Teresa Scassa - Blog

Displaying items by tag: invasion of privacy

A recent decision of the Ontario Superior Court of Justice has expanded the scope of the tort of invasion of privacy in Ontario. This is an important development, given that the tort was only recognized for the first time by the Ontario Court of Appeal in 2012. The rapid expansion of private recourses for invasion of privacy is not surprising. Technology has amplified privacy risks, and highly publicized incidents of data breaches, snooping, shaming, and identity theft have dramatically increased public awareness of the risks and harms of privacy invasive activity.

Doe 464533 v. D. involved a defendant who posted an intimate video of the plaintiff on a pornography website without her knowledge or consent. The two had been in a relationship which began when they were in high school and ended shortly afterwards. The plaintiff moved away to attend university and remained in regular contact with the defendant. He began pressuring her to send him an intimate video of herself. She refused to do so for a time, but eventually gave in to repeated requests. The defendant had assured her that no one else would see the video. As it turns out, he posted the video to a porn site on the same day he received it. He also showed it to other young men from the high school he had attended with the plaintiff.

The posting of the video and its aftermath were devastating to the plaintiff who suffered from depression and anguish. Justice Stinson observed that at the time of the hearing, 4 years after the incident, she was still “emotionally fragile and worried that the video may someday resurface and have an adverse impact on her employment, her career or her future relationships.” (at para 14)

There are two significant aspects to the court’s decision in this case. The first is that it expands the privacy tort recognized by the Ontario Court of Appeal in Jones v. Tsige. In that case, a bank employee had improperly accessed customer information for her own purposes. The Court of Appeal was prepared to recognize at least one aspect of the broad tort of invasion of privacy – that of “intrusion upon seclusion”. In other words, one who snoops or hacks their way into the personal information of another can be held liable for this invasion. The facts of Doe 464533 did not fit within the boundaries of ‘intrusion upon seclusion’. The defendant did not improperly access the plaintiff’s personal information. She sent it to him directly. However, she did so on the understanding that the material would remain strictly private. In breach of this understanding, the defendant posted the information online and shared it with common acquaintances. Justice Stinson characterized this as another branch of the broad tort of invasion of privacy – the “public disclosure of embarrassing private facts about the plaintiff”. Justice Stinson observed that “[i]n the electronic and Internet age in which we all now function, private information, private facts and private activities may be more and more rare, but they are no less worthy of protection.” (at para 44) He adopted a slightly modified version of the American Restatement (second) of Torts’ formulation of this branch of the tort:

One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of the other’s privacy, if the matter publicized or the act of the publication (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public. (at para 46)

The recognition of this branch of the tort is an important development given that it now clearly provides recourse for those who are harmed by the publication of private facts about themselves. There are limits – the tort will only be available where the material published “would be highly offensive to a reasonable person”. Further, if the facts are ones that there is a public interest in knowing (for example, the publication of information about a person’s involvement in corrupt or illegal activity), there will be no liability. However in an era in which “revenge porn” is a known phenomenon, the tort may provide a deterrent effect in some instances, and a basis for recourse in others.

The other interesting aspect of this decision is the damage award. The plaintiff had decided to commence her action under the Court’s Simplified Procedure. This meant that the maximum she could ask for in damages was $100,000. Justice Stinson ordered the maximum amount with little hesitation – which suggests that he might have awarded even more extensive damages had there been no cap. This is surely interesting, as damage awards for breach of privacy (either the tort or recourses under private sector data protection laws in Canada) have been generally quite small. In Jones v. Tsige, the Court had awarded only $10,000 in damages and had indicated that the normal range for such damages would be up to a maximum of $20,000 where no direct financial losses could be shown. In Doe 464533, Justice Stinson found the harm suffered by the plaintiff by the publication of the video to be analogous to the harm suffered in cases of sexual assault and battery. He fixed an amount of $50,000 in general damages for the past and ongoing effects of the defendant’s actions. He also awarded $25,000 in aggravated damages relating to the particularly offensive behavior of the defendant. According to Justice Stinson, the defendant’s breach of trust was “an affront to their relationship that made the impact of his actions even more hurtful and painful for the plaintiff.”(at para 59). He also awarded $25,000 in punitive damages for the defendant’s reckless disregard for the plaintiff. He noted that the defendant had not apologized, nor had he shown any remorse. He noted as well the highly blameworthy nature of the defendant’s conduct, the vulnerability of the plaintiff, and the significant harm the plaintiff had suffered. Justice Stinson also expressed the view that the punitive damage award was meant to have a deterrent effect. He stated: “it should serve as a precedent to dissuade others from engaging in similar harmful conduct.” (at para 62) In addition to the total award of $100,000 in damages, the judge ordered a further $5,500 in prejudgment interest and $36,208.73 in legal costs.

The recognition of the new tort, combined with the court’s approach to quantifying the harm suffered from this form of privacy invasive activity, should sound a warning to those who seek to use the internet as a means to expose or humiliate others.

Published in Privacy

Class action law suits for breach of privacy are becoming increasingly common in Canada. For example, the B.C. Supreme Court, the Ontario Superior Court, and Newfoundland and Labrador Supreme Court have all recently certified class action law suits in relation to alleged privacy breaches.

The use of the class action law suit can be a useful solution to some of the problems that plague the victims of privacy breaches. These difficulties include:

1) The lack of any other meaningful and effective recourse for a large scale privacy breach. Complaints regarding a large-scale privacy breach by a private sector corporation can be made to the Privacy Commissioner of Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA) (or to his provincial counterparts in B.C., Quebec or Alberta, depending upon the nature of the corporation and its activities). However, the federal privacy commissioner can only investigate and issue a report with non-binding recommendations. He has no order-making powers. Further, there is no power to award damages. An individual who feels they have been harmed by a privacy breach must, after receiving the Commissioner’s report, make an application to Federal Court for compensation. Damage awards in Federal Court under PIPEDA have been very low, ranging from about $0 to $5000 (with a couple of outlier exceptions). This amount of damages will not likely compensate for the time and effort required to bring the legal action, let alone the harm from the privacy breach. Perhaps more importantly, a few thousand dollars may not be a significant deterrent for companies whose practices have led to the privacy breach. The Privacy Commissioner’s Office has called for reform of PIPEDA to include order making powers, and to give the Commissioner the authority to impose significant fines on companies whose conduct leads to significant privacy harms. Yet legislative reform in this area does not seem to be on the current government’s agenda.

2) The problem of establishing damages in privacy cases. It can be very difficult to establish damages in cases where privacy rights have been breached. For example, although a company’s data breach might affect tens or even hundreds of thousands of individuals, it may be very difficult for any of those individuals to show that the data breach has caused them any actual harm. Even if one or more of these individuals suffers identity theft, it may be impossible to link this back to that particular data breach. While all of the affected individuals may suffer some level of anxiety over the security of their personal information, it is hard to put a dollar value on this kind of anxiety – and courts have tended to take a rather conservative view in evaluating such harm. It simply might not be worth it for any individual to bring legal action in such circumstances – even if they were to succeed, their damages would likely not even come close to making the litigation worth their while.

3) The inaccessibility of justice on an individual scale. Frankly, the majority of Canadians are not in a financial position to take anyone to court for breach of privacy. (Those in province of Quebec might be slightly better off in this regard, as privacy rights are much clearer and better established in private law in that province than they are elsewhere in Canada). It should be noted that those few individuals who have sought damages in Federal Court for PIPEDA breaches have been self-represented – legal representation would simply be too costly given the stakes. A suit for the tort of invasion of privacy or for breach of a statutory privacy tort would be considerably more complex than an application for damages under PIPEDA. Damage awards in privacy cases are so low that litigation is not a realistic solution for most.

In this context it is not surprising that the class action law suit for breach of privacy is catching on in Canada. Such law suits allow large numbers of affected individuals to seek collective recourse. As mentioned earlier, the British Columbia Supreme Court recently certified a class action law suit against Facebook for breach of privacy rights protected under British Columbia’s Privacy Act. The claim in Douez v. Facebook, Inc. related to Facebook’s Sponsored Stories “product”. Advertisers who paid to make use of this product could use the names and likenesses of Facebook users in “sponsored stories” about their products or services. These “sponsored stories” would then be sent to the contacts of the person featured in the story. The court found that between September 9, 2012 and March 10, 2013, 1.8 million B.C. residents were featured in Sponsored Stories. The plaintiffs argued that this practice violated their privacy. Although the issues have not yet been litigated on their merits, the certification of the class action law suit allows the privacy claims to proceed on behalf of the significant number of affected individuals.

In Evans v. Bank of Nova Scotia, Justice Smith of the Ontario Superior Court of Justice certified a class action law suit against the Bank of Nova Scotia. In that case, an employee of the bank had, over almost a five year period, accessed highly confidential personal banking information of 643 customers. In June of 2012, the Bank notified these customers that there may have been unauthorized access to their banking information; 138 of these individuals later informed the bank that they were victims of identity theft or fraud. The bank employee subsequently admitted that he had channelled the banking information through his girlfriend to individuals who sought to use the information for illegal purposes. The lawsuit claims damages for invasion of privacy and negligence, among other things, and argues that the bank should be held vicariously liable for the actions of its employee.

Most recently, in Hynes v. Western Regional Integrated Health Authority, the Newfoundland and Labrador Supreme Court certified a class action law suit against the Health Authority after it was discovered that an employee had improperly accessed 1,043 medical records without authorization. The information accessed included name and address information, as well as information about diagnostic and medical procedures at the hospital. This case is an example of where it may be difficult to assess or quantify the harm suffered by the particular individuals as a result of the breach, as it is not known how the information may have been used. The plaintiffs argued that both the statutory privacy tort in Newfoundland and the common law tort of intrusion upon seclusion were applicable, and that the Health Authority should be held vicariously liable for the acts of its employee. The also argued that the Health Authority had been negligent in its care of their personal information. The court found that the arguments raised met the necessary threshold at the class action certification stage – the merits remain to be determined once the case ultimately proceeds to trial.

What these three cases demonstrate is that class action law suits may give individuals a useful recourse in cases where data breaches have exposed their personal information and perhaps left them vulnerable to identify theft or other privacy harms. Such law suits may also act as a real incentive for companies to take privacy protection seriously. The cost of defending a class action law suit, combined with the possibility of a very substantial damages award (or settlement), and the potential reputational harm from high profile litigation, all provide financial incentives to properly safeguard personal information.

This may be welcome news for those who are concerned about what seems to be a proliferation of data breaches. It should not, however, let the federal government off the hook in terms of strengthening Canada’s private sector data protection legislation and giving the Privacy Commissioner more effective tools to act in the public interest to protect privacy by ensuring compliance with the legislation.

 

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law