In Owsianik v. Equifax Canada Co. (Ont CA, 2022) the Court of Appeal considered an appeal (along with two other case released simultaneously) from motion orders below that declined class action certification of privacy claims in a larger class action. The issue was whether credit reporting agencies who had their stored data hacked were liable under the 'intrusion on seclusion' tort doctrine of Jones v Tsige (they weren't).
In these quotes the court characterizes credit reporting agencies generally:
 Equifax and related companies (referred to collectively as “Equifax”) operate around the world providing credit reporting services and credit protection services to customers. For the purposes of providing credit ratings to its customers, Equifax collects and aggregates financial and other information relating to millions of individuals and various corporate entities (“consumers”). The information gathered by Equifax is organized and analyzed by Equifax to assist its customers in assessing the credit worthiness of the consumers to whom the information relates. Those consumers do not give Equifax permission to accumulate or analyze the data, and have no control over Equifax’s collection of the data.
 In addition to providing credit ratings, Equifax also provided clients with services intended to protect those clients from fraud, identity theft, and other financial crimes. Equifax accumulated and stored information pertaining to those clients for the purposes of providing those services.
The author has waived all copyright and related or neighboring rights to this Isthatlegal.ca webpage.