By: Mark Hayes, Partner, Hayes eLaw LLP
In an important, and potentially revolutionary, decision issued today in Jones v. Tsige, 2012 ONCA 32, the Ontario Court of Appeal has recognized for the first time a tort of "intrusion upon seclusion”, opening the door to a wide-ranging tort of invasion of privacy not previously recognized in any Canadian jurisdiction.
The facts of the case are not complex. Both Jones and Tsige were employees of the Bank of Montréal. Tsige became involved in a relationship with Jones' former husband and, for reasons that were not entirely clear, over a period of approximately 4 years Tsige repeatedly accessed details about Jones' personal BMO bank accounts using the BMO computer system.
Jones commenced an action against Tsige claiming damages for breach of fiduciary duty and invasion of privacy. Both parties moved for summary judgment, and an Ontario Superior Court judge dismissed Jones’ claim, finding that Tsige did not have a fiduciary duty to Jones, and that Ontario law did not recognize the tort of invasion of privacy.
On the subsequent appeal brought by Jones, the Court of Appeal set aside the dismissal of the action and awarded damages of $10,000 against Tsige. In doing so, the Court accepted into Ontario law the first arm of the American tort of invasion of privacy, summarized in the Restatement (Second) of Torts (2010) as "intrusion upon the plaintiff's seclusion or solitude, or into his private affairs", or the tort of "intrusion upon seclusion". The Court specifically did so in order to "respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form".
The Court put a number of restrictions on the scope of this new tort. The conduct of the defendant must be intentional or reckless, the plaintiff's private affairs or concerns must have been invaded without lawful justification and the invasion of privacy must be objectively regarded as highly offensive and causing distress, humiliation or anguish. The Court made it clear that it is only intrusions into very sensitive information that will be protected by this tort; examples included intrusions into financial or health records, sexual practices or orientation, employment, diary or private correspondence. Lastly, the Court made it clear that the tort of "intrusion upon seclusion" must be balanced against competing interests, most particularly freedom of expression and freedom of the press.
On the question of damages, the Court reviewed the range of damages under similar torts and under provincial invasion of privacy statutes that exist in four provinces (British Columbia, Manitoba, Saskatchewan and Newfoundland), and determined that the maximum damages that could be awarded to any individual for this new tort should be $20,000. On the facts of the case before it, the Court determined the type of tortious behavior to be in the midrange of seriousness, and awarded damages of $10,000.
Although the possibility of the recognition of a tort of invasion of privacy has been the subject of discussion and speculation for many decades, the courts in Ontario and other Canadian provinces have tended to avoid any definitive pronouncements on the existence of such a tort, largely due to the inherent difficulties in defining the limitations and contours of a tort of invasion of privacy in a way that would allow individuals and organizations to understand what uses of private information were permitted and which were prohibited. While the Court of Appeal appears to have been sensitive to such concerns, and attempted to set out the limitations on the scope of the tort in order to avoid "opening the floodgates", the judgment in Jones v. Tsige clearly demonstrates the hazards of creating new and potentially wide-ranging torts in the course of litigation between private parties. It is sufficient to mention only four of the many points that arise:
1. While the requirement that the defendant must have acted intentionally was clearly meant to ensure that claims could not be asserted for accidental or negligent "intrusion upon seclusion", permitting claims based on reckless behavior by the defendant will inevitably lead to a much wider scope of claims being asserted. This will be particularly true in respect of data breaches, where plaintiffs will inevitably allege that the security measures taken by a defendant to protect the sensitive information of the plaintiffs were so insufficient as to be reckless.
2. It is difficult to see how the objective “seriousness” standard envisioned by the Court there will be applied on a case-by-case basis. The case law which has developed under PIPEDA and other personal information privacy statutes over the past 10 years has clearly demonstrated that the sensitivity of personal information will vary from individual to individual, and is highly fact-specific. Privacy advocates routinely argue that the sensitivity of personal information must be determined with reference to the particular situation and sensitivities of the individual involved. As a result, even using an objective standard, it will often be difficult to determine whether accessing and/or disclosing information about an individual will be sufficiently egregious to attract liability for the new "intrusion upon seclusion" tort.
3. While the Court took pains to emphasize that the prohibition on “intrusions into seclusion” would in some circumstances have to yield to freedom of expression and the freedom of the press, those issues did not arise in this case and the Court was unable to provide any guidance as to how those competing rights would be balanced. This leaves great uncertainty whether and in what circumstances a wide range of legitimate activities, including those conducted by journalists, private investigators and others, will be limited or prohibited by the new tort. It will take many cases and a great deal of time to sort out all of the delicate issues that this balancing raises, and in the meantime many businesses and individuals will have to operate in an atmosphere of uncertainty.
4. Lastly, while the Court was clearly concerned about the possibility of large damages awards, and therefore made it clear that the damages in any particular case would be modest, the Court does not address potential liability that could result from class action claims on behalf of large groups of individuals who allege that their sensitive private information has been improperly accessed and/or disclosed publicly. One of the reasons why there have been few class actions pursued in Canada for alleged invasions of privacy is that no appellate court had previously stated that liability for informational invasions of privacy would be recognized, and few class action counsel were willing to take on the risk involved in prosecuting such an uncertain claim. Even with the $20,000 damages Imposed by the Court in Jones v. Tsige, many class action lawyers will now be looking more closely at invasion of privacy claims, and it is entirely possible that the floodgates that the Court attempted to bolster in its decision will be well and truly opened in the relatively near future.
Post date: January 18, 2012
By: Mark Hayes, Partner, Hayes eLaw LLP
The federal government’s new “Guideline for External Use of Web 2.0,” released on November 22, 2011, is intended to “facilitate interactive and rapid communication and engagement between government departments, their partners and their clients.” The bureaucrats, however, have missed the mark badly.
It’s remarkable how terrible this document is. We spend a lot of time working with clients to craft this type of policy, and the government has managed to do pretty much everything wrong.
The length of the guideline (over 12,000 words), the overly technical language (it is written in the absolute worst of bureaucratese and is practically unreadable) and the excessive rules and regulations (for example, every social media undertaking has to satisfy 15 separate elements, in addition to detailed language requirements) means it will likely take weeks or even months to try to get permission to post a note on Facebook or Twitter. This will likely severely curtail public servant use of social media sites and services and make it harder, not easier, to communicate with the federal government in the future.
It is surprising that the Canadian government could get this so wrong since there are other jurisdictions that have already provided templates that could have been followed.
For example, the U.K. government produced “Engaging through social media: A guide for civil servants” in 2009, which is a readable and practical policy that emphasized the benefits and possibilities that social media sites create for engaging with citizens. Clearly the committee which produced the Canadian document either didn’t see or discarded the useful aspects of the U.K. policy. It’s even more surprising that such a restrictive policy would be announced by Tony Clement, the Treasury Board President, who is well known for his active Twitter account @TonyclementCPC.
The failure of the federal government to properly deal with Web 2.0 is something that Canadians should be concerned about. Increasingly, young Canadians will engage primarily through social media and if the federal and provincial governments are not there to engage with them, we are going to have a generation that does not understand or relate to the governmental agencies that shape their lives. The federal government should go back to the drawing board and try to come up with a user-friendly Web 2.0 policy that will actually encourage responsible use of social media instead of erect barriers to such use.
There are lots of experts out there who do this kind of work and know how to produce useful guidelines, and it’s almost unbelievable that the government has produced this kind of document in 2011. It’s going to make Canada a bit of a laughing stock, I’m afraid.
Mark Hayes' commentary can also be found on AdvocateDaily.com
Post date: November 22, 2011
By: Clinton Brown, Student-at-Law, Hayes eLaw LLP
What was slated to be Canada’s comprehensive anti-spam framework may have missed its mark due to the law’s overly broad scope and application to commercial electronic messages (CEMs). The most recent round of public consultation on the regulations proposed by the Canadian Radio-television and Telecommunications Commission (CRTC) and Industry Canada brought further speculation that the law may do more to hinder the promotion and development of Canada’s digital economy than to facilitate its growth.
Post date: November 17, 2011
By: Oana Dolea, Lawyer, Hayes eLaw LLP
On September 29, 2011, the Canadian federal government introduced Bill C-12, “An Act to Amend the Personal Information Protection and Electronic Documents Act” (“Bill C-12”). Among various other proposed amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the new breach notification requirement would mean nationwide introduction of a concept that is already in place in Alberta through its Personal Information Protection Act (“PIPA”).
Alberta’s PIPA requires that Alberta organizations notify the provincial Privacy Commissioner when a loss, unauthorized access to or disclosure of personal information occurs, but only where a reasonable person would consider that a real risk of significant harm to an individual exists. The Commissioner may direct the organization in question to also inform the affected individual, but it is not required to do so. By contrast, Bill C-12 directly requires notification to both the Privacy Commissioner of Canada (for any material breach) and to the affected individual (if it is reasonable to expect that such a material breach poses a real risk of significant harm to an individual). Private sector organizations all over Canada will now be looking at the Alberta experience to see how this new requirement may affect day to day operations, and to consider whether the mandatory individual notification requirement will add an additional burden.
To date, Alberta organizations that have suffered a security breach have in most cases, in addition to the mandated disclosures to the Privacy Commissioner, voluntarily disclosed breaches to affected individuals prior to being asked to do so by the Commissioner.[i] In security breach situations that can pose a real risk of significant harm to individuals, notifying the individuals affected by such breaches, regardless of the existence of a legal requirement to do so, will often avoid or minimize the potential for negative publicity.
However, under Bill C-12, organizations subject to PIPEDA will be required to make a broader range of disclosures since breaches that risk causing real and substantial harm must also be reported directly to individuals. Organizations governed by federal privacy law will need to better understand the scope of the “real risk of substantial harm” standard – for example how serious a breach does it have to be to require disclosure to individuals and how will the new standard be applied? The Alberta experience may provide some guidance in defining that scope.
Post date: November 2, 2011
By: Mark Hayes, Partner, Hayes eLaw LLP
The Supreme Court of Canada released Crookes v. Newton, a highly-anticipated Internet defamation case, in which the court decided that providing a hyperlink to a defamatory online article does not constitute "publication". As a result, unless the provider of the hyperlink repeats the defamatory content, they will not be liable for defamation.
"This is obviously a very important decision, both in a micro and macro sense,” said Mark Hayes of Hayes eLaw LLP in Toronto. "In terms of the specific defamation issue before the Court, the resolution by the majority of the judges is consistent with the historical principle of ‘publication’ and will ensure that Internet content aggregators will not be faced with unexpected defamation liability.”
But Hayes believes that the Crookes may have a much wider effect on the way that courts approach Internet issues generally. "Everyone knows that the judges of the Supreme Court did not grow up with the Internet. As a result there has always been a concern that some of the members of the Court may not be attuned to practical considerations that flow from the unique nature of Internet communications and community. With this decision, the Court has shown that it will approach Internet liability issues from a practical viewpoint and will take pains to understand the unique context of online business and communication. This is very encouraging and is likely to have a significant impact on the way that lower courts approach Internet issues."
Mark Hayes' commentary on Crookes v. Newton can also be found on AdvocateDaily.com
Post date: November 2, 2011
