Fairness or Flaw: Ontario PHIPA Orders and Issue Estoppel in Privacy Breach Cases
On October 25, 2018, Perell J. of the Ontario Superior Court of Justice released a decision in Broutzas v. Rouge Valley Health System, 2018 ONSC 6317. Broutzas raises some important considerations for the health law field pertaining to medical records and privacy under the Ontario Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (“PHIPA”), and the role, if any, played by Orders of the Information and Privacy Commissioner (“PHIPA Orders”) in pre-determining civil liability for alleged violations relating to the PHIPA. As Broutzas demonstrates, these issues can be particularly important in the context of large-scale class actions for alleged privacy breaches.
In Ontario, the PHIPA establishes a set of rules regarding the privacy rights attached to personal health information in the possession of “health information custodians”. It provides, among other things, an avenue to bring a civil action for damages for actual harm suffered after a PHIPA Order has been issued or a person has been convicted of an offence under the PHIPA (s. 65). The Information and Privacy Commissioner in Ontario has jurisdiction under a variety of Acts, including the PHIPA and its related regulation, to oversee Ontario’s access and privacy laws. Health information custodians must proactively notify the Information and Privacy Commissioner about certain privacy breaches. Moreover, it has wide powers to issue formal Orders pertaining to alleged privacy breaches and their amelioration as it generally sees fit (s. 61). These administrative decisions can then typically be subject to judicial review in the normal course.
In Broutzas, the plaintiffs advanced causes of action alleging: (a) intrusion on seclusion; (b) breach of the PHIPA; (c) negligence; (d) breach of contract and warranty; and (e) vicarious liability. Their claim alleges unauthorized access to hospital records about patients who had given birth at Rouge Valley Hospital, information from which was then used to solicit sales for Registered Education Savings Plans for the newborns. The plaintiffs moved for a determination of law under Ontario’s Rule 21 that PHIPA Order HO-013, which had previously found violations, already determined Rouge Valley Hospital’s liability in the civil matter on the basis of issue estoppel. The motion was brought in tandem with the certification motion in the class action (2018 ONSC 6315). The plaintiffs claim damages in excess of $400 million.
It is well-settled that the requirements for an issue estoppel are: (1) the parties must be the same; (2) the same question must be involved in the initial and subsequent hearing; (3) the question must have been actually litigated and determined in the first hearing and its determination must have been necessary to the result; and (4) the decision on the issue must have been final. But on top of that legal analysis rests an added discretionary power by which the court can refuse to apply issue estoppel. As Perell J. put it: “The court should stand back and, taking into account the entirety of the circumstances … consider whether an estoppel in the particular case would work an injustice.”
The Motion Decision
On the motion before him, Perell J. recognized that a host of potentially novel issues arose: “In the case at bar, there were fulsome arguments about: (a) whether and how Rule 21 of the Rules of Civil Procedure applied; (b) whether the preconditions for an issue estoppel could be found in the proceedings of the Information and Privacy Commissioner, which have been described as informal and highly discretionary; (c) whether the Commissioner made determinations that actually addressed the issues that arise for a perfected statutory claim; and (d) whether the Commissioner could or did make determinations that actually addressed the issues that arise in the intrusion on seclusion, negligence, breach of contract, and vicarious liability causes of action of the Plaintiffs.”
But in the course of determining whether issue estoppel could be triggered in the circumstances on account of the PHIPA Order, Perell J. sidestepped the legal assessment and went straight to discretion to dismiss the motion, even if an issue estoppel may have existed, chiefly because:
- “[I]t would not be in the interests of justice to resolve a $400 million class action (over $450 million if a companion class action is taken into account) against a public institution, based on the decision of an informal proceeding before an administrative tribunal dealing with its own privacy law mandate and not the intricacies of a newly developing area of substantive civil law about the protection of privacy”; and
- “[I]t would complicate the good work done by the Information and Privacy Commissioner. This follows because if exposed to issue estoppels with an attendant liability in the multi-millions of dollars, a respondent to a complaint, in what is intended to be an informal procedure, would be compelled to litigate and never settle the complaint with the Commissioner. In the immediate case, the hospital ultimately settled by improving its information technology.”
Some important observations emerge from Perell J.’s relatively short shrift of the plaintiffs’ novel motion. For example:
- Perhaps most importantly on a legal front, Perell J. notably left open the question of whether a PHIPA Order can be sufficient for the purposes of pre-determining civil liability in a PHIPA/privacy matter as an issue estoppel. In an age of increasing privacy litigation, this remains an interesting issue that may receive further treatment.
- While Perell J.’s point about the informal nature of Information and Privacy Commissioner proceedings is well-taken, he is also effectively saying that the size of the case and amount at issue can determine how/if the court exercises its discretion in the course of an issue estoppel. But what is too big or too little? Do such sentiments favour large-scale litigation like class actions over smaller, more individually-focused cases for the purposes of dismissing an issue estoppel? Would parties in one type of case find themselves at a disadvantage as compared to the other? If so, does this amount to a de facto provision of substantive rights in a class action when it is supposed to function strictly as a procedural vehicle? Questions remain.
- Perell J. also seems to be saying that fear of impeding the mandate of, or reporting obligations to, the Information and Privacy Commissioner can determine whether issue estoppel should be invoked. This consideration smacks of a hypothetical of potential outcome divorced from the reality of the record before the court on the motion. It also places the operation of the Information and Privacy Commissioner (a non-party), cloaked under the “due administration of justice”, above the actual parties’ potential legal right to issue estoppel if indeed made out, the latter of which itself is equally grounded in the administration of justice. Does a conflict of considerations then emerge, resulting in an unintended hierarchy in the administrations of justice in such circumstances? It is unclear at best.
Ultimately, this all may beg for appellate scrutiny. The exercise of discretion could be tough to touch on appeal. Yet if the discretion is predicated upon incorrect legal principles, then deference begins to fade away. In any event, it is unlikely that we have seen the last of these issues.
Visit our Cybersecurity, Privacy & Data Management page and contact us with any questions or for assistance.