Winder v. Marriott International, Inc., 2022 ONSC 390

COURT FILE NO.: CV-18-00611365-00CP

DATE: 2022-01-17

ONTARIO

SUPERIOR COURT OF JUSTICE

BETWEEN:

GLENN WINDER

Plaintiff

• and –

MARRIOTT INTERNATIONAL, INC., LUXURY HOTELS INTERNATIONAL OF CANADA, ULC, and STARWOOD CANADA ULC

Defendants

COUNSEL:

Michael G. Robb, Alex Dimson, Ron Podolny, and Adam Tanel for the Plaintiff

Ranjan K. Agarwal, Ruth Promislow, Mike Eizenga and Mehak Kawatra for the Defendants

Proceeding under the Class Proceedings Act, 1992

HEARD: January 11, 2022

PERELL, J.

REASONS FOR DECISION

[1] In this proceeding under Ontario’s Class Proceedings Act, 1992,[^1] the plaintiff Glenn Winder has been granted carriage for a national proposed data breach class action against Marriott International Inc., Luxury Hotels International of Canada ULC and Starwood Canada ULC (collectively “Marriott”).[^2]

[2] Before the certification motion, the parties have agreed to state a question of law pursuant to rule 21 (1)(a) of the Rules of Civil Procedure[^3] as to whether Mr. Winder has pleaded a legally viable cause of action against Marriott for intrusion on seclusion, the tort recognized by the Court of Appeal in Jones v. Tsige.[^4]

[3] For present purposes, the critical pleaded facts are that Marriott operates chains of hotels and Marriott’s reservations database was hacked. The Class Members provided personal information to make reservations at one of Marriott’s hotel chains. The collection and aggregation of this data on computers makes it commercially valuable and alluring to criminals for use to perpetrate identity theft, fraud, and other financial crimes. Marriott promised to protect the personal information from unauthorized use. For a four year period, however, Marriott was unaware that a hacker had compromised its database and had installed malware. The hacker had the ability to extract the personal information of the Class Members that had been collected by Marriott. After the data breach was discovered, it is alleged that Marriott waited two months before it took steps to mitigate the harm to Class Members. It is alleged that Marriott’s remedial steps were of miniscule assistance to the Class Members, who were not provided with credit monitoring and other measures to protect their identities. They were not offered compensation for the harm to their privacy rights.

[4] The hacker most certainly would be liable for the commission of the tort of intrusion on seclusion. However, relying on Owsianik v. Equifax Canada Co.,[^5] Del Giudice v. Thompson,[^6] and Obodo v. Trans Union of Canada Inc.,[^7] Marriott submits that it is not liable for intrusion on seclusion. Those cases are authority for the proposition that the tort of intrusion on seclusion is doctrinally restricted to defendants who are “intruders.” Marriott’s argument is that it is a victim of the hacker and not a hacker encompassed by the tort of intrusion on seclusion.

[5] Structurally or doctrinally, apart from Mr. Winder’s clever argument, discussed below, the pleaded material facts of the immediate case are quite similar to the pleaded facts in Del Giudice v. Thompson, and I would follow that decision, which as it happens is one my own decisions. The outcome of the immediate motion would then be that Mr. Winder has not pleaded a legally viable action for intrusion on seclusion against Marriott.

[6] Structurally or doctrinally, apart from Mr. Winder’s clever argument, discussed below, the pleaded material facts of the immediate case are quite similar to the pleaded facts in Obodo v. Trans Union of Canada Inc., and I would follow that decision of Justice Glustein. Once again, the outcome of the immediate motion would then be that Mr. Winder has not pleaded a legally viable action for intrusion on seclusion against Marriott.

[7] In any event, structurally or doctrinally, apart from Mr. Winder’s clever argument, discussed below, the pleaded material facts of the immediate case are quite similar to the pleaded facts in Owsianik v. Equifax Canada Co.[^8] and I am bound by the rules of stare decisis to follow the Divisional Court’s decision. Yet, once again, the outcome of the immediate motion must then be that Mr. Winder has not pleaded a legally viable action for intrusion on seclusion against Marriott.

[8] Mr. Winder, however, contends that he has pleaded his Statement of Claim in such a way that he satisfies the constituent elements of the tort of intrusion on seclusion. He submits that he has pleaded material facts that distinguish Del Giudice v. Thompson, Obodo v. Trans Union of Canada Inc., and Owsianik v. Equifax Canada Co. He submits that the pleaded facts are such that I can arrive at a different outcome for the immediate case. He submits that Marriott is a hacker within the compass of the tort of intrusion on seclusion.

[9] In a quite clever argument, Mr. Winder submits that in the immediate case, Marriott obtained the Class Members’ highly confidential personal information deceptively, that is, by false premises, and he submits that this makes Marriott a reckless intruder who exposed sensitive stored personal information to the risk of harm. He submits that this conduct is reckless and objectively offensive to a reasonable person.

[10] In a Trojan Horse analogy, (ironically apt for a data breach case), Mr. Winder’s argument is that Marriott is an intruder to the database that housed their personal information. Like the Athenians and Spartans, whose wooden horse got them inside the formidable stone walls of Troy, were intruders, Marriott allowed the hacker into its database. Mr. Winder goes on to argue that he has pleaded the material facts for the other constituent elements of the tort of intrusion on seclusion.

[11] As admirable and imaginative as this argument is, I shall now explain why it fails. I shall begin by repeating what I said about intrusion on seclusion in Del Giudice v. Thompson at paragraphs 130-147:

130. The Plaintiffs advance claims of intrusion upon seclusion against Ms. Thompson, Capital One, and Amazon Web.[^9]

131. In Jones v. Tsige,[^10] in a judgment written by Justice Sharpe, the Ontario Court of Appeal (Winkler, CJO and Cunningham, ACJSC, ad hoc) ended the debate as to whether or not there were free-standing breach of privacy torts in Ontario.[^11] Adopting the model described in American academic legal literature,[^12] the Court of Appeal officially recognized four breach of privacy torts, one of which, misappropriation of personality, had already taken root in Ontario. The four breach of privacy torts were: (a) intrusion on seclusion, (b) public disclosure of embarrassing private facts, (c) publicity that places the plaintiff in a false light in the public eye, and (d) misappropriation of personality.

132. The elements of intrusion on seclusion are: (1) the defendant without lawful justification intrudes physically or otherwise upon the seclusion of the plaintiff in his or her private affairs or concerns; (2) the defendant’s intrusion is intentional or reckless; and (3) the invasion would be highly offensive causing distress, humiliation or anguish to a reasonable person.[^13]

133. The tort of intrusion on seclusion is only for significant invasions of personal privacy that, viewed objectively, a reasonable person would regard as highly offensive.[^14] Proof of actual harm is not an element of the cause of action, and given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum.[^15]

134. In the immediate case, as against Ms. Thompson there is a legally viable cause of action for intrusion upon seclusion as against her. However, in the immediate case, it is plain and obvious that there is no viable claim for intrusion on seclusion as against Capital One or against Amazon Web.

135. The intrusion on seclusion claims as against Capital One and Amazon Web are not legally viable for four reasons.

136. First, it was Ms. Thompson who was the intruder. Capital One and Amazon Web are alleged to have increased the risk of a data breach or to have failed to prevent the data breach. A failure to prevent an intrusion, even a reckless failure to prevent, is not an intrusion. Further, as I shall discuss below, Capital One and Amazon Web are not vicariously liable for Ms. Thompson’s misconduct.

137. During the course of the oral argument, the Plaintiffs’ reliance on the certification motion decision in Owsianik v. Equifax Canada Co.,[^16] dissipated. In the Equifax case, Justice Glustein had held that it was not plain and obvious that Equifax’s alleged reckless and negligent failure to implement adequate cybersecurity could not satisfy the recklessness element of seclusion on intrusion and that it was not plain and obvious that a person who was reckless in facilitating an intrusion on seclusion could not also be liable for intrusion. A majority of the Divisional Court disagreed.[^17] In the immediate case, I am bound to follow the decision of the Divisional Court. In the Equifax case, Justice Ramsey stated at para. 55:

138. I agree with my colleague (paragraph 43) that Equifax’s actions, if proven, amount to conduct that a reasonable person could find to be highly offensive. But no one says that Equifax intruded, and that is the central element of the tort. The intrusion need not be intentional; it can be reckless. But it still has to be an intrusion. It is the intrusion that has to be intentional or reckless and the intrusion that has to be highly offensive. Otherwise, the tort assigns liability for a completely different category of conduct, a category that is adequately controlled by the tort of negligence.

139. Adding to what Justice Ramsey said, I would add that if the tort of intrusion on seclusion would assign liability without an intrusion, then it would assign liability to categories of misconduct that are adequately controlled by an assortment of other possible torts, by statutory provisions, and by actions for breach of contract. The Court of Appeal in Jones v. Tsige, however, intended intrusion on seclusion to fill gaps in the law of privacy not pave them over.

140. Second, assuming I am wrong and the alleged misdeeds of Capital One and of Amazon Web were an intrusion, then it was not an unauthorized intrusion. The Plaintiffs’ pleadings that the applicants for credit did not authorize Capital One’s retention of personal information on the servers of Amazon Web are not capable of proof because they are belied by the terms of the Application form and by the Credit Agreement and the Privacy Policy, which are incorporated by reference into the pleading. I have highlighted above the numerous provisions in the contract documents that address the uses that can be made with the personal information.

141. Although the Plaintiffs plead that Capital One collected and used personal information for purposes to which the Class Members did not agree, the contract documents disprove this material fact. As a result, the causes of action, intrusion on seclusion, misappropriation of financial personality, breach of statutory causes of action, conversion, breach of confidence, breach of trust, breach of fiduciary duty, conversion, and strict liability that rely on that refuted material fact are certain to fail.

142. Third, the alleged misconduct of Capital One and of Amazon Web alleged to constitute an intrusion on seclusion was not intentional or reckless, which are requisite constituent elements of the tort.

143. The tort of intrusion on seclusion has a mental element of intentionality. The Plaintiffs’ pleading seeks to elevate its copious allegations of negligence into recklessness, but carelessness is not the same mental state as intentionality or recklessness. The Plaintiffs do not plead material facts that go beyond negligence, and as the discussion later in these Reasons for Decision reveals, there are proximity problems with the negligence claim against the Defendants, most particularly with respect to the negligence action against Amazon Web.

144. As a legal concept, the notion of recklessness is well developed in the criminal and civil law jurisprudence, and it is a distinct and different kind of wrongdoing different from negligence. In O’Grady v. Sparling,[^18] Justice Spence for the majority of Supreme Court of Canada stated: “The difference between recklessness and negligence is the difference between advertence and inadvertence; they are opposed, and it is a logical fallacy to suggest that recklessness is a degree of negligence.”

145. In Jones v. Tsige, in part to narrow the ambit of the tort, Justice Sharpe authenticated intrusion on seclusion as an intentional tort in which deliberate, wilful, purposeful, mindful, conduct by the defendant was a requisite constituent element and carelessness was insufficient to constitute the requisite intentionality.

146. In Broutzas v. Rouge Valley Health System,[^19] where a hospital was alleged to have been negligent in not preventing a nurse from accessing confidential medical records of childbearing patients to sell their contact information to marketers of registered education plans, I followed Justice Shape’s lead when I declined to recognize negligence as a substitute for the recklessness that was the constituent element stipulated by the Court of Appeal. In Broutzas, I stated:

147. [A]s a matter of legal policy, courts should be hesitant to introduce or impose new liabilities particularly ones that would yield a flood of claims and undermine the law’s careful regulation of liability. For example, in Martel Building Ltd. v. Canada,[^20] the Supreme Court declined to introduce a duty of care in contract bargaining, among other reasons, because to extend negligence law into the conduct of negotiations would encourage a multiplicity of needless lawsuits given the number of negotiations that do not culminate in a contract. Similarly, as a matter of legal policy, the introduction of a backstop negligence action for intrusion on seclusion against defendants at second and third degrees of proximity would undermine the careful work of the Court of Appeal in Jones v. Tsige to not open the floodgates of liability for intrusion on seclusion.

148. The fourth flaw in the Plaintiffs’ intrusion on seclusion claim is that while Ms. Thompson’s conduct would be highly offensive causing distress, humiliation, or anguish to a reasonable person, the conduct of Capital One and Amazon Web was not highly offensive. As pleaded against them, Capital One’s and Amazon Web’s conduct amounts to making mistakes in safeguarding not particularly sensitive information that largely consists of information to identify the applicant for a credit card and to provide means to contact them. Capital One’s or Amazon Web’s conduct which might be wrongful and expose them to some other cause of action, is not offensive in the requisite legal sense that would constitute the tort of intrusion on seclusion.[^21]

149. I conclude that the Plaintiffs’ cause of action for intrusion on seclusion does not satisfy the cause of action criterion as against Capital One and Amazon Web. These claims should be struck without leave to amend.

[12] With this factual and legal background, I can quite quickly explain the five reasons why Mr. Winder’s argument fails.

[13] First, I am not persuaded that the pleaded material facts of the immediate case are sufficient to make Marriott an intruder for the purposes of the tort of intrusion on seclusion. At most, it might be said that Marriott is a constructive intruder. However, a reading of the Court of Appeal’s decision in Jones v. Tsige reveals that both the letter and spirit of the Court’s decision and the policy reasons behind it, prescribe a narrow – do not open the floodgates of liability – ambit for the tort of intrusion on seclusion. The ambit of the tort does not extend to constructive intruders and is limited to real ones.

[14] Second, there is no gap in the law of privacy that needs to be filled by extending the nature of intruders. The tort of intrusion on seclusion is not needed to extend liability to defendants who obtain information by false pretenses or by breaching contractual promises or by failing to comply with statutorily imposed privacy safeguards. The law associated with negligence, breach of confidence, breach of fiduciary duty, breach of contract, and breach of statute address or could address the pleaded circumstances of the immediate case.

[15] Third, clever as the attempt is to fashion an extension to the tort of intrusion on seclusion, the essence of the Class Members’ claims, their pith and substance so to speak, are the other causes of action with their well-established doctrinal elements. Contrary to the doctrinal and legal policy concerns emanating from the Court of Appeal’s decision in Jones v. Tighe, extending the tort of intrusion on seclusion to constructive intruders would open the “floodgates” and would ascribe liability adequately controlled by other causes of action.

[16] Fourth, while there are advantages to a class member having a claim for the tort of intrusion because of its prospect of supporting a claim for class-wide aggregate damages, the availability of a cause of action is determined by the substantive law not by the tactical and strategic imperatives of a procedural regime or by the aspirations of the parties for negotiating leverage.[^22]

[17] Fifth, ultimately the case at bar is indistinguishable factually, doctrinally and on legal policy grounds from Owsianik v. Equifax Canada Co., Del Giudice v. Thompson, and Obodo v. Trans Union of Canada Inc. I am bound to follow those decisions.

[18] For the above reasons, I conclude that the Plaintiff’s Statement of Claim does not disclose a cause of action against Marriott for the tort of intrusion on seclusion.

[19] The parties have agreed that there shall be no order as to costs.

Perell, J.

Released: January 17, 2022.

COURT FILE NO.: CV-18-00611365-00CP

DATE: 20220117

ONTARIO

SUPERIOR COURT OF JUSTICE

BETWEEN:

GLENN WINDER

Plaintiff

• and -

MARRIOTT INTERNATIONAL, INC., LUXURY HOTELS INTERNATIONAL OF CANADA, ULC, and STARWOOD CANADA ULC

Defendants

REASONS FOR DECISION

PERELL J.

Released: January 17, 2022

[^1]: S.O. 1992, c. 6. [^2]: Winder v. Marriott International Inc., 2020 ONSC 7701; Winder v. Marriott International Inc., 2019 ONSC 5766. [^3]: R.R.O. 1990, Reg. 194. [^4]: 2012 ONCA 32. [^5]: 2021 ONSC 4112 (Div. Ct.). [^6]: 2021 ONSC 5379. [^7]: 2021 ONSC 7297. [^8]: 2021 ONSC 4112 (Div. Ct.). [^9]: Fresh as Amended Statement of Claim, paragraphs 1©, 34, 54, 62, 82, 94, 114, 117, 118, 128, 131. [^10]: 2012 ONCA 32. [^11]: In Somwar v. McDonald's Restaurants of Canada Ltd. (2006), 79 O.R. (3d) 172 (S.C.J.) and Nitsopoulos v. Wong, [2008] O.J. No. 3498 (S.C.J.), Justice Stinson and Justice Aston respectively held that it was not plain and obvious that there was no free-standing tort action for invasion of privacy. [^12]: S.D. Warren & L.D. Brandeis, "The Right to Privacy" (1890) 4 Harv. L. R. 193 and William L. Prosser, "Privacy" (1960), 48 Cal. L. R. 383. [^13]: Hopkins v. Kay, 2014 ONSC 321, affd 2015 ONCA 112, leave to appeal to SCC refd. [2015] S.C.C.A. No. 157; Jones v. Tsige, 2012 ONCA 32. [^14]: Broutzas v. Rouge Valley Health System, 2018 ONSC 6315 at paras. 137-139; Jones v. Tsige, 2012 ONCA 32 at para. 72. [^15]: Jones v. Tsige, 2012 ONCA 32 at paras. 71-75. [^16]: 2019 ONSC 7110, sub. nom Agnew-Americano v. Equifax Canada Co., leave to appeal to Div. Ct. granted, 2020 ONSC 5761 (Div. Ct.), var’d . 2021 ONSC 4112 (Div. Ct.). [^17]: Owsianik v. Equifax Canada Co. 2021 ONSC 4112 (Div. Ct.)(McWatt ACJSCJ., Sachs, and Ramsay JJ.), rev’g sub. nom Agnew-Americano v. Equifax Canada Co. on this point 2019 ONSC 7110. [^18]: [1960] S.C.R. 804 at p. 808 (Kerwin C.J., Taschereau, Fauteux, Abbott, Martland, Judson and Ritchie JJ.: dissenting). See also: Peracomo Inc. v. TELUS Communications Co., 2014 SCC 29; Hurst v. PriceWaterhouseCoopers (PwC) LLP, [2009] O.J. No. 1415 (S.C.J.); R. v. Gosset, [1993] 3 S.C.R. 76; R. v. Tutton, [1989] 1 S.C.R. 1392; Sansregret v. The Queen, [1985] 1 S.C.R. 570. [^19]: 2018 ONSC 6315 at para. 211. [^20]: 2000 SCC 60 [^21]: Setoguchi v Uber B.V. 2021 ABQB 18 at para. 52; Wiseau Studio LLC v. Harper, 2020 ONSC 2504; Broutzas v. Rouge Valley Health System 2018 ONSC 6315; Larizza v. The Royal Bank of Canada, 2017 ONSC 6140 at para. 59; aff’d 2018 ONCA 632; Jones v. Tsige, 2012 ONCA 32 at para. 72. See also: Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358 (2010); Busse v. Motorola, Inc. 351 Ill. App. 3d 67 (2004). [^22]: For class proceedings purposes, it is, in any event, salutary to decide the scope of intrusion on seclusion one way or the other at the outset of the proceedings. In this regard, the saga of waiver of tort, the scope of which took a decade to resolve is informative. The parties in the immediate case are to be commended for bringing forward the question of law in the immediate case.