Negligence Not Sufficient: The ONCA Narrows the Intrusion Upon Seclusion Tort in Owsianik v Equifax Canada Co

In Owsianik v Equifax Canada Co., 2022 ONCA 813 [Equifax], the Ontario Court of Appeal (“ONCA”) clarified the scope of the intrusion upon seclusion tort. In dismissing three separate appeals to certify class proceedings, the Court held that negligence leading to a third party committing intrusion upon seclusion does not itself amount to the tort (Equifax, paras 7–8).

Equifax delineates the precise contours of intrusion upon seclusion—a relatively new tort—as well as the standard to be met at the certification stage of class proceedings. The decision should not be understood as an attack on personal privacy rights. In limiting the scope of the tort to direct violations only, the Court did not extinguish individuals’ ability to seek redress for privacy violations. Rather, the Court clarified that certain grievances are better addressed using pre-existing tort frameworks such as negligence. This limitation ensures that this new and conceptually distinct tort is not improperly expanded beyond its intended scope. 

Background

In Jones v Tsige, 2012 ONCA 32 [Tsige], the ONCA recognized a new tort of intrusion upon seclusion. The Court described the elements of the tort as follows:

The key features of this cause of action are, first, that the defendant’s conduct must be intentional, within which I would […] include reckless; second, that the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized economic interest is not an element of the cause of action (Tsige, para 71, emphasis added).

In Equifax, the three appellants attempted to certify class proceedings against defendants who had negligently stored information for commercial purposes (“Database Defendants”), thereby allowing a third party of unidentified hackers to obtain that information (Equifax, paras 2–3). Their chosen cause of action was the tort of intrusion upon seclusion, as laid out in Tsige (Equifax, para 2). 

The standard for certifying class proceedings is well-settled. Pursuant to s. 5(1) of the Class Proceedings Act, 1992, SO 1992, c 6, certification requires, among other things, the pleadings to disclose a cause of action. This low threshold requirement asks whether it is “plain and obvious” that a plaintiff has disclosed no cause of action against a defendant (Equifax, para 36, citing R v Imperial Tobacco Canada Ltd., 2011 SCC 42, para 17). This is a question of law and must be answered with the assumption that the pleaded facts are true (Equifax, paras 35–36). It is not a fact-finding or interpretive exercise.

Issue

The issue before the Court in Equifax was whether to certify the class proceedings against the Database Defendants, specifically concerning the tort of intrusion upon seclusion.

Decision

The ONCA dismissed all three appeals and refused to certify the proceedings.

The Court recognized that the issue before it was novel (Equifax, para 40). It had not yet been settled whether or not the tort of intrusion upon seclusion could apply to negligent or reckless storage of information by Database Defendants (Equifax, para 40). In other words, there was no clear existence of the particular cause of action pursued by the appellants. However, relying on Atlantic Lottery Corp. Inc. v Babstock, 2020 SCC 19 [Babstock], the Court held that novel legal issues can and should be settled at the certification stage if they are purely questions of law (Equifax, paras 42, 46). In other words, it can be “plain and obvious” that there is no cause of action, even if the legal existence of the cause of action is unsettled.

The Court further noted that the uncertainty or novelty of the legal question favoured its resolution at the certification stage since, among other reasons, proceedings would otherwise expend resources and proceed toward trial without any clarity as to whether a cause of action even existed (Equifax, paras 46-48, 50). This occurred in several prior cases where cases against similar defendants were certified without resolution of the particular legal issue (see: Equifax, para 40). Since in such cases, “the trial judge would be in no better position to resolve [the] question than the motion judge,” the Court in Equifax felt it proper and even beneficial to rule on the issue at the certification stage (Equifax, paras 48–50).

In addressing the scope of intrusion upon seclusion, the Court found it plain and obvious that the Database Defendants did not commit the tort—or in other words, that there was no cause of action (Equifax, para 81). This decision hinged upon the “conduct” element of the tort, which requires the alleged tortfeasor to have invaded the plaintiff(s)’ privacy (Equifax, para 61). The Database Defendants did not themselves invade the appellants’ privacy (Equifax, paras 56–57). The Database Defendants’ negligence allowed the hackers to obtain the information, but the hackers themselves were responsible for the invasion of privacy (Equifax, paras 56–57). 

Therefore, the intrusion upon seclusion proceeding could not be certified against the Database Defendants since there was no legal cause of action.

Analysis

Certification: The Right Place to Define Legal Frameworks?

The Court’s review of the jurisprudence, including Babstock, is thorough. It is indisputable that novel legal issues can be addressed and settled at the certification stage of class proceedings. This is consistent with r. 21.01(1)(b) of Ontario’s Rules of Civil Procedure, RRO 1990, Reg. 194, which provides that, on a motion, a judge may “strike out a pleading on the ground that it discloses no reasonable cause of action or defence.” This ability to pre-determine complex issues of law is likely a manifestation of the growing concern for judicial efficiency. The Court’s understandable question in this case was: Why not address the issue presently if it could prevent the waste of time, money, and judicial resources?

In any event, plaintiffs should know that if they pursue novel causes of action via class proceedings, the existence of those causes of action may be resolved as early as the certification stage. A lack of certainty in the law will not preclude them from a finding that it is plain and obvious for the proceeding to fail. They should be prepared to make full legal argument with respect to the novel cause of action at the certification stage.

Intrusion Upon Seclusion: Intentionally Narrow

The Court took a strong stance in defending the narrowness of the intrusion upon seclusion tort, stating:

To impose liability on Equifax for the tortious conduct of the unknown hackers, as opposed to imposing liability on Equifax for its failure to prevent the hackers from accessing the information, would, in my view, create a new and potentially very broad basis for a finding of liability for intentional torts. A defendant could be liable for any intentional tort committed by anyone, if the defendant owed a duty, under contract, tort, or perhaps under statute, to the plaintiff to protect the plaintiff from the conduct amounting to the intentional tort (Equifax, para 65, emphasis added).

The Court further noted that the negligent storage of information which leads to intrusion upon seclusion, is covered by the long-standing negligence tort (Equifax, para 68). 

The Court’s assessment of the scope of the tort is sound. The decision should not be read as a rejection of remedies for those whose privacy is invaded but rather as a recognition that different tort frameworks exist for different types of conduct. To blur the line between intentional torts and negligence is to render the unique contours of each pointless. It is not that people cannot seek redress for invasions of privacy, but that in the case of database defendants, the intrusion upon seclusion tort cannot be manipulated to fit their reckless conduct. Standard negligence actions are more appropriate to handle this sort of wrongful conduct.

The ONCA did note, however, that the decision not to expand the intrusion upon seclusion tort to include database defendants could have a negative procedural impact on prospective plaintiffs (Equifax, para 80). Plaintiffs would lose the ability to claim “moral damages” against database defendants, which are available as a remedy for intentional torts, and would instead need to prove pecuniary loss (Equifax, paras 79–80). This is certainly a disadvantage, especially given that moral damages may be hard to pursue against actual hackers who are difficult to identify. Nonetheless, the Court’s point stands. The tort should not be improperly expanded such that the entire concept of intentional torts is altered to include negligent or reckless acts that are, by definition, not intentional. 

Conclusion

Equifax is a difficult decision to grapple with. Its treatment of the standard to be met at the certification stage, as well as the scope of the intrusion upon seclusion tort, is sound and based in law. Yet the decision is troubling, as it disadvantages plaintiffs who wish to seek moral damages. Ultimately, moral damages will be unavailable in any cases where hackers are unidentified, and this is likely to amount to many cases. A more comprehensive comment from the Supreme Court of Canada would be beneficial.