Ontario Court of Appeal Recognizes a Cause of Action for Invasion of Privacy: Jones v. Tsige
We presented this case at our Privacy Law Update last fall. The Ontario Court of Appeal reversed the trial court last week and we wanted to draw this important case to your attention.
Jones v. Tsige1 was an appeal from a decision granting summary judgment and dismissing a claim for damages. The motion judge had held that Ontario does not recognize a cause of action for invasion of privacy.2
The Respondent, Ms. Tsige, a Bank of Montreal (Bank) employee, had accessed the financial records of the Appellant, Ms. Jones, also an employee of the same bank, approximately 174 times over a span of four years. Although Ms. Tsige viewed the information, she did not publish, distribute or record it. There was no business or employment-related reason for Ms. Tsige to access these records. As it turns out, Ms. Tsige later indicated that she was reviewing this information in order to determine whether or not her common law spouse had made, or was making, any support payments to Ms. Jones, who is his ex-wife. The Bank disciplined Ms. Tsige for this.3
The Court of Appeal acknowledged that the question of whether a common law cause of action for invasion of privacy exists had been debated for the "past one hundred and twenty years" and set out to settle the debate. After a thorough review of Canadian common law and statutes, as well as U.S. and Commonwealth jurisprudence, the Court held that it was appropriate "to confirm the existence of a right of action for intrusion upon seclusion" or common law action for breach of privacy.
The Court put forward three rationales in support of its decision. Firstly, the case law supports the existence of such a cause of action. Secondly, changes in technology have brought about an "enormous change in the way we communicate and in our capacity to capture, store and retrieve information." Finally, the Court felt that it was presented "with facts that cry out for a remedy."4
Elements of the Cause of Action
The Court adopted the elements from the U.S. Restatement (Second) of Torts (2010), which are as follows:
- the defendant’s conduct must be intentional and this includes recklessness;
- the invasion must be of the plaintiff’s private affairs or concerns and without lawful justification; and
- a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish, but proof of harm to a recognized interest is not an element of the cause of action.5
The Court noted some important limitations:
- A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy.6 Claims from individuals who are sensitive or unusually concerned about their privacy are excluded.7
- The cause of action covers only intrusions into "financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive."8
- Privacy claims may give rise to competing claims such as freedom of expression and freedom of the press. In such cases the protection of privacy "will have to be reconciled with, and even yield to, such competing claims."9
The Court held that "proof of actual loss is not an element of the cause of action for intrusion upon seclusion" and that in a case such as the one before the Court, where there was no actual loss, the damages must be "symbolic" or "moral" damages.10 Furthermore, aggravated or punitive damages may be appropriate in exceptional cases.11
Regarding quantum, the Court held that an appropriate cap would be $20,000 and the Court adopted the following guiding factors from the Manitoba Privacy Act when assessing damages:
- the nature, incidence and occasion of the defendant’s wrongful act;
- the effect of the wrong on the plaintiff’s health, welfare, social, business or financial position;
- any relationship, whether domestic or otherwise, between the parties;
- any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and
- the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.12
The Court considered that the case before it fell in the middle of the range and assessed damages at $10,000.13
Implications of Decision
This case, absent leave to appeal to the Supreme Court of Canada, likely determines that a common law claim for intrusion upon seclusion or the tort of breach of privacy exists and is actionable.
Although the range of damages is modest, this case will render class actions related to breaches of privacy easier to advance.
This case likely does not cap damages in all privacy breach cases. Rather, it leaves open the possibility that damages may be higher where actual harm can be demonstrated.
It is interesting to note that the Court accepted Professor William L. Prosser’s classification of privacy torts, which delineates a "four-tort catalogue" as follows:
- intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs;
- public disclosure of embarrassing private facts about the plaintiff;
- publicity which places the plaintiff in a false light in the public eye; and
- appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.
The Court rightly focused on the first category, as that was the only one before the Court on the facts of this case. On different facts, however, the Court of Appeal may be willing to explore the creation of other "right of privacy" torts in appropriate cases.14
This decision does not just open the door to actions against individuals for alleged invasion of privacy. It may also increase the risk of class actions based on invasion of privacy. What can organizations do to protect themselves? It is important for organizations to make sure they have obtained consent from individuals for the collection, use and disclosure of their personal information as a defence to such potential claims. To decrease their vulnerability to employees who may unlawfully access personal information collected by organizations, organizations should continue to train their employees on an ongoing basis on the importance of following their privacy policies.
2 Para 3
3 Paras 4-7
4 Paras 66-69
5 Para 70
6 Para 71
7 Para 72
8 Para 72
9 Para 73
10 Paras 74-76
11 Para 88
12 Para 87
13 Paras 87, 91
14 Paras 16-21