Last week, on December 9, 2021, the Privacy Commissioner of Canada, Daniel Therrien, published his final annual report wherein he called upon the federal government to “bring Canada into the modern era by adopting rights-based privacy laws that will reflect Canadian values and support responsible innovation.” The Commissioner pointed to successive large scale data breaches, the growing use of facial recognition technology and risks of surveillance, as well as ineffective consent policies, as examples of some of the key threats to privacy and other human rights.
Commissioner Therrien was encouraged by recent indications from the government that it would re-introduce a bill to update Canada’s federal private sector privacy laws in 2022. However, the report emphasized that Canada’s federal privacy regime has fallen behind the laws of global trading partners, and of several provinces.
The Commissioner commended provincial initiates aimed at bolstering privacy protections, but cautioned that these efforts “do not absolve the federal government from the responsibility to ensure that all Canadians are protected [in the same manner]”.
As discussed below, the current inconsistencies between provincial privacy laws, coupled with differing developments within the common law of various provinces, suggest that the Commissioner’s call for updated federal privacy laws is well-founded. With improved privacy laws at the federal level, there is a greater possibility that Canada’s privacy protection framework as a whole will provide improved clarity and consistency across jurisdictions, and afford similar protections to individuals living throughout the nation.
As an example, in Ontario, the provincial government has recently put forward proposals encouraging digital innovation within a legal framework that recognizes privacy as a fundamental human right. While the Ontario government should be commended for its efforts to prioritize privacy moving forward, at present, Ontarians do not enjoy the same statutory protections as individuals in many other provinces. Unlike British Columbia, Saskatchewan, Manitoba and Newfoundland and Labrador, Ontario’s privacy legislation currently does not include a statutory cause of action to address threats to individual privacy.
Instead, Ontarians have had to resort to the common law tort of intrusion upon seclusion when seeking redress for privacy infringements in the civil justice system. Since the tort was recognized in Ontario in 2012, the court has considered a number of data and privacy-related claims and, in doing so, has gradually elucidated the types of claims and incidents that fall within the scope of the tort.
Despite the growth of the common law in this regard, recent caselaw suggests that the tort of intrusion upon seclusion is not so malleable or so broad so as to respond to increasingly common and diverse threats to individual privacy rights. The decision in Obodo v. Trans Union of Canada Inc., released in November 2021, supports this position.
In Odobo, Justice Glustein considered a motion by plaintiff for an order certifying a proposed class action. This action arose out of a large scale data breach conducted by hackers into the defendant, TransUnion’s, database in 2019. The hackers accessed the financial information and credit reports of almost 40,000 individuals. They obtained biographical and employment information, trade accounts, mortgage accounts, insolvency filings, legal claims and other personal information.
The plaintiff’s claim for damages was based upon three causes of action: intrusion upon seclusion, negligence, and breach of provincial privacy statutes in Manitoba, Newfoundland and Labrador and British Columbia. One issue considered by Justice Glustein was whether the intrusion upon conclusion claim could be brought against the defendant.
While the court granted the certification motion, it found that intrusion upon seclusion did not apply to hacker attacks and claims against “database defendants” (i.e. corporate defendants whose database has been breached by an outside attack). In arriving at this decision, His Honour noted that, in recent years, the court has come to conflicting conclusions about whether intrusion upon seclusion claims could apply to hacker attacks and claims against database defendants.
Nevertheless, Justice Glustein found that the law on this issue was recently settled in the 2020 appellate decision by the Divisional Court in Owsianik v. Equifax Canada Co. In this case, the majority found that intrusion of seclusion could not apply to find a database defendant liable for hacker attacks.
In a compelling dissent, Justice Sachs agreed with the lower court finding in Owsianik that it was not settled law that intrusion upon seclusion precluded a claim against a database defendant. Her Honour stated that, from a policy perspective, the recognition of the tort of intrusion upon seclusion by the Court of Appeal in Jones v. Tsige
“was clearly driven by the need for the common law to be able to develop to protect against the threats posed to privacy by the ‘routine collection and aggregation of highly personal information that is readily accessible in electronic form’”.
Justice Sachs held that the Court of Appeal’s articulation of the elements of intrusion upon seclusion in Jones was not a final pronouncement of this cause of action, and that the Court of Appeal was clear in its reasons that it was seeking to establish a cause of action to encompass the facts before it. Those facts, said Justice Sachs, were clearly different than those in Owsianik.
Justice Sachs further stated:
“[Intrusion upon seclusion] is a new tort, whose limits have not been fully developed at common law in Canada. The rights at issue are fundamental rights that are facing unprecedented threats. The common law should be allowed to develop in an incremental way to see how far the tort should be extended to meet those threats”.
Ultimately, the court in Odobo found that the Divisional Court’s decision in Owsianik was binding authority and that the intrusion upon seclusion claim could not apply to the hacker attack. As such, this claim against TransUnion did not disclose a cause of action in intrusion upon seclusion.
These decisions highlight the difficulties that Ontario courts have faced when attempting to address how the common law should evolve to protect privacy rights and provide civil remedies to individuals when their privacy rights are violated. This task is undoubtedly complicated by the absence of a cohesive legislative framework to address and confront this issue with greater specificity.
At present, Canada’s privacy legal landscape is in a state of flux. The privacy rights of residents in different provinces and territories are addressed through a myriad of legislative schemes and conflicting developments at common law. As a result, the privacy rights afforded to individuals across Canada varies. Not all Canadians enjoy the same protections.
If the federal government were to heed the Privacy Commissioner’s recommendations to revamp the federal private sector privacy laws, many of the wrinkles in Canada’s current privacy protection framework might be ironed out. Until then, Canadian courts and provincial legislatures will continue to grapple with the question of how to best protect privacy rights within the civil justice system.