Ontario Court of Appeal Considers Intrusion Upon Seclusion (Again)

On January 31, 2024, the Ontario Court of Appeal released its decision in Del Giudice v. Thompson 2024 ONCA 70, which again considered, amongst other issues, the necessary elements to establish the tort of intrusion upon seclusion in a data breach/misuse case.

On January 31, 2024, the Ontario Court of Appeal released its decision in Del Giudice v. Thompson 2024 ONCA 70, which again considered, amongst other issues, the necessary elements to establish the tort of intrusion upon seclusion in a data breach/misuse case. 

The proposed class action arises from the actions of a rogue employee who hacked the Capital One database containing personal information collected by the company and stored on Amazon Web Service servers. The rogue went on to post the data on a website forum for software developers to share information. As a result of the data breach, the personal financial information and other confidential information of 106 million credit card applicants became publicly accessible. Approximately six million Canadians were affected. The Plaintiffs pleaded entitlement to damages totalling $240 billion.

At the certification motion (2021 ONSC 5379), the motion judge struck the Plaintiffs’ claim, without leave to amend, on several grounds, one of which was that the pleadings failed to disclose a viable cause of action. The Plaintiffs alleged: intrusion upon seclusion; misappropriation of personality; privacy statutes; conversion; breach of trust and breach of fiduciary duty; strict liability; vicarious liability; negligence and duty to warn; and, breach of contract/negligent breach of contract. 

On appeal, the appellant Plaintiffs separated the various causes of action into data misuse claims and data breach claims. With respect to the claim of intrusion upon seclusion, the Court of Appeal referenced its decision in Owsianik, Obodo, and Winder (the “Trilogy”), which established that a hack of a database by a third party does not constitute intrusion upon seclusion by the database operator.

The Plaintiffs attempted to distinguish the matter from the Trilogy arguing that their claim was not based in negligent custodianship, but was framed as the improper retention and misuse of data, which included the aggregation and migration to a third-party platform. 

The Court held that the claim could not succeed regardless. Whether Capital One and Amazon’s alleged misdeeds were characterized as mistakes in safeguarding information or in improper retention and misuse of that information, neither characterization satisfied the test for intrusion.  Even if the Plaintiffs could succeed in showing that they had not consented to use of their information (which was doubtful), another “key element” of intrusion upon seclusion – that the conduct be of a highly offensive nature causing distress, humiliation, or anguish to a reasonable person. Here, the aggregation and sale of financial information obtained by Capital One (even if without consent) was not “highly offensive” nor could it be seen as humiliating by a reasonable person. The data was aggregated and input into algorithms for marketing purposes and did not result in any individual biographical core information being exposed to public or private view. 

The Court reviewed the remaining causes of action, and determined that they were equally inapplicable to the circumstances for reasons that included a lack of evidence or that they were improperly pleaded. The appeal was dismissed and costs were ordered in favour of the respondent Defendants. 

Takeaway: 

The key takeaway here is that the Ontario courts will not readily broaden the ambit of the tort of intrusion on seclusion to impost liability on data custodians post the Trilogy.  Aside from the significant hurdle of establishing no consent to use the personal information, such claims will also fail unless a plaintiff can demonstrate the data custodian’s engaged in highly offensive conduct resulting in distress, humiliation or anguish to a reasonable person. Where a party fails to establish that the conduct rose to this level (whether by a data custodian or not), a claim for intrusion upon seclusion will likely fail.