The Tort of Inclusion upon Seclusion: Implications and Recommendations for Canadian Businesses from a Legal Risk Management Perspective

Upload: hoangkhue

Post on 20-Apr-2018

Abstract

The Canadian Charter of Rights and Freedoms is denoted as the basis for privacy

expectations. Reasonable expectations of privacy for Canadians and organizations

are more specifically outlined in sections 7 and 8 of the Charter1. The sections are

inclusive of many areas of political and civil rights, with privacy rights, including life,

liberty and security, often being the most socially acknowledged2,3. Public concerns

over privacy have heightened as technology and social media continue to merge into

daily living. Although the Charter has implied privacy as a fundamental societal

value4, the term is not clearly defined within the document itself and is often

considered a subjective term. The ambiguity of the term has thereby led to

unintended developments and variations in Canadian courts. The Personal Information

Protection and Electronic Documents Act (PIPEDA) was one of the first statutes to

recognize the issue of privacy policies for organizations. However, this was not

efficient in establishing rights for individuals, which led to the eventual recognition

of the common law privacy tort of intrusion upon seclusion. This tort is now widely

used for protection of individual privacy, but it has significant implications for

organizations, which build their privacy policies around consumer/individual privacy.

As such, the implications of this most recent privacy tort, in addition to the

1 Canada, The Department of Justice Canada, Constitution Acts, 1867 to 1982 (Ottawa: The

Department of Justice Canada, 2015) <http://laws-lois.justice.gc.ca/eng/Const/page-15.html> accessed 10 April 2015.

2 Ibid.

3 Ibid.

4 Rosenberg, JA, “Twenty-Five Years Later: The impact of the Canadian Charter of Rights and

Freedoms on the Criminal Law” (2009) 45:2 SCLR at para 52. <http://sclr.journals.yorku.ca/index.php/sclr/article/viewFile/34839/31643> accessed 10 April 2015.

pre-existing ambiguity of privacy in the Charter, warrant a need to provide

recommendations to Canadian organizations5. This paper will delve into three

issues brought forth by the tort of intrusion upon seclusion pertaining to Canadian

organizations, and recommendations to manage the associated legal risks.

Section I: Recognition of the Tort of Intrusion upon Seclusion by

Canadian Law

Earlier definitions of privacy were based on torts pertaining to property, trespass,

nuisance, conversion, and bailment6. However, as technological advancements

continued to pose a threat to privacy, there was greater emphasis on protection of

personal information. These changes then led to the introduction of privacy statutes7,

such as the Personal Information Protection and Electronic Documents Act

(PIPEDA). This was one of the first statutes stemming from an incrementalist

approach to help organizations create policies around utilizing consumer personal

information8,9.

PIPEDA was effective for organizations, but a gray area still existed between

organizations and individuals breaching privacy10,11. As a result, claims made to the

5 Thomas DC Bennett, “Privacy, Corrective Justice, and Incrementalism: Legal Imagination and the

Recognition of a Privacy Tort in Ontario” (2013) 59:1 McGill LJ 49 [Bennett].

6 Kelly Nicholson, “Invasion of Privacy as a Common-Law Tort”, online: Field Law Firm

<http://www.fieldlaw.com/PresentationMaterial/KRN_LimitsofthePrivate.pdf> accessed 10 April 2015.

7 Ibid.

8 The Personal Information Protection and Electronics Document Act, SC 2001, c 41, s 103.

9 Bennett, supra note 5

10 Bennett, supra note 5

Privacy Commissioner of Canada against certain individuals were not subject to

further investigation, although some Canadian provinces had privacy laws to

provide remedy to individuals12,13,14,15,16.

The issue of the invasion of personal privacy was brought forth to the Court of

Appeal for Ontario in Jones v. Tsige17, a landmark case that defined privacy laws for

individuals in the province of Ontario. The case involves two individuals, Jones and

Tsige, who were both employees at the Bank of Montreal. Tsige launched a case on

the basis of the tort of invasion of privacy18. She claimed that Jones had

intentionally accessed her personal banking activity. When Tsige had discovered the

actions of her colleague, she filed a claim on the basis of the tort invasion of

privacy19. However, her claim was not successful due to the inability of the lower

court to provide a remedy on the basis of the existing legislation of PIPEDA, which is

grounded on an individual breaching privacy, rather than the organization (i.e.,

Bank of Montreal). As a result, Jones applied for an appeal with the Court of Ontario

for Appeals. In making a decision, the Court of Appeals recognized that there were

no pre-existing common law grounds regarding the intentional intrusion of

11 Canada, The Office of The Privacy Commissioner of Canada, Information about privacy breaches

and how to respond (Ottawa: The Department of Justice Canada, 2008) at para 2 <https://www.priv.gc.ca/resource/pb-avp/pb-avp_intro_e.asp> accessed 10 April 2015.

12 Ibid.

13 The Privacy Act, RSBC 1996, c 372

14 The Privacy Act, RSS 1979, c 24

15 The Privacy Act, RSNL 1990, c 22

16 The Privacy Act, CCSM 1998 c 124

17 Jones v. Tsige, 2012 ONCA 32 (CanLII) [“Jones”]

18 Ibid., para. 10

19 Ibid., para. 10

privacy20. An evaluation of legislation, which included PIPEDA21, provincial privacy

acts22, and three privacy Charter values (i.e., personal, territorial, and information

privacy)23 was conducted.

The aforementioned case eventually led to the recognition of the common law

privacy tort of intrusion upon seclusion, which is prescribed by privacy law. The

following commentary was made in the landmark recognition24:

[65] Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society

The prima facie case for the tort of intrusion upon seclusion is established by proving

that the alleged wrongdoer intentionally and recklessly invaded the plaintiff’s privacy and in a

manner that would be considered humiliating and offensive to the reasonable

person25. Damages or proof of harm are not recognized elements of the tort and do

not affect the balance of probabilities – key differentiators between the tort and

PIPEDA.

20 Ibid., para 49

21 Ibid., para 50

22 Ibid., para 52

23 Ibid., para 31

24 Ibid., para 65

25 Ibid., para 70

Section II: Introduction to the Tort of Intrusion upon Seclusion

The tort of intrusion upon seclusion provides a remedy for individuals that PIPEDA

may not. Although this highly benefits individuals, there are consequent

implications for organizations. Since the credibility and stature of an

organization is directly proportional to its ability to satisfy consumers, involvement

in legal disputes is unfavourable because it diminishes the business’ positive image.

As such, businesses must carefully consider developing risk management plans. As a

brief summary, the following are consequences to organizations for recognition of

the tort: firstly, proof of harm is not required as an element, unlike most other

provincial statutes; in addition, there exists greater vicarious liability for employees

who misuse clients’ personal information; and lastly, there is greater accessibility to

justice via class actions that may not have been possible under PIPEDA. This report

is intended to provide a detailed perspective into each of these three issues and

offer associated recommendations from a risk management perspective.

Section III: Action without Evidence of Harm

In comparison to other privacy statutes, such as PIPEDA and PHIPA, the tort of

intrusion upon seclusion does not include the element of harm for eligibility of

compensation. Prior to the recognition of the tort, individuals commonly filed for

intrusion under PIPEDA26. Damages were only awarded if distinct harm to the

applicant was outlined. The principle of assigning damages is summarized by Justice

26 Daniel Michaluk, “New Privacy Tort”, online: Hicks Morley Hamilton Stewart Store LLP <http://hicksmorley.com/index.php?name=News&file=article&sid=1107> accessed 10 April 2015.

Zinn in Nammo v. Trans Union of Canada, where the main consideration for harm

was defined to be the “seriousness or impact of the breach on the health, welfare,

social, business or financial position of the applicant”27. The threshold for the

amount of damages awarded under this basis has been low. The maximum amount

that can be awarded is $5,000 CAD28. However, most often damages are not

adequately awarded under PIPEDA because of the difficulty in establishing the

harm.

The decision of Henry v. Bell Mobility29 outlined the issue of compensation on the

basis of PIPEDA. The case involves a customer service representative at Bell

Mobility, who had revealed Mr. Henry’s personal information to a woman insisting

she should have access to his account. The customer service representative failed to

verify the identity of the caller prior to providing personal information via inquiring

about bill charges and payment dates, cell phone plan details and frequently dialed

numbers. In addition, the representative allowed the woman to change Mr. Henry’s

personal details, which included the identification number associated with the

account and the account holder name. To the reasonable individual, this would seem

adequate evidence for remedy, specifically aggravated and punitive damages30.

However, the Court ruled that damages were to be applied in compliance with one

of the objectives of the statute and the fact that there was no evidence of harm

27 Alberta v. Alberta Union of Provincial Employees, 2012 GAA 47215 (CanLII) at para. 87

28 Kelly, Friedman, “Privacy Law Litigation in Ontario”, online: Davis Law <http://www.davis.ca/drive/uploads/2014/11/privacy-law-litigation-in-ontario-from-the-bank to-the-hospital-and-beyond_en.pdf>

29 Henry v. Bell Mobility, 2014 FC 555 (CanLII) [“Henry”]

30 Ibid., para 16

prohibited Mr. Henry from further claims. The following is noted from the Court’s

Judgment31:

[19] In considering these various factors, damages should be awarded to Mr. Henry to further the general objects of PIPEDA. However, the evidence was scant at best regarding any adverse effects on Mr. Henry’s health, welfare, social, business or financial position

If the tort of intrusion upon seclusion were to be loosely applied to the case, it is

more likely than not that further damages would have been awarded. Because

evidence is not a compulsory requirement, the distress associated with the breach

would be sufficient for consideration of damages. The basis of this reasoning is

highlighted in the decision of Jones v. Tsige, in which Justice Sharpe stated, “the law

of this province would be sadly deficient if [it] were required to send Jones away

without a legal remedy”32. The intrusion into Jones’ personal information was

sufficient for damages of $10,00033. This increases the prospect of individuals

making a claim on the basis of the tort, as the law makes such a claim easier to

establish.

In addition to the difference in the degree of evidence required, damages are

significantly higher for claims on the basis of the tort. The damages awarded under

PIPEDA do not likely compensate for legal fees and the emotional impact of the

breach. However, the maximum threshold of $20,000 for claims of the tort tends to

31 Ibid., para 19

32 Jones, supra note 16, para 69

33 Jones, supra note 16, para 90

provide a better remedy34. It is noted above that the decision of Henry v. Bell Mobility

had resulted in an award of $2,500 35, while a fairly similar breach in Jones v. Tsige,

without a lack of evidence of harm, was significantly higher at $10,000 36. The

potential of the award would further increase the incentive for individuals to make

claims against organizations, as the law now accommodates for a greater reward.

Organizations are now faced with mounting implications, as the balance of

probabilities based on the tort will typically favor the plaintiffs. Although for large

corporations, the sum of the damages may not be detrimental to their financial

position, it may be injurious to their reputation. From a risk management

perspective, and a weighing of the pros and cons of the aforementioned points, it is

typically best to avoid formal litigation. Alternative dispute resolution methods,

such as arbitration, are suggested instead.

Arbitration is a method in which a third party, referred to as the arbitrator, makes a

binding, non-biased ruling 37. This method is ideal for parties who are unable to

reach a mutually agreeable consensus to resolve the dispute. This alternative

dispute resolution strategy is seen in privacy breaches, where the plaintiff is in

distress as a result of the defendant’s actions and is unwilling to negotiate.

Arbitration is recommended, as opposed to formal litigation, because the degree of

privacy is much greater. For example, organizations can benefit from creating an

34 Dana Schindelka, “The Tort of Intrusion upon Seclusion”, online: Davis Law

<http://www.davis.ca/uploads/publications/the-tort-of-intrusion-upon-seclusion> accessed 10 April 2015

35 Henry, supra note 27, para 25

36 Jones, supra note 16, para 90

37 Dorothy Duplessis et al., eds, Canadian Business and the law, (NY: Nelson College, 2013).

agreement between the plaintiff and arbitrator to ensure absolute privacy and

confidentiality. The general public would not be exposed to the breach, preserving

the reputation of the company38. It also protects the company from market

reactions, including reduction in sales, greater employee turnover and decrease in

stock price, as was seen after a litigation involving Home Depot.39 Furthermore,

arbitration may result in the use of fewer resources, such as time and human

resources, when compared to typical litigation cases. This is not a prime concern for

larger organizations, which typically have a legal department to handle such

strenuous disputes, but rather for organizations that may be constrained in their

resource capacity. Depending on the geographical location, a claim in the Small

Claims Court can take up to six months.25 On the other hand, an arbitration hearing

can occur within a few weeks and also occurs at the convenience of the parties.

However, before definitively selecting arbitration as a course of action to resolve

a legal matter, organizations should weigh the benefits and costs of partaking in

litigation.

It is highly evident that a plaintiff would have a greater incentive in using the tort as

a basis for commencing legal action. Looser evidentiary requirements under the tort

provide the plaintiff with a greater degree of flexibility when attempting to justify

their case. This may result in a greater damage award. As such, it is essential for

38 Jim McCartney, “Are Arbitrations Private and Confidential?”, online: ADR Institute of Canada Inc. <

http://www.adrcanada.ca/resources/documents/McCartney_Jim_AreArbitrationsPrivateandConfidential_000.pdf> accessed 10 April 2015

39 Richard Blackwell, “Home Depot breach prompts class action”, The Globe and Mail (18 Sept 2014) online: < http://www.theglobeandmail.com/report-on-business/data-breach-spurs-lawsuit-on-behalf-of-home-depots-canadian-customers/article20664105/>.

businesses to resolve the dispute prior to the plaintiff commencing litigation to

avoid high costs and potential harm to the reputation of the business.

Section IV: Greater Shift towards Vicarious Liability

As employers are more prone to being involved in the tort of intentional intrusion,

the issue of vicarious liability must be addressed. Vicarious liability is defined as the

“legal liability imposed on one person for torts or crimes committed by another,

usually an employee”40.

An employer is liable if the employee’s conduct is within the course of the

employment, whether it is an authorized, or unauthorized, mode of

performing their work-related duties41. According to the Ontario

Superior Court of Justice, the recognition of the intrusion upon seclusion tort can

now potentially hold employers liable for breach of privacy laws by their

employees42. The application of vicarious liability is based on the following:

1. “opportunity that the employer afforded the employee to abuse power;
2. extent to which the wrongful act may have furthered the employer’s aims
3. extent to which the wrongful act was related to friction, confrontation or intimacy inherent in the employer’s enterprise;
4. the extent of power conferred on the employee in relation to the victim; and,
5. the vulnerability of the potential victim to the wrongful exercise of the employee’s power” 43

40 Christine Carron, Pamela Sidey, Randy Sutton, “Privacy class action for tort of intrusion upon

seclusion certified in Ontario”, online: Norton Rose Fulbright <http://www.nortonrosefulbright.com/knowledge/publications/117697/privacy-class-action-for-tort-of-intrusion-upon-seclusion-certified-in-ontario>.

41 Dorothy Duplessis et al., eds, Canadian Business and the law, (NY: Nelson College, 2013).

42 Evans v. The Bank of Nova Scotia, 2014 ONSC 2135 (CanLII) [“Evans”]

43 Ibid.

A significant case that highlights the application of these factors in establishing

vicarious liability is Evans v. Bank of Nova Scotia44, which was a certified class action.

Richard Wilson was employed as a manager at the Bank of Nova Scotia. During the

course of his employment, he intentionally accessed the personal information of

more than 643 clients. He shared this information with his partner, who then

further circulated it to third parties. The Bank began to investigate further as the

number of customer files accessed by Wilson had become increasingly copious.

Once the investigation was completed, the Bank notified all affected individuals and

offered complimentary protection programs. However, 138 of the individuals later

notified the Bank that they had been victims of identity theft or fraud. The affected

parties filed to certify as a class action. The case was made on the basis of

negligence, breach of fiduciary duty, breach of good faith, and intrusion upon

seclusion45.

The Bank had opposed the motion for certification and stated the following:

[6] The Bank cannot be held vicariously liable for the tort of intrusion upon seclusion for a deliberate breach of customers’ privacy rights by one of its employees 46

The Court justified Wilson’s tort on the basis of the decision of Jones v. Tsige. The

following statement was made:

[23] The plaintiffs have pleaded, and the Bank has acknowledged, a complete lack of oversight by the Bank of its employees, including Wilson, with regard to improper access to personal and financial customer information. While the Bank itself was not directly involved in the improper access of customer information, vicarious liability “is strict, and does not

44 Evans, supra note 40

45 Evans, supra note 40, para 7a

46 Ibid., para 6a

require any misconduct on the part of the person who is subject to it” 47

An application of the vicarious liability factors demonstrates that the Bank had

created the opportunity for Wilson to access the personal information as a result of

improper monitoring practices. Furthermore, the Bank failed to extend the scope of

its security practices to Wilson. The power conferred on Wilson was not clearly

defined, as he was not restricted from accessing personal client

information. Finally, there is a great deal of vulnerability of the victims to the

wrongful exercise of Wilson’s power.

As the tort increases the risk of organizations being held vicariously liable, it is

essential to develop practices from a risk management perspective. One

recommendation is the revision of internal privacy policies. Organizations will

highly benefit from the limited use of ambiguous terms, as this ensures employees

are well aware of expectations. For example, according to the privacy policy of the

General Bank of Canada, “employees are given limited access to customer

information in so far as their duties require”48. The Privacy Principles stated on the

Royal Bank of Canada’s client webpage do not address limited access, but are more

general guidelines that state their information will be protected; there is no

mention of specific employee guidelines49. Furthermore, organizations can benefit

from strict-access programs that prohibit employees from accessing information of

individuals who are not a part of their clientele, consumer, or patient base. This

47 Ibid., para 49

48 “Privacy Policy”, online: The General Bank of Canada <https://www.generalbank.ca/privacy_policy.html> accessed 10 April 2015

49 “Our Privacy Principles”, online: The Royal Bank of Canada <http://www.rbc.com/privacysecurity/ca/our-privacy-principles.html> accessed 10 April 2015

gives employees the notion that they are “leaving their footprint”. As an example,

consider eHealth Ontario’s Patient Results Online application50. In order to

download files from the server, the healthcare professional must indicate the reason

for retrieval, which electronically gets associated with the professional’s username.

Hardcopy materials of information accessed through the database will indicate the

username of the individual who had downloaded the information, which increases

responsible practices when accessing private data. Therefore, from a risk

management perspective, it is highly essential for organizations to incorporate the

aforementioned practices to reduce the likelihood of breach by employees.

Section V: Greater Accessibility to Justice via Class Action

Organizations storing high volumes of personal data that can be easily accessed by

employees are becoming certified in class actions at an increasing rate51. Individuals

who are making privacy breach claims for a modest amount of recovery (e.g.,

$1,000) will typically choose not to pursue a lawsuit because of the costs associated

with litigation. However, if two or more individuals feel that a breach has been

committed by an organization, the incentive to pursue class action is greater

because costs and resources can be split amongst the individuals. In addition, prior

to the recognition of the tort, individuals making claims against organizations had

limited recourse. They had to rely on statutes such as PIPEDA, for which proof of

50 Ontario, eHealth Ontario, Health Care Provider Guide (Toronto: eHealth Ontario, 2014) at s7

51 Teresa Scassa, “Class Action Law Suits for Privacy Breaches in Canada: A Useful Tool in a Half-Full

Toolbox?” online: Teresa Scassa LLP <http://www.teresascassa.ca/index.php?option=com_k2&view=item&id=176:class-action-law-suits-for-privacy-breaches-in-canada-a-useful-tool-in-a-half-full-toolbox?&Itemid=80?> accessed 10 April 2015

damages was required. However, the tort does not require proof of damage and

generally, almost any affected party is able to take part in a class action claim (i.e.,

tort on the basis of this element increases the likelihood of becoming certified). As

such, Ontario Courts find it preferable to certify class actions because the

aggregation of the individuals facing privacy breaches enhances the access to justice

that may not have been otherwise possible.

A noteworthy case that highlights the aforementioned argument is Hopkins v. Kay52,

a certified federal class action. The Plaintiffs in the case are patients whose privacy

rights were violated when employees of Peterborough Hospital accessed medical

records without consent. The Defendant argued that the case was based on a statute

similar to PIPEDA but pertaining to medical records (PHIPA), and therefore did not

qualify as a class action53. However, the recognition of the tort of intrusion upon

seclusion within the Court of Appeals of Ontario allowed the individuals to pursue

the class action suit. It is likely now that the large scope of this case will be injurious

to the reputation of the hospital, which may also incur a financial loss.

Although the cited class action was pertaining to the public sector, the same

ideology can be applied to private sector organizations that store large amounts of

personal information.

The increased probability of a class action suit creates a need for organizations to

track breaches on a large scale. One efficient way to address this issue is through

strict internal auditing. The objective of an audit plan is to ensure that employees

52 Hopkins v. Kay, 2014 ONSC 321 (CanLII) [“Hopkins”]

53 Hopkins, supra 50, para 5

are in compliance with the preset standards. Employee activity is monitored to

verify that only personal information within the scope of their role and

responsibilities is accessed. The healthcare industry is exemplary in highlighting the

necessity of audit plans. A study showed that out of 24 Ontario hospitals, 3 do not

have an internal audit process in place and 1 uses a paper-based system (i.e.,

prohibiting it from conducting an electronic analysis)54. Furthermore, the

frequencies of the investigations highly differ. Almost half of the hospitals conduct

an audit every three months, two conduct one every four months, six do not have a

set frequency, and only four conduct one every week. The dormant nature of the

audits has led to more than 14,000 reported breaches over the past fiscal year. If

there were requirements as per PHIPA, it is more likely than not there would be

fewer privacy issues. Although this example is pertaining to the public sector, a

similar ideology can be applied to corporations that store large amounts of personal

data. The enforcement of a strict auditing policy reduces the likelihood of abrupt

crises involving a large number of individuals and allows for the identification of

employees or departments abusing their power.

54 Olivia Carville, “Hundreds of hospital privacy violations go unreported”, The Toronto Star (13 Jan 2015) online: <http://www.thestar.com/life/health_wellness/2015/01/13/hundreds_of_hospital_privacy_violations_go_unreported.html>

Conclusion

The recognition of the tort of intrusion upon seclusion is the result of incremental

change towards privacy rights in Ontario. It is highly beneficial to individuals

making claims for intentional intrusion, which may otherwise be overlooked on the

basis of PIPEDA. Its applicability also extends to businesses that may use it as a basis

of claims. However, organizational entities should focus on using it to reevaluate

their current policies and practices instead. Failure to take such actions may lead to

involvement in litigation, which is injurious from a financial and reputational

standpoint. It is recommended organizations employ the following risk

management techniques to minimize the impact of the tort of intrusion upon

seclusion:

Revision of privacy policies by limiting the use of ambiguous terms and creating clarity; this ensures employees have a good understanding of their limitations;

implementation of strict-access programs; this gives employees the notion they are “leaving their footprint”;

routinely auditing as opposed to performing a check annually; this eliminates abrupt crises and identifies employees with atypical activity; and

consideration of alternative dispute resolution methods if litigation is likely.

These recommendations cumulatively strengthen the position of the business from

a legal risk management perspective. It is advised that businesses routinely monitor

changes in the legal environment, as the tort of intrusion upon seclusion may be a

mere framework for the recognition and development of further privacy rights55.

55 Lesley Dolding & Richard Mullender, “Tort Law, Incrementalism, and the House of Lords” (1996)

sec 47 at para 1. Note that although this is referring to the incremental changes in tort law within the context of jurisdictions in the United States, a similar ideology can be applied to the Canadian legal environment. The tort of intrusion upon seclusion is based on the same principles as the

Second Restatement of Torts in the United States. There is also parallelism evident in the privacy laws between the United States and Canada, leading to a very vague statement of the tort as a mere framework for the development of future privacy laws (as was seen in the United States).