CITATION: Owsianik v. Equifax Canada Co. 2021 ONSC 4112
DIVISIONAL COURT FILE NO.: 012/20
DATE: 2021/06/09
ONTARIO
SUPERIOR COURT OF JUSTICE
DIVISIONAL COURT
McWatt ACJSCJ, Sachs and J.A. Ramsay JJ.
BETWEEN:
Alina Owsianik
Plaintiff/Respondent
– and –
Equifax Canada Co. and Equifax Inc.
Defendants/Appellants
Jean-Marc Leclerc, for the Plaintiff/Respondent
Laura F. Cooper, Alex D. Cameron, Sarah J. Armstrong and Pavel Sergeyev, for the Defendants/Appellants
HEARD at Toronto by videoconference: May 19, 2021
H. Sachs J. (dissenting)
Overview
[1] This appeal raises the question of whether a claim for intrusion upon seclusion can succeed against the collectors and custodians of private information (“Database Defendants”) where they are alleged to have acted recklessly in the storage of that information such that the information was improperly accessed by a third party.
[2] The tort of intrusion upon seclusion was recognized by the Court of Appeal eight years ago in Jones v. Tsige, 2012 ONCA 32, 108 O.R. (3d) 241 (“Jones”). According to the Appellants (“Equifax”), in Jones the Court of Appeal deliberately defined the elements of that tort narrowly so that the only people who can be held liable for the tort are defendants who intentionally and illegally intrude to access the private information, not defendants who collect and store that information. In other words, liability for this intentional tort (which does not require proof of damages) only attaches to the hacker of private information, not the party whose intentional or reckless behaviour may have allowed the hacking to occur.
[3] This appeal arises out of a certification motion where the Plaintiff (Respondent in this appeal) sought to have a class action certified against Equifax, who are part of a large and well-known credit-reporting agency that collects financial information relating to millions of individuals and businesses. Equifax also sells credit protection and other services designed to protect against identity theft and other risks associated with the unauthorized disclosure of personal information. Equifax does not ask for permission from the people whose data it aggregates and stores.
[4] Between May and July of 2017, an unauthorized security breach occurred in Equifax’s computer systems, which allegedly led to the exposure of the private information of millions of consumers across North America. According to the Plaintiff, Equifax knew that their IT security was inadequate and vulnerable to hackers and made the choice not to take the necessary steps to guard against the hacking that led to the breach at issue.
[5] The certification judge certified a number of causes of action against Equifax, including an action for intrusion upon seclusion. In doing so, the certification judge did not agree with Equifax’s submission that it was settled law that the Plaintiff’s intrusion upon seclusion claim would fail. He correctly found that there was no case law on the merits of whether a Database Defendant such as Equifax “who recklessly permits a hacker attack to occur is liable for intrusion upon seclusion” (Certification Reasons, para. 117).
[6] The certification judge found that the Court of Appeal’s decision in Jones did not directly deal with that question; that Jones recognized that “[t]echnological change poses a novel threat to a right to privacy that has been protected for hundreds of years by the common law under various guises”; and that, consistent with the principles laid down in Hunt v. Carey Canada, [1990] 2 S.C.R. 959 (“Hunt v. Carey”), the law should be allowed to continue to develop and not be closed down at the pleadings stage. The certification judge also reviewed the case law in which courts have certified intrusion upon seclusion claims against Database Defendants for hacker attacks and concluded that it was not certain that the analysis in those cases could not be applied to the facts of the case before him.
[7] For the reasons that follow, I would dismiss the appeal from the certification judge’s decision. Fundamentally I agree with his analysis on whether it is plain and obvious that the Plaintiff’s claim for intrusion upon seclusion is doomed to fail. Intrusion upon seclusion is a new tort designed to protect privacy rights, which the Supreme Court of Canada has described as having “quasi constitutional” status (Douez v. Facebook, 2017 SCC 33). In a world where the threats posed to those rights by technology are growing and changing, the limits of the tort should be allowed to develop.
Factual Context
Summary of the Claim
[8] The class action claim against Equifax arises out of a hacker breach of Equifax’s computer systems that occurred from May 13, 2017 through to July 30, 2017. Equifax notified approximately 20,000 Canadians that their personal information had been accessed by the hackers. During the time period when the breach occurred, 318,342 people in Canada had subscriptions with Equifax for credit monitoring and identity theft protection services.
[9] In addition to the impacted Canadians, Equifax announced that the cybersecurity breach impacted 143 million US consumers and involved the unauthorized access to such information as Social Security numbers, names, dates of birth, addresses, drivers’ license numbers, credit card numbers and other kinds of personal information.
[10] The parties agreed that the class should be divided into three subclasses – one subclass for the claimants who had their personal information accessed during the hack (the “Access-Only Subclass”); another for those that had a contract with Equifax (the “Contract-Only Subclass”) and a third subclass who both purchased a subscription for Equifax’s products and had their personal information hacked (the “Combined Subclass”).
[11] The Plaintiff sought to certify a number of causes of action against Equifax, which varied depending on the sub-class. For the Access-Only Subclass, they sought to certify claims in negligence, intrusion upon seclusion, and breach of the provincial privacy legislation in British Columbia, Saskatchewan, Manitoba, Newfoundland and Labrador and Quebec. For the Contract-Only Subclass, they sought to certify breach of contract and consumer protection legislation claims. For the Combined Subclass, they sought to certify all claims. In addition, they sought to establish that all claimants could seek aggregate and punitive damages.
[12] Equifax raised a number of objections to the Plaintiff’s proposal to certify the above causes of action and the common issues that arose from those causes of action. Among other things, Equifax argued that the facts pleaded did not give rise to a claim of intrusion upon seclusion. The certification judge agreed with the Plaintiff’s position on the issues raised and granted the Plaintiff’s motion to certify.
The Leave Motion
[13] Equifax sought leave to appeal the certification judge’s decision to certify the intrusion upon seclusion claim. In doing so, they attacked the decision on a number of bases, which included the fact that the pleadings did not disclose allegations of conduct that would amount to recklessness and that the information at issue did not constitute the type of private information that the tort is meant to protect.
[14] Equifax obtained leave on the following question:
Did the motion judge err in finding that the tort of intrusion upon seclusion is available against collectors and custodians of private information, such as the defendants in this case, where the private information is improperly accessed by a third party, including in circumstances where the defendants are alleged to have acted recklessly?
[15] At the beginning of the appeal, the panel directed counsel not to address us on the question of whether the pleadings disclosed that the information at issue constituted private information as that was not a question encompassed by the decision to grant leave. We agreed to hear submissions with respect to the recklessness allegations, but only to the extent that these were relevant to the determination of the issue that leave was granted on – namely, could a claim of intrusion upon seclusion be brought against a collector or custodian of private information whose property was hacked by a third party?
The Certification Judge’s Decision
Summary of Relevant Facts
[16] The certification judge begins his decision with a summary of the facts alleged in the pleadings, which he accepted as true for the purposes of the test under s. 5(1)(a) of the Class Proceedings Act, 1992, S.O. 1992, c. 6. These included the following:
- A primary aspect of Equifax’s business involved selling credit-reporting services for profit. “To provide these services, [Equifax] obtain detailed and sensitive financial information about millions of Canadians and aggregated the information for resale for the purposes of providing credit ratings.” (Certification Reasons, para. 52).
- People cannot opt out of having Equifax collect their personal information.
- Equifax made representations that included the following: (1) they knew that they were a huge target for cybercriminals due to the vast amount of information that they collected; (2) data security was a top priority for them; and (3) they had advanced data protection, which included rigorous risk management programs that targeted their cybersecurity risks and was regularly reviewed and updated.
- Equifax did not provide notice to the Canadians who were affected by the security breach at issue until three months after the breach was first detected.
- Equifax’s IT security had serious deficiencies, which included a failure to meet the most basic industry standards.
- Equifax knew that their IT security was inadequate and vulnerable to hackers. In 2014, KPMG performed a security audit of Equifax’s IT system, which found, among other things, that encryption keys were left on the same public server where encrypted data was found. In 2016, Deloitte performed another security audit, which found, among other things, that Equifax had inadequate patching systems. In March of 2017, Equifax’s U.S. CEO personally oversaw a project that concluded that its protective systems were grossly inadequate. In the same month, Equifax was advised by an organization within the U.S. Department of Homeland Security of the fact that they had a specific weakness in their data collection system that was highly dangerous and easy for hackers to exploit. It was this vulnerability, among other things, that allowed hackers to execute a “remote code execution attack” in which hackers force vulnerable systems into running computer programs run by them. This in turn allows the hackers to either steal data or establish a foothold in the data collection and storage systems.
- Instead of heeding this advice, Equifax disputed some of these findings and declined to engage in a broader review of their cybersecurity. As a result, two months later, the data breach at issue began.
- Equifax has been involved in other previous incidents of failures to guard against unauthorized intrusions into their systems. In 2004, they confirmed that the records of approximately 1400 B.C. and Alberta consumers were accessed by criminals posing as legitimate customers. In 2013, Equifax revealed that hackers had obtained fraudulent access to personal data of celebrities and prominent figures. In 2016, Equifax revealed that the tax and salary data for hundreds of thousands of employees of a U.S. grocery chain was stolen in a data breach.
[17] With respect to the tort of intrusion upon seclusion, the Plaintiff pleads that Equifax’s actions constituted an intentional or reckless intrusion upon seclusion that would be highly offensive to a reasonable person.
The Principles Applicable to the Cause of Action Requirement in s. 5(1)(a) of the Class Proceedings Act
[18] The certification judge adopted the articulation of the relevant principles applicable to the cause of action requirement under s. 5(1)(a) of the Class Proceedings Act set out by Strathy J. (as he then was) in Williams v. Canon Canada Inc., 2011 ONSC 6571 at para. 176. As put by the certification judge at para. 79, those principles are:
(i) The proper approach is to apply the “plain and obvious” test that is applied on a motion to strike a claim under Rule 21, for a failure to disclose a cause of action. There is a very low threshold to prove the existence of a cause of action;
(ii) No evidence is admissible. All allegations of fact pleaded, unless patently ridiculous or incapable of proof, must be accepted as proved and assumed to be true;
(iii) The pleadings will only be struck if it is plain and obvious and beyond doubt that the plaintiff will not succeed and the action is certain to fail. The novelty of the cause of action will not militate against sustaining the plaintiff’s claim. Matters of law which are not fully settled by the jurisprudence must be permitted to proceed; and
(iv) The pleadings must be read generously to allow for drafting inadequacies or frailties and the plaintiff’s lack of access to many key documents and discovery information. (emphasis added).
[19] The certification judge carefully reviewed the leading authority from the Supreme Court of Canada, Hunt v. Carey. In that case, the defendants had submitted that the tort of conspiracy was confined to the commercial context and could not be extended to the personal injury context. They supported their submission with a reference to a passage by Wilson J. (who authored Hunt v. Carey) in which she questioned the appropriateness of extending the tort of conspiracy beyond the commercial context. Wilson J. rejected the defendants’ argument, finding that as the law on this issue was not settled, the claim should not be struck. She also found that a pleadings motion was not the place to decide whether the existing state of the law was “good law”. As the certification judge recognized, fundamental to this aspect of the reasoning in Hunt v. Carey, is the principle that “[t]he law must develop on the merits of cases, with a proper evidentiary background for the court to consider relevant policy issues” (Certification Reasons, para. 88).
Application of these Principles to the Intrusion upon Seclusion Cause of Action
[20] The certification judge did not accept that it was settled law that the intrusion upon seclusion claim of the Access-Only Subclass and Combined Subclass would fail.
[21] In reaching this conclusion, he reviewed the Court of Appeal’s decision in Jones, in which the court first recognized the cause of action and set out its elements as follows: (1) “the defendant's conduct must be intentional, within which I would include reckless”; (2) “the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns”; and (3) a “reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish” (Jones, at para. 71). The tort does not require proof of actual harm.
[22] The certification judge reviewed the court’s rationale for recognizing the tort, which included the fact that privacy is a fundamental value that the Charter and the common law have sought to protect, that routinely kept electronic databases pose a threat to our most personal information, including health and financial information, and that the common law has the capacity to evolve to respond to this threat (Jones, at paras. 66-69).
[23] The certification judge found that the decision in Jones “does not directly address whether intrusion upon seclusion could apply to a Database Defendant who recklessly permits a hacker to access a person’s private information. That issue was not before the court.” (Certification Reasons, para. 113). He also found that there was commentary in Jones that supported the view that the tort could be extended in this way, particularly Sharpe J.A.’s comments at para. 68 that “[i]t is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form” and that “[t]echnological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises”.
[24] The certification judge drew a parallel between the case at bar and the situation in Hunt where the court refused to strike a claim at the pleadings stage which sought to extend the tort of conspiracy to a different context.
[25] The certification judge reviewed the case law in which the courts have previously certified intrusion upon seclusion claims against Database Defendants and found that there were cases where such claims have been certified and it was not certain that the analysis in those cases could not be applied to the case at bar.
[26] The certification judge also reviewed the dictionary definitions of “intrude” and “invade” and U.S. case law and found that neither constituted settled law.
[27] On the issue of “recklessness”, the certification judge did not accept Equifax’s submission “that it is settled law that ‘reckless’ conduct under Jones requires ‘intentional’ conduct by a defendant to intrude or invade on the plaintiff’s private affairs such that Jones could not be applied against a Database Defendant for a hacker intrusion unless that Database Defendant intentionally or deliberately participated in the intrusion” (Certification Reasons, para. 137). In rejecting this argument, the certification judge referred, among other things, to the criminal law definition of recklessness in Sansregret v. The Queen, [1985] 1 S.C.R. 570 at p. 582, and found that it was not certain that, read generously, the conduct alleged against Equifax could not meet the high threshold in that test, namely that Equifax was aware that there was a danger that its conduct could bring about a hacker attack, but nevertheless persisted in its behaviour despite its knowledge of that risk (Certification Reasons, paras. 151-152).
Standard of Review
[28] The Ontario Court of Appeal has confirmed that “[t]he standard of review applicable to a certification judge’s determination of law that a claim discloses no reasonable cause of action is correctness” (Wright v. Horizons ETFS Management (Canada) Inc., 2020 ONCA 337, 448 D.L.R. (4th) 328, para. 56).
Was the Certification Judge Correct in Finding the Plaintiff’s Pleadings Disclosed a Cause of Action for Intrusion Upon Seclusion?
Equifax’s Position
[29] Equifax appealed the certification judge’s decision on three bases: the meaning of an “intrusive” or “invasive” act; the meaning of “recklessness” in intrusion upon seclusion; and the meaning of “private affairs” in intrusion upon seclusion. Since leave was only granted on the first issue, I will only summarize the appellant’s argument with respect to that issue. The appellant argues:
- The rules respecting pleading novel claims have changed. The Supreme Court of Canada in Atlantic Lottery Corp. Inc. v. Babstock, 2020 SCC 19, 447 D.L.R. (4th) 543 (“Babstock”) has made it clear that supposedly novel claims should not be sent to trial, but should be vetted at the pleadings stage to preserve the efficient functioning of the justice system. Babstock was decided after the certification judge’s decision in this case.
- The elements of the tort of intrusion upon seclusion were settled eight years ago in Jones, which established that the tort requires that an invasive or intrusive act be committed by the defendant, whereby the defendant improperly invades the plaintiff’s private affairs. Nothing in Jones supports the conclusion that liability for this tort can be extended to a defendant who recklessly enables a hack to occur. The principal objective of the tort is to publicly denounce deliberate misconduct that any person in the plaintiff’s position would find shocking. This rationale has no application where the defendant is not the person committing the intrusion.
- “The rules respecting pleadings – and the doctrine of stare decisis more broadly – could not function if the courts had a boundless freedom to recognize ‘novel’ claims, or an infinite liberty to redefine the elements of established causes of action.” (Equifax’s Factum, para. 26).
- The certification judge’s speculative expansion of the tort far exceeds the “incremental development principle” that is to govern the law of pleadings when it comes to novel claims. Specifically, it crosses the divide between acts and omissions, which the common law has always treated differently. Generally, the common law holds people liable for their actions, not their omissions. This distinction is even more significant when it comes to intentional torts like intrusion upon seclusion.
- In the majority of the cases against Database Defendants where the courts have found viable causes of action, the person committing the intrusive or invasive act was an employee of the defendants. Thus, the liability of the Database Defendants in those cases was founded upon a theory of vicarious liability. The limited number of cases where this was not the case are either distinguishable from the case at bar, were wrongly decided and overturned on appeal, or relied on the certification judge’s decision and a case that was overturned on appeal.
The Supreme Court of Canada’s Decision in Babstock
[30] Babstock concerned a class action that was certified against a lottery corporation constituted by the governments of four Atlantic provinces that was empowered to approve the operation of video lottery terminals. The plaintiffs claimed that these terminals were inherently dangerous and deceptive. One of the causes of action pleaded by the plaintiffs was waiver of tort, which the plaintiffs alleged allowed for “a gain-based remedy ‘to be determined at trial of common issues without the involvement of any individual class member’” (Babstock, para. 3). The claims were certified by the court in Newfoundland and Labrador, and that decision was upheld on appeal. The Supreme Court of Canada allowed the defendant’s appeal and found that none of the claims, including the claim for waiver of tort, had any reasonable chance of success.
[31] Waiver of tort has never been recognized as a cause of action in Canada. In Babstock, the plaintiffs were relying on the doctrine of waiver of tort and the broader law of restitution or unjust enrichment. There had been a line of class action certification decisions, extending over approximately 13 years, where courts had refused to find that it was plain and obvious that a cause of action for waiver of tort did not exist. The issue went before the Supreme Court of Canada in 2013, in Pro-Sys Consultants Ltd. v. Microsoft Corporation, 2013 SCC 57, [2013] S.C.R. 477 (“Pro-Sys”), where it was not resolved.
[32] In Babstock, Brown J. noted the following developments since the 2013 decision in Pro-Sys. First, the law concerning unjust enrichment had developed such that it was increasingly clear to many legal commentators that waiver of tort should not be recognized as a cause of action. Second, in 2012 Lax J. heard a 138-day class action trial, which included arguments on the scope of waiver of tort. In her judgment, Lax J. commented that the plaintiffs did not lead any policy evidence as to why waiver of tort should be available. Thus, in Babstock, the Court found that what had been a state of uncertainty about whether there should be a cause of action for waiver of tort had become much clearer. There should not.
[33] Brown J. also noted that since Pro-Sys the Court had released Hryniak v. Mauldin, 2014 SCC 7, [2014] 1 S.C.R. 87, which emphasized “the need for a culture shift to promote ‘timely and affordable access to the justice system.’” (Babstock, para. 18).
[34] In his reasons, Brown J. articulated the tension between the need to provide for the incremental development of the common law by not striking novel claims and the need not to allow claims to proceed just because they are novel as follows:
[19] Of course, it is not determinative on a motion to strike that the law has not yet recognized the particular claim. The law is not static, and novel claims that might represent an incremental development in the law should be allowed to proceed to trial. That said, a claim will not survive an application to strike simply because it is novel. It is beneficial and indeed critical to the viability of civil justice and public access thereto that claims, including novel claims, which are doomed to fail be disposed of at an early stage in the proceedings. This is because such claims present “no legal justification for a protracted and expensive trial.” If a court would not recognize such a claim when the facts as pleaded are taken to be true, the claim is plainly doomed to fail and should be struck. In making this determination, it is not uncommon for courts to resolve complex questions of law and policy. (citations omitted).
[35] Brown J. went on to consider whether waiver of tort should be considered as an independent cause of action. He noted that the plaintiffs in Babstock were seeking to pursue the remedy of disgorgement in a case that they argued was akin to negligence, but in a situation where the plaintiffs could not prove, or chose not to prove, resulting damage. According to Brown J., “disgorgement should be viewed as an alternative remedy for certain forms of wrongful conduct, not as an independent cause of action. This view follows naturally from the historical origins of unjust enrichment and gain-based remedies more generally” (para. 27). He also found that the term “waiver of tort” had generated confusion and should be abandoned. It was often taken to mean that where a plaintiff had established a tort but chose to pursue a claim to recover the defendant’s “ill-gotten gains”, the plaintiff was said to have “waived the tort”. In reality, however, instead of being an independent cause of action, waiver of tort has always operated as “nothing more than a choice between possible remedies” (para. 29).
[36] Babstock has little application to the case at bar. Unlike waiver of tort, intrusion upon seclusion has been recognized as a cause of action. Further, while it does not require proof of individual loss, that is not because the tort is nothing more than a “choice between possible remedies”, but because the tort is an intentional tort. Further, in this case, there are policy reasons for allowing the common law to evolve incrementally to test the limits of a tort designed to find liability in the case of deliberate or reckless conduct that results in significant intrusions on people’s private information. In other words, this is not a case where the cause of action was certified simply because it was a novel claim.
The Court of Appeal’s Decision in Jones
[37] Equifax alleges that the Court of Appeal did not intend for the intrusion upon seclusion tort to be expanded to Database Defendants where the information is improperly accessed by a third party. On the contrary, the court acknowledged that technological security measures were likely to be imperfect. Therefore, it was necessary to recognize a new tort to discourage and deter the actions not of data custodians, but of those who obtained unauthorized access. According to Equifax, to extend the tort to the custodian would be to allow for the imposition of liability on a party who is itself a victim of the intrusion.
[38] In Jones the appellant, Jones, discovered that the respondent, Tsige, had been surreptitiously looking at her banking records. Tsige was a bank employee with full access to Jones’ records and was in a common law relationship with Jones’ former husband.
[39] Sharpe J.A., writing for the court, found that this was a situation that “cried out for a remedy” and then examined whether it was time for the tort of intrusion upon seclusion to be recognized. He found that it should for a number of reasons, including:
- Privacy rights are important rights, which have been recognized internationally and in Canada. The right to privacy has been found to underlie specific Charter rights and freedoms. While the Charter does not apply to actions between private individuals, the Supreme Court has frequently acted so as to develop the common law in accordance with Charter values. At para. 40 of his decision, Sharpe J.A. quotes the following passage from La Forest J. in R. v. Dyment, [1988] 2 S.C.R. 417 (S.C.C.):
“In modern society, especially, retention of information about oneself is extremely important. We may, for one reason or another, wish to be compelled to reveal such information, but situations abound where the reasonable expectations of the individual that the information shall remain confidential to the persons to whom, and restricted to the purposes for which the information is divulged, must be protected.”
The importance of these rights supports the incremental development of the common law to protect these rights. However, “as a court of law, we should restrict ourselves to the particular issue posed by the facts of the case before us and not attempt to decide more than is strictly necessary to decide that case” (para. 21).
- The existence of privacy legislation is not a sound basis to halt the development of the common law in this area.
- Technological change in general and the collection and storage of private and sensitive information pose a real threat to our right to privacy. “It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to the right to privacy…” (para. 68).
- “Finally and most importantly” Sharpe J.A. concluded that the facts before him “cried out for a remedy” (para. 69).
[40] As articulated at para. 71, the key features of the tort for intrusion upon seclusion are (1) that the defendant’s conduct must be intentional or reckless; (2) that the defendant invaded, without lawful justification, the plaintiff’s private affairs or concerns; and (3) that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. Proof of harm to a recognized economic interest is not an essential element of the cause of action.
[41] Equifax relies upon the articulation of the second element to state that it is plain and obvious that the Plaintiff has no cause of action for intrusion upon seclusion. Equifax argues that it did not invade; at most it facilitated the invasion.
[42] In my view, Sharpe J.A.’s articulation of the necessary elements of the cause of action was not a final pronouncement about this cause of action. I say this for a number of reasons. First, he was clear in his reasons that he was seeking to establish a cause of action that would encompass the facts before the court in that case. There was nothing in those facts that raised the issue presented in the case at bar. Second, from a policy perspective, Sharpe J.A. was clearly driven by the need for the common law to be able to develop to protect the threats posed to privacy presented by the “routine collection and aggregation of highly personal information that is readily accessible in electronic form.” There is nothing in his reasons to indicate that that concern was limited to the third parties who actually hack the information. Again, he was not presented with a case of alleged reckless storage; he was primarily seeking to find a remedy for the facts of the case before him.
[43] Of prime concern to Sharpe J.A. was that the case before him was one that cried out for a remedy. The same could be said about the case at bar if the facts alleged in the pleadings are proven to be true. Equifax collected and stored private information about individuals who had no say in whether the information was collected about them. They did so after holding themselves out as having highly developed security systems that were kept up to date and were therefore less vulnerable to hacking. Equifax knew that their systems were vulnerable to being hacked and chose to do nothing about it, which in turn led to precisely the hack that they had been warned about. These actions facilitated an intrusion that a reasonable person could find to be highly offensive. If the Plaintiff’s action for intrusion upon seclusion is not certified, the Plaintiff may be left without a remedy as they may not be able to prove harm to a recognized economic interest. Part of the purpose of class actions is to achieve behaviour modification, which “does not only look at the particular defendant but looks more broadly at similar defendants…” (Pearson v. Inco Ltd., (2005), 78 O.R. (3d) 641 (Ont. C.A.) at para. 88).
[44] One of the concerns about allowing a claim for a potentially novel claim to proceed is that it could open the floodgates. Sharpe J.A. addressed this concern in Jones and found that because the tort is limited to “deliberate and significant invasions of personal privacy” the floodgates will not be opened. In this case, as in Jones, the allegation is that the invasion was significant and that it was deliberate, a concept that Sharpe J.A. recognized could encompass recklessness.
[45] Thus, I agree with the certification judge that Jones did not require him to refuse to certify the Plaintiff’s action for intrusion upon seclusion. I also reject Equifax’s suggestion that certifying the claim would allow liability to attach to a victim. If the allegations against Equifax are proven, they cannot be regarded as a victim, but as the author of their own misfortune. They knew there were serious risks, they knew the nature of those risks, and they were indifferent to those risks, which did in fact end up materializing. Further, they held themselves out as being able to protect against those risks.
Other Cases
[46] According to Equifax, the bulk of the cases the certification judge relied upon to find that the law on the issue before him was unsettled were certification decisions in which the intrusion against seclusion claim was against a Database Defendant who employed the hacker. As such, the Database Defendant was potentially vicariously liable for their employee’s actions.
[47] There are three decisions where this was not the case: Bennett v. Lenovo (Canada) Inc., 2017 ONSC 1082 (“Bennett”); Tucci v. Peoples Trust Company, 2017 BCSC 1525 (“Tucci”), which was overturned on appeal in 2020 BCCA 246; and Kaplan v. Casino Rama Services Inc., 2019 ONSC 2025 (“Kaplan”).
[48] In Bennett, Belobaba J. certified a claim against a computer manufacturer that had surreptitiously installed in its laptops the co-defendant’s software that gave the defendants access to what users viewed online, and which also rendered the subject laptops more susceptible to hackers. According to Equifax, the basis on which Belobaba J. certified the action was that the manufacturer defendant had itself committed an act of intrusion upon the plaintiff’s privacy by implanting the software. The same submission was made to the certification judge. To deal with it, the certification judge reviewed the pleadings and factums in Bennett. Having done so, he found that the objection to certify in Bennett was brought on the same basis as the objection to certify in this case, namely that the computer manufacturer alleged it was not the intruder, and that at most it facilitated access by third parties. Belobaba J. concluded that “[t]he intrusion upon seclusion tort is just evolving. Its scope and content have not yet been fully determined. I am therefore not persuaded that it is plain and obvious and beyond doubt that, on the facts pleaded, this particular privacy claim has not chance of success and is doomed to fail” (para. 23). I find no error in the certification judge’s analysis of the Bennett decision or in his conclusion that the reasoning in that decision was applicable to the case at bar.
[49] In Tucci, it was alleged that the bank had improper cybersecurity that enabled hackers to access personal information of bank customers. The British Columbia Supreme Court refused to strike the claim for intrusion upon seclusion against the bank, finding that this “is a relatively new tort and it should be allowed to develop through full decisions” (para. 152). However, the court found that the claim could not be brought pursuant to provincial common law because of the existence of British Columbia’s privacy legislation, which the court held was a comprehensive scheme that ousted any common law claims. According to the certification judge in that case, the claim could be pursued under federal common law. The defendant appealed on the ground that there was no claim for intrusion upon seclusion under federal common law. The British Columbia Court of Appeal agreed, but in doing so commented on the fact that no one appealed the certification judge’s finding that no arguable claim for intrusion upon seclusion exists under the law of British Columbia. The Court of Appeal endorsed the increasing need for legal protection of privacy, holding that a future case may well cause the court “to reconsider (to the extent that the existing jurisprudence has already ruled upon) the issue of whether a common law tort of breach of privacy exists in British Columbia” (para. 67). The certification judge in the case at bar relied on the British Columbia Supreme Court’s decision in Tucci. Equifax alleges that the certification judge erred in relying on the decision in Tucci since it was subsequently reversed on appeal. However, in assessing this submission it is important to note that the British Columbia Court of Appeal did not disagree with the substance of the Supreme Court’s analysis regarding whether it was plain and obvious that the claim was doomed to fail; it just found that there was no such claim under the federal common law.
[50] In Kaplan, Belobaba J. refused to strike a class action claim for intrusion upon seclusion against a casino that was targeted by a cyber-attack, as a result of which just under 11,000 people had some personal information posted online. At para. 28 of his decision, Belobaba J. makes the comment that he was “initially of the view that the inclusion upon seclusion tort…was doomed to fail on the facts of this case for one simple reason: it was the hacker, and not the defendants, who invaded the plaintiffs’ privacy.” However, he goes on to find that “given the comments of the B.C. court in Tucci and this court in Bennett and Equifax Canada – that this is a new tort that is still evolving and could conceivably support liability against defendants whose alleged recklessness in the design and operation of their computer system facilitated the hacker’s intrusion – I am not prepared to say that the intrusion upon seclusion claim is plainly and obviously doomed to fail” (para. 29). Equifax argues that Belobaba J.’s finding in Kaplan should be given less weight because it was a finding he came to reluctantly: if it were not for the findings in the other cases, he might have decided the matter differently. I reject this submission. One of the other cases, Bennett, was a decision Belobaba J. had made. Thus, Belobaba J., an experienced class action judge, has twice adopted the certification judge’s approach to the striking of a claim for intrusion upon seclusion against a Database Defendant.
Conclusion
[51] For these reasons, I find that the certification judge made no error when he refused to strike the Plaintiff’s claim for intrusion upon seclusion. The tort is a new tort, whose limits have not been fully developed at common law in Canada. The rights at issue are fundamental rights that are facing unprecedented threats. The common law should be allowed to develop in an incremental way to see how far the tort should be extended to meet those threats.
[52] Thus, I would dismiss the appeal.
H. Sachs J.
J.A. RAMSAY J. (McWatt ACJSCJ concurring)
[53] I would set aside the certification of the class proceeding on the tort of intrusion upon seclusion. Unlike my colleague, I think that Atlantic Lottery Corp. Inc. v. Babstock, 2020 SCC 19 has significant application to the case at bar. I rely on the passage cited by my colleague at paragraph 34 of her reasons. I take Brown J. to mean that novel claims that are doomed to fail should be disposed of at an early stage and that courts can do so even if this requires resolving complex questions of law and policy.
[54] The tort of intrusion upon seclusion was defined authoritatively only nine years ago. It has nothing to do with a database defendant. It need not even involve databases. It has to do with humiliation and emotional harm suffered by a personal intrusion into private affairs, for which there is no other remedy because the loss cannot be readily quantified in monetary terms. I agree that Sharpe J.A.’s definition of the tort is not necessarily the last word, but to extend liability to a person who does not intrude, but who fails to prevent the intrusion of another, in the face of Sharpe J.A.’s advertence to the danger of opening the floodgates, would, in my view, be more than an incremental change in the common law.
[55] I agree with my colleague (paragraph 43) that Equifax’s actions, if proven, amount to conduct that a reasonable person could find to be highly offensive. But no one says that Equifax intruded, and that is the central element of the tort. The intrusion need not be intentional; it can be reckless. But it still has to be an intrusion. It is the intrusion that has to be intentional or reckless and the intrusion that has to be highly offensive. Otherwise the tort assigns liability for a completely different category of conduct, a category that is adequately controlled by the tort of negligence.
[56] For that reason I respectfully disagree with the decision in Kaplan v. Casino Rama, 2019 ONSC 2025 and the motion judge’s decision in Tucci v. Peoples Trust Company, 2017 BCSC 1525. I distinguish Bennett v. Lenovo, 2017 ONSC 1082 on the basis that the manufacturer was said to have intruded by installing adware (a kind of spyware) on the computers that it sold to the public.
[57] The plaintiffs here are not without remedy. The essence of their claim has to do with risk to economic interests caused by disclosure of their financial information. It is not too much to ask that they prove their damages. See Babstock, paragraph 60. The tort of negligence protects them adequately and has the advantage that it does not require them to prove recklessness.
[58] I would allow the appeal, set aside the certification on the tort of intrusion upon seclusion and award costs to the appellant in the agreed amount: namely, $25,000.00 for the appeal and $11,300.00 for the leave application (the quantum of the leave costs was fixed by the court who granted leave).
J.A. Ramsay J.
I agree
McWatt ACJSCJ
Released: June 9, 2021

