Ontario Divisional Court Overturns Certification Of Intrusion Upon Seclusion Claim

• Published date: 21 June 2021
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Privacy Protection, Class Actions, Trials & Appeals & Compensation
• Law Firm: Blake, Cassels & Graydon LLP
• Author: Ms Nicole Henderson

On June 9, 2021, in Owsianik v Equifax Canada Co (Equifax), 2021 ONSC 4112, a majority of the Divisional Court overturned the certification of intrusion upon seclusion as a common issue in a class proceeding involving a cyberattack. The decision represents the first time an appellate court has considered the scope of the tort since the Ontario Court of Appeal first recognized it as a cause of action in Jones v Tsige (Jones).

BACKGROUND

In 2017, hackers accessed Equifax's computer network without authorization, allegedly exposing personal and financial information of consumers across North America to the hackers.

The plaintiffs commenced a class action alleging various causes of action, including the tort of intrusion upon seclusion. In the pleadings, the plaintiffs claimed that Equifax knew that its computer network was vulnerable to cyberattacks and chose to do nothing, and that those omissions constituted an intentional or reckless intrusion upon seclusion. This claim represented a novel application of the tort against a defendant who was the victim of a cyberattack perpetrated by a third party.

The tort of intrusion upon seclusion was first recognized in Jones in 2012. To make out a claim for intrusion upon seclusion, the plaintiff must show that:

1. The defendant committed an intentional (or reckless) and unlawful intrusion into the plaintiff's affairs;
2. The matter intruded upon was private;
3. The intrusion would be highly offensive to the reasonable person; and
4. The intrusion caused the plaintiff distress, humiliation, or anguish.

Since Jones, intrusion upon seclusion has been certified as a common issue in several privacy class actions, although some courts had expressed doubt that such a claim could succeed against a defendant who was not itself an "intruder." A central issue in Equifax was whether it was plain and obvious that the plaintiff's intrusion upon seclusion claim was doomed to fail, because the defendant was the victim rather than the perpetrator of the cyberattack.

The motion judge certified the plaintiff's claim for intrusion upon seclusion on the basis that it represented a novel application of the tort. He found that the question of whether a defendant who recklessly permits a cyberattack to occur is liable for intrusion upon seclusion had not yet been settled. For this reason, he concluded it was not plain and obvious that the claim would fail.

DIVISIONAL COURT DECISION

A majority of the Divisional Court held that the plaintiff's claim...