Making it harder (and easier?) to sue for data breaches

In which we continue to explore important internet and privacy law developments from the “dark 9 months” period of this little corner of the internet. And in this post I tackle three court cases for the price of one, and also talk about an important potential federal law and an enacted provincial law! Talk about efficiency!

So today we start with three Ontario Court of Appeal decisions that came out in November 2022. Not that long ago. They made it harder to sue for data breaches. But then we’ll take a look at the part of the Federal Bill C-27 which may make it easier, and Quebec’s newly-updated privacy law which does kind of sorta possibly make it easier. How’s that sound?

The Case(s)

So as mentioned we have 3 cases, all related, and all heard together. They are: (1) Owsianik v. Equifax; (2) Obodo v. Trans Union of Canada; and (3) Winder v. Marriott International. All three had their decisions released on November 25th. Here is the Court in Obodo summarizing the situation:

This appeal was heard with the appeals in Owsianik … and Winder… All three appeals raise the applicability of the tort of intrusion upon seclusion, recognized in Jones v. Tsige, …to defendants who collected and stored the private information of others and whose failure to take adequate steps to secure that information allowed independent third-party “hackers” to access and/or use that private information. These defendants are referred to as “Database Defendants”.

I will explain all that soon, pinky swear. The “Court” in Obodo is the same 3 judges as in all the cases – Doherty, Tulloch and Miller. All three cases are at the same stage, where a potential class action is being proposed, what we call the “certification” stage. The court has to “certify” a class action lawsuit before it can go forward. The Obodo court goes on:

The appellant (Mr. Obodo) on behalf of himself and the proposed class raised many of the same issues and made many of the same arguments as were advanced by the appellant in Owsianik. I have addressed those arguments in my reasons in Owsianik, and will not repeat my analysis here.

So you are saying we should just ignore this decision and go read Owsianik? Ok then! What about the Winder case?

the issues raised on this appeal are addressed in my reasons in Owsianik. I will not repeat that analysis and these reasons should be read with the reasons given in Owsianik

Ok then! So basically the Court has said twice I should just go read Owsianik. I have lied to my loyal readers Steve and C. Miner that I would be covering three cases. Bad blogger!

In fairness, in both Obodo and Winder the court does basically say “well in these cases there are a couple of different arguments besides the Owsianik but they also fail, we just want to be complete.” So that’s my summary of those two cases, on to the important one!

Owsianik v. Equifax Canada

The Court opens the decision with “In Jones v. Tsige this court recognized the tort of intrusion upon seclusion.” Oh fuck me. Let’s take a step back here.

Jones v. Tsige

This was a very important Ontario Court of Appeal case from 2012. I teach it all the time in my Internet Law class. But it has nothing to do with the internet. But it’s important. Even very important; I just said so! Here are the facts which I like to cut and paste from the case so you know I am not lying (this time):

appellant, Sandra Jones, discovered that the respondent, Winnie Tsige, had been surreptitiously looking at Jones’ banking records. Tsige and Jones did not know each other despite the fact that they both worked for the same bank and Tsige had formed a common-law relationship with Jones’ former husband. As a bank employee, Tsige had full access to Jones’ banking information and, contrary to the bank’s policy, looked into Jones’ banking records at least 174 times over a period of four years

Tsige should not have done that! Bad Tsige! Jones was right to sue, her privacy (in the form of her bank records) was clearly violated. The problem was that in Ontario at the time there was no real “right to privacy” you could sue on. So the Court found one! It looked at all four of the torts (the bases for lawsuits) that were privacy invasion torts in the USA and said “we like one, let’s use it”!

it is appropriate for this court to confirm the existence of a right of action for Intrusion Upon Seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society

The Court did a good thing. Privacy invasions are bad, and people should be able to sue because of them. So what is this “Intrusion Upon Seclusion” tort we can now use to sue someone for invasion of privacy?

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person

I bolded that phrase for a reason, remember it. Foreshadowing!

So because of Jones v. Tsige, in Ontario you could now sue for the invasion of privacy. Why is that important in my internet law class? Well, what would you say if I told you that the tort of intrusion upon seclusion was successfully applied in a case where a woman was filmed jogging and the video was used in a promotional video for a condo project without her permission? Or that once the Court adopted one of those four privacy torts, it was very easy for them to adopt a second one (“public disclosure of private facts” if you are scoring at home) in a landmark case about non-consensual distribution of intimate images (aka “revenge porn”) online? Important (nay, very important) stuff!

Anyway, intrusion upon seclusion was now a tort in Ontario, and we are back to…

Owsianik v. Equifax Canada for realz this time

So where were we? The Court says that in the 3 cases (see I am talking about all 3 cases and you called me a liar):

the plaintiffs sought to apply the tort of intrusion upon seclusion, first recognized in Jones, to defendants who, for commercial purposes, collected and stored the personal information of others (“Database Defendants”), and whose failure to take adequate steps to protect that information allowed third-party “hackers” to access and/or use the personal information.

Can you see the problem here? The plaintiffs are suing (or at least “wanting to sue”, remember the stage we are at) the big companies (the “Database Defendants”) who “failed to take adequate steps” to prevent hackers from doing what they do (hacking!). Remember the bolded phrase I told you to remember four paragraphs ago? The defendants sure do:

Database Defendants submitted that the tort as defined in Jones targeted those who, like the defendant in Jones, had actually invaded or intruded upon the privacy of a plaintiff, by accessing that plaintiff’s private information. The tort could not reach Database Defendants whose inadequate security measures may have allowed others, with no connection to the Database Defendants, to access the private information stored in the databases

Basically over the next seventy paragraphs the Court agrees. And we’re done!

I keed, I keed. Let’s discuss just a tiny bit, some of you have been waiting all month for this post. Let’s start with some pretty bad facts. What did the hackers get access to? Only “social insurance numbers, names, dates of birth, addresses, driver’s licence numbers, credit card numbers, email addresses, and passwords.” Yeesh. That’s not good. People should be able to sue for having that stuff stolen!

The problem is, as a lower court noted – “The tort is a new tort, whose limits have not been fully developed at common law in Canada.” So the Court of Appeal did a good job here, setting some limits. The Court goes on for many paragraphs basically saying “there are lots of cases with these issues, we gotta sort this shit out already!” (not a direct quote). These cases (privacy class actions wanting to use the tort) are “consuming valuable litigation resources, no one [can] say with any certainty whether the cause of action asserted in these claims existed as a matter of law” (actual quote).

The Court then gets into the details. It goes over the individual requirements for the intrusion upon seclusion tort, and the first one is:

the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the conduct requirement]

The conduct was clear in Jones v Tsige – 174 instances of looking at bank records without permission! But here we have an argument. The Court notes that the tort “requires an act by the defendant which amounts to a deliberate intrusion upon, or invasion into, the plaintiffs’ privacy.” DELIBERATE ACT, aka our bolded phrase “intentionally intrudes, physically or otherwise”. Owsianik argues that Equifax (and the other Database Defendants) were being “reckless” when they had crappy security and let the hackers hack. The Court says fuck off, being “reckless” is not a deliberate act, and concludes:

Equifax’s negligent storage of the information cannot in law amount to an invasion of, or an intrusion upon, the plaintiffs’ privacy interests in the information. Equifax’s recklessness as to the consequences of its negligent storage cannot make Equifax liable for the intentional invasion of the plaintiffs’ privacy committed by the independent third-party hacker […]

To impose liability on Equifax for the tortious conduct of the unknown hackers, as opposed to imposing liability on Equifax for its failure to prevent the hackers from accessing the information, would, in my view, create a new and potentially very broad basis for a finding of liability for intentional torts

The final point here, also very important, is that in Jones v. Tsige, Jones had no other options, as there was no basis for any claim in existing torts or law. As the Court in Jones stated “we are presented in this case with facts that cry out for a remedy”, so the Court had to do something dammit! But here, Owsianik (and the class) has a shitload of options as the Court points out. They can sue the hackers (good luck with that), and more importantly they can sue Equifax on a number of other bases – other torts like negligence, contracts, various laws, etc. Yes, they have some higher standards (because you have to show some actual damages for those) but there is still a possible remedy, unlike in Jones v. Tsige.

The Court concludes with the following:

Parliament and provincial legislatures have enacted legislation intended to protect informational privacy. It is certainly open to Parliament and the legislatures to expand these protections to provide for what Parliament and the legislatures might regard as more effective remedies against Database Defendants who do not take proper steps to secure the information under their control.

Parliament and the legislatures enact / try to enact more effective remedies against Database Defendants who do not take proper steps to secure the information under their control

Look at the way this post flows! I’m very clever if I do say so myself.

So here in Quebec, we recently updated our main privacy law, the Act Respecting the Protection of Personal Information in the Private Sector. As of September 2023, individuals (and thus presumably classes of individuals) will be able to sue organizations for not taking care of personal information if they are “grossly negligent”. That’s a high standard, but it’s still something! It’s called a “private right of action.”

At the Federal level, the government keeps trying to enact updated privacy legislation. 100th time’s the charm! The current version is Bill C-27, which is currently in second reading in the House of Commons. Bill C-27 does a bunch of stuff (maybe in the next post I’ll talk more about it) but for now I want to discuss one thing. Bill C-27 creates the Consumer Privacy Protection Act (the CPPA), which kind of replaces PIPEDA. In the CPPA, there is also a private right of action:

107 (1) An individual who is affected by an act or omission by an organization that constitutes a contravention of this Act has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the contravention if …

Note the “omission” part here. Like in our Owsianik case, having crappy security that let hackers hack would certainly be an omission.

Superterrific Happy Hour Analysis

So the Ontario Court of Appeal was very right (imho) in denying the intrusion upon seclusion tort in the circumstances. You could just tell from what I wrote above with all the hints and so forth. That tort was designed for intentional acts and Equifax (and the other Database Defendants) did nothing intentional. So that’s cool.

And you would think I would be happy the legislatures stepped in, and I am, but I am not happy enough! The problem is both of the private rights of action I discussed here are insanely limited. As mentioned “grossly negligent” in the Quebec law is a high standard. Not sure the Database Defendants in our 3 cases would meet that. Furthermore, even if you find gross negligence, the law requires that said gross negligence “cause(d) an injury.” In a data breach situation you quite often cannot show that at all.

And let’s talk about the CPPA provision. First, again it requires “damages for loss or injury” which can be hard to show in data breach situations. That was the point of Owsianik when they wanted to use the intrusion upon seclusion tort which does not really require that.

AND AND AND. You may have noticed I cut off the CPPA provision at the word “if”. What comes after the “if”? Here:

(a) the Commissioner has made a finding under paragraph 93(1)‍(a) that the organization has contravened this Act (…); or

(b) the Tribunal has made a finding under subsection 103(1) that the organization has contravened this Act.

Point is, you gotta go through a whole shitload of “channels” (and I edited out the “appeals” channels) and “authorities” before you can sue. And those authorities must show the CPPA was violated before you can sue. That’s pathetic, and frankly kind of useless.

And no substitute for really being able to sue a company who left the keys to the car in the ignition, so to speak.

