company from market
reactions, including reduction in sales, greater employee turnover and decrease in
stock price, as was seen after a litigation involving Home Depot.³⁹ Furthermore,
arbitration may result in the use of fewer resources, such as time and human
resources, when compared to typical litigation cases. This is not a prime concern for
larger organizations, which typically have a legal department to handle such
strenuous disputes, but rather for organizations that may be constrained in their
resource capacity. Depending on the geographical location, a claim in the Small
Claims Court can take up to six months.²⁵ On the other hand, an arbitration hearing
can occur within a few weeks and also occurs at the convenience of the parties.
However, before definitively selecting arbitration as a course of action to resolve
a legal matter, organizations should weigh the benefits and costs of partaking in
litigation.

34 Dana Schindelka, “The Tort of Intrusion upon Seclusion”, online: Davis Law <http://www.davis.ca/uploads/publications/the-tort-of-intrusion-upon-seclusion> accessed 10 April 2015
35 Henry, supra note 27, para 25
36 Jones, supra note 16, para 90
37 Dorothy Duplessis et al., eds, Canadian Business and the law, (NY: Nelson College, 2013).
It is highly evident that a plaintiff would have a greater incentive in using the tort as
a basis for commencing legal action. Looser evidentiary requirements under the tort
provide the plaintiff with a greater degree of flexibility when attempting to justify
their case. This may result in a greater damage award. As such, it is essential for
businesses to resolve the dispute prior to the plaintiff commencing litigation to
avoid high costs and potential harm to the reputation of the business.

38 Jim McCartney, “Are Arbitrations Private and Confidential?”, online: ADR Institute of Canada Inc. <http://www.adrcanada.ca/resources/documents/McCartney_Jim_AreArbitrationsPrivateandConfidential_000.pdf> accessed 10 April 2015
39 Richard Blackwell, “Home Depot breach prompts class action”, The Globe and Mail (18 Sept 2014) online: <http://www.theglobeandmail.com/report-on-business/data-breach-spurs-lawsuit-on-behalf-of-home-depots-canadian-customers/article20664105/>.
Section IV: Greater Shift towards Vicarious Liability
As employers are more prone to being involved in the tort of intentional intrusion,
the issue of vicarious liability must be addressed. Vicarious liability is defined as the
“legal liability imposed on one person for torts or crimes committed by another,
usually an employee”⁴⁰.
An employer is liable if the employee’s conduct is within the course of the
employment, whether it is an authorized, or unauthorized, mode of
performing their work-related duties⁴¹. According to the Ontario
Superior Court of Justice, the recognition of the intrusion upon seclusion tort can
now potentially hold employers liable for breach of privacy laws by their
employees⁴². The application of vicarious liability is based on the following:

1. “opportunity that the employer afforded the employee to abuse power;
2. extent to which the wrongful act may have furthered the employer’s aims
3. extent to which the wrongful act was related to friction, confrontation or intimacy inherent in the employer’s enterprise;
4. the extent of power conferred on the employee in relation to the victim; and,
5. the vulnerability of the potential victim to the wrongful exercise of the employee’s power”⁴³

40 Christine Carron, Pamela Sidey, Randy Sutton, “Privacy class action for tort of intrusion upon seclusion certified in Ontario”, online: Norton Rose Fulbright <http://www.nortonrosefulbright.com/knowledge/publications/117697/privacy-class-action-for-tort-of-intrusion-upon-seclusion-certified-in-ontario>.
41 Dorothy Duplessis et al., eds, Canadian Business and the law, (NY: Nelson College, 2013).
42 Evans v. The Bank of Nova Scotia, 2014 ONSC 2135 (CanLII) [“Evans”]
43 Ibid.
A significant case that highlights the application of these factors in establishing
vicarious liability is Evans v. Bank of Nova Scotia⁴⁴, which was a certified class action.
Richard Wilson was employed as a manager at the Bank of Nova Scotia. During the
course of his employment, he intentionally accessed the personal information of
more than 643 clients. He shared this information with his partner, who then
further circulated it to third parties. The Bank began to investigate further as the
number of customer files accessed by Wilson had become increasingly copious.
Once the investigation was completed, the Bank notified all affected individuals and
offered complimentary protection programs. However, 138 of the individuals later
notified the Bank that they had been victims of identity theft or fraud. The affected
parties filed to certify as a class action. The case was made on the basis of
negligence, breach of fiduciary duty, breach of good faith, and intrusion upon
seclusion⁴⁵.
The Bank had opposed the motion to certify and stated the following:

[6] The Bank cannot be held vicariously liable for the tort of intrusion upon seclusion for a deliberate breach of customers’ privacy rights by one of its employees⁴⁶

The Court justified Wilson’s tort on the basis of the decision of Jones v. Tsige. The
following statement was made:

[23] The plaintiffs have pleaded, and the Bank has acknowledged, a complete lack of oversight by the Bank of its employees, including Wilson, with regard to improper access to personal and financial customer information. While the Bank itself was not directly involved in the improper access of customer information, vicarious liability “is strict, and does not require any misconduct on the part of the person who is subject to it”⁴⁷

44 Evans, supra note 40
45 Evans, supra note 40, para 7a
46 Ibid., para 6a
An application of the vicarious liability factors demonstrates that the Bank had
created the opportunity for Wilson to access the personal information as a result of
improper monitoring practices. Furthermore, the Bank failed to extend the scope of
its security practices to Wilson. The power conferred on Wilson was not clearly
delimited, as he was not restricted in accessing personal client
information. Finally, there is a great deal of vulnerability of the victims to the
wrongful exercise of Wilson’s power.
As the tort increases the risk of organizations being held vicariously liable, it is
essential to develop practices from a risk management perspective. One
recommendation is the revision of internal privacy policies. Organizations will
highly benefit from the limited use of ambiguous terms, as this ensures employees
are well aware of expectations. For example, according to the privacy policy of the
General Bank of Canada, “employees are given limited access to customer
information in so far as their duties require”⁴⁸. The Privacy Principles stated on the
Royal Bank of Canada’s client webpage do not address limited access, but are more
so general guidelines that state their information will be protected; there is no
mention of specific employee guidelines⁴⁹. Furthermore, organizations can benefit
from strict-access programs that prohibit employees from accessing information of
individuals who are not a part of their clientele, consumer, or patient base. This
gives employees the notion that they are “leaving their footprint”. As an example,
consider eHealth Ontario’s Patient Results Online application⁵⁰. In order to
download files from the server, the healthcare professional must indicate the reason
for retrieval, which electronically gets associated with the professional’s username.
Hardcopy materials of information accessed through the database will indicate the
username of the individual who had downloaded the information, which increases
responsible practices when accessing private data. Therefore, from a risk
management perspective, it is highly essential for organizations to incorporate the
aforementioned practices to reduce the likelihood of breach by employees.

47 Ibid., para 49
48 “Privacy Policy”, online: The General Bank of Canada <https://www.generalbank.ca/privacy_policy.html> accessed 10 April 2015
49 “Our Privacy Principles”, online: The Royal Bank of Canada <http://www.rbc.com/privacysecurity/ca/our-privacy-principles.html> accessed 10 April 2015
Section V: Greater Accessibility to Justice via Class Action
Organizations storing high volumes of personal data that can be easily accessed by
employees are becoming defendants in certified class actions at an increasing rate⁵¹. Individuals
who are making privacy breach claims for a modest amount of recovery (e.g., $1 000)
will typically choose not to pursue a lawsuit because of the costs associated
with litigation. However, if two or more individuals feel that a breach has been
committed by an organization, the incentive to pursue class action is greater
because costs and resources can be split amongst the individuals. In addition, prior
to the recognition of the tort, individuals making claims against organizations had
limited recourse. They had to rely on statutes such as PIPEDA, for which proof of
damages was required. However, the tort does not require proof of damage and
generally, almost any affected party is able to take part in a class action claim (i.e.,
a tort claim on the basis of this element increases the likelihood of becoming certified). As
such, Ontario Courts find it preferable to certify class actions because the
aggregation of the individuals facing privacy breaches enhances the access to justice
that may not have been otherwise possible.

50 Ontario, eHealth Ontario, Health Care Provider Guide (Toronto: eHealth Ontario, 2014) at s7
51 Teresa Scassa, “Class Action Law Suits for Privacy Breaches in Canada: A Useful Tool in a Half-Full Toolbox?” online: Teresa Scassa LLP <http://www.teresascassa.ca/index.php?option=com_k2&view=item&id=176:class-action-law-suits-for-privacy-breaches-in-canada-a-useful-tool-in-a-half-full-toolbox?&Itemid=80?> accessed 10 April 2015
A noteworthy case that highlights the aforementioned argument is Hopkins v. Kay⁵²,
a certified federal class action. The Plaintiffs in the case are patients whose privacy
rights were violated when employees of Peterborough Hospital accessed medical
records without consent. The Defendant argued that the case was based on a statute
similar to PIPEDA but pertaining to medical records (PHIPA), and therefore did not
qualify as a class action⁵³. However, the recognition of the tort of intrusion upon
seclusion within the Court of Appeal for Ontario allowed the individuals to pursue
the class action suit. It is likely now that the large scope of this case will be injurious
to the reputation of the hospital, which may also incur a financial loss.
Although the cited class action was pertaining to the public sector, the same
ideology can be applied to private sector organizations that store large amounts of
personal information.
The increased probability of a class action suit creates a need for organizations to
track breaches on a large scale. One efficient way to address this issue is through
strict internal auditing. The objective of an audit plan is to ensure that employees
are in compliance with the preset standards. Employee activity is monitored to
verify that only personal information within the scope of their role and
responsibilities is accessed. The healthcare industry is exemplary in highlighting the
necessity of audit plans. A study showed that out of 24 Ontario hospitals, 3 do not
have an internal audit process in place and 1 uses a paper-based system (i.e.,
prohibiting it from conducting an electronic analysis)⁵⁴. Furthermore, the
frequencies of the investigations highly differ. Almost half of the hospitals conduct
an audit every three months, two conduct one every four months, six do not have a
set frequency, and only four conduct one every week. The infrequent nature of the
audits has led to more than 14,000 reported breaches over the past fiscal year. If
there were requirements as per PHIPA, it is more likely than not there would be
fewer privacy issues. Although this example is pertaining to the public sector, a
similar ideology can be applied to corporations that store large amounts of personal
data. The enforcement of a strict auditing policy reduces the likelihood of abrupt
crises involving large numbers of individuals and allows for the identification of
employees or departments abusing their power.

52 Hopkins v. Kay, 2014 ONSC 321 (CanLII) [“Hopkins”]
53 Hopkins, supra note 50, para 5
54 Olivia Carville, “Hundreds of hospital privacy violations go unreported”, The Toronto Star (13 Jan 2015) online: <http://www.thestar.com/life/health_wellness/2015/01/13/hundreds_of_hospital_privacy_violations_go_unreported.html>
Conclusion
The recognition of the tort of intrusion upon seclusion is the result of incremental
change towards privacy rights in Ontario. It is highly beneficial to individuals
making claims for intentional intrusion, which may otherwise be overlooked on the
basis of PIPEDA. Its applicability also extends to businesses that may use it as a basis
of claims. However, organizational entities should focus on using it to reevaluate
their current policies and practices instead. Failure to take such actions may lead to
involvement in litigation, which is injurious from a financial and reputational
standpoint. It is recommended organizations employ the following risk
management techniques to minimize the impact of the tort of intrusion upon
seclusion:
- revision of privacy policies by limiting the use of ambiguous terms and creating clarity; this ensures employees have a good understanding of their limitations;
- implementation of strict-access programs; this gives employees the notion they are “leaving their footprint”;
- routine auditing as opposed to performing a check annually; this eliminates abrupt crises and identifies employees with atypical activity; and
- consideration of alternative dispute resolution methods if litigation is likely.
These recommendations cumulatively strengthen the position of the business from
a legal risk management perspective. It is advised that businesses routinely monitor
changes in the legal environment, as the tort of intrusion upon seclusion may be a
mere framework for the recognition and development of further privacy rights⁵⁵.

55 Lesley Dolding & Richard Mullender, “Tort Law, Incrementalism, and the House of Lords” (1996) sec 47 at para 1. Note that although this is referring to the incremental changes in tort law within the context of jurisdictions in the United States, a similar ideology can be applied to the Canadian legal environment. The tort of intrusion upon seclusion is based on the same principles as the Second Restatement of Torts in the United States. There is also parallelism evident in the privacy laws between the United States and Canada, leading to a very vague statement of the tort as a mere framework for the development of future privacy laws (as was seen in the United States).