Simon's Megalomaniacal Legal Resources

Torts - Infringement of Privacy (2)

. Broutzas v. Rouge Valley Health System

In Broutzas v. Rouge Valley Health System (Div Court, 2023) the Divisional Court briefly canvassed the elements of the 'intrusion upon seclusion' tort:

[19] The components of the tort of intrusion upon seclusion were set out by the Ontario Court of Appeal in Jones v. Tsige[6] to include three elements: (1) that the defendant engaged in intentional or reckless conduct, (2) that the conduct involved an intrusion, without lawful justification, into the plaintiff’s private affairs or concerns, and (3) that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. If those three components are established, the behaviour is actionable without proof of damages.

. Ontario v. Madan

In Ontario v. Madan (Ont CA, 2023) the Court of Appeal briefly states elements of the privacy tort (intrusion upon seclusion):

[39] The tort of invasion of privacy, or intrusion upon seclusion, is complete when the alleged tortfeasor invades or intrudes upon the private affairs or concerns of another. That invasion or intrusion must be intentional or reckless, and it must be sufficiently serious that a reasonable person would regard the invasion of privacy as highly offensive causing distress, humiliation or anguish: Jones v. Tsige, 2012 ONCA 32, 108 O.R. (3d) 241, at para. 71; Owsianik v. Equifax Canada Co., 2022 ONCA 813, at paras. 53-54. The tort is complete without proof of pecuniary damage: Jones, at para. 71.

[40] The tort of intrusion upon seclusion seeks to protect the integrity and autonomy of one’s personal information through the recognition of one’s right to control access to, dissemination of, and use of one’s private information by others. ....

. Owsianik v. Equifax Canada Co. [data theft]

In Owsianik v. Equifax Canada Co. (Ont CA, 2022) the Court of Appeal considered an appeal (along with two other case released simultaneously) from motion orders below that declined class action certification of privacy claims in a larger class action. The issue was whether credit reporting agencies who had their stored data hacked were liable under the 'intrusion on seclusion' tort doctrine of Jones v Tsige (they weren't).

In these quotes to court finds that the Jones privacy tort did not encompass such 'stolen' data:

[40] Some of the factors in Babstock outlined above exist in this case. No decision has held that the tort of intrusion upon seclusion applies to Database Defendants based on negligent or reckless storage of private information. Such claims have been certified in class actions, but on the basis that it is not “plain and obvious” the claim cannot succeed: e.g., Bennett v. Lenovo (Canada) Inc., 2017 ONSC 1082, at paras. 8, 17, 23 and 36; see also Kaplan v. Casino Rama, 2019 ONSC 2025, 145 O.R. (3d) 736, at paras. 28-29[5]; Tucci v. Peoples Trust Company, 2020 BCCA 246, 41 B.C.L.R. (6th) 250, at paras. 53-88, rev’g in part 2017 BCSC 1525. The legal viability of the intrusion upon seclusion claim is also amenable to determination based exclusively on the facts as pleaded. There is no reason to think evidence adduced at the trial would have any effect on the determination of whether, as a matter of law, the tort could apply to Database Defendants whose failure to properly protect the data permits independent hackers to access the data.

....

[50] I accept that there are legitimate arguments on both sides of the debate over the legal viability of the intrusion upon seclusion claim against Database Defendants. The parties did not refer to any appellate authority in Canada or elsewhere in the Commonwealth directly on point. However, uncertainty in the law did not require the motion judge to decline to resolve the legal question at the certification stage. Four factors offered strong justification for deciding the legal viability of this claim on the certification motion:

. the question fell to be answered on the facts as pleaded. There was no dispute as to the facts that were relevant and material to the legal viability of the cause of action pleaded. There was no chance any evidence could be led at trial that would impact on the answer to the legal question posed;

. there was no unfairness to either party in deciding the merits of the legal question on the pleadings motion;

. the issue was fully briefed and argued on the pleadings motion; and

. the institutional considerations articulated in Babstock favoured deciding the legal question on the merits.

....

(ii) Can Equifax be liable for the tort of intrusion upon seclusion?

[52] Having concluded the majority in the Divisional Court properly addressed the legal viability of the intrusion upon seclusion claim, it remains for me to explain why I agree with the conclusion reached by the majority.

[53] The tort of intrusion upon seclusion is one of several intentional torts which, when taken together, provide “broad protection of the plaintiff’s personal integrity and autonomy”: Philip H. Osborne, The Law of Torts, 6th ed. (Toronto: Irwin Law, 2020), at p. 268. Generally speaking, intentional torts require that the defendant engage in the proscribed conduct with a specified state of mind.

[54] The elements of the tort of intrusion upon seclusion are laid down in Jones, at para. 71. I would describe them as follows:

. the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the conduct requirement];

. the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and

. a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish [the consequence requirement].

[55] In Jones, the conduct component of the tort was never in dispute. The defendant admitted that she had, without lawful excuse, taken advantage of her employment to look at the plaintiff’s banking records and related information on 174 occasions. On any definition, the defendant’s conduct amounted to a deliberate invasion by her of the plaintiff’s personal privacy: Jones, at paras. 57, 72.

[56] The conduct component is very much in issue in this case. Equifax stored the data and accessed and used the data for commercial purposes. That is not, however, the conduct which is alleged to have constituted the interference with the plaintiffs’ privacy. As set out above (at para. 23), the alleged intrusion occurred when:

The defendants failed to take appropriate steps to guard against unauthorized access to sensitive financial information involving the Class Members’ private affairs or concerns.

[57] On the allegation made, Equifax failed to take steps to prevent independent hackers from conduct that clearly invaded the plaintiffs’ privacy interests in the documents stored by Equifax. Equifax did not, however, itself interfere with those privacy interests. The wrong done by Equifax arose out of Equifax’s failure to meet its obligations to the plaintiffs to protect their privacy interests. Like the majority in the Divisional Court, I conclude the claim fails at this fundamental level. There is simply no conduct capable of amounting to an intrusion into, or an invasion of, the plaintiff’s privacy alleged against Equifax in the claim: Owsianik, at para. 55; see also Del Giudice v. Thompson, 2021 ONSC 5379, 71 E.T.R. (4th) 23, at paras. 137-38.

[58] Ms. Owsianik submits that her claim does allege an intrusion upon seclusion because she pleads that the defendant acted recklessly. Jones recognizes that recklessness will suffice to establish liability.

[59] Ms. Owsianik’s submission misunderstands the relationship between the two elements of the tort. The first element, the conduct requirement, requires an act by the defendant which amounts to a deliberate intrusion upon, or invasion into, the plaintiffs’ privacy. The prohibited state of mind, whether intention or recklessness, must exist when the defendant engages in the prohibited conduct. The state of mind must relate to the doing of the prohibited conduct. The defendant must either intend that the conduct which constitutes the intrusion will intrude upon the plaintiffs’ privacy, or the defendant must be reckless that the conduct will have that effect. If the defendant does not engage in conduct that amounts to an invasion of privacy, the defendant’s recklessness with respect to the consequences of some other conduct, for example the storage of the information, cannot fix the defendant with liability for invading the plaintiffs’ privacy.

[60] Intention is established if the defendant meant to intrude upon the privacy of the plaintiff or knew that it was a substantially certain consequence of the act which constitutes the intrusion: see Piresferreira v. Ayotte, 2010 ONCA 384, 319 D.L.R. (4th) 665, at paras. 72-75, leave to appeal refused, [2010] S.C.C.A. No. 283. Recklessness, also a subjective state of mind, refers to the realization at the time the prohibited conduct is being done that there is a risk that the conduct will intrude upon the privacy of the plaintiffs, coupled with a determination to nonetheless proceed with that conduct: see Demme v. Healthcare Insurance Reciprocal of Canada, 2022 ONCA 503, 83 C.C.L.T. (4th) 1, at paras. 62-64. The degree of recklessness required to fix liability can vary and need not be addressed in these reasons.

[61] In summary, the claim brought against Equifax fails at the conduct component of the tort of intrusion upon seclusion. Equifax’s negligent storage of the information cannot in law amount to an invasion of, or an intrusion upon, the plaintiffs’ privacy interests in the information. Equifax’s recklessness as to the consequences of its negligent storage cannot make Equifax liable for the intentional invasion of the plaintiffs’ privacy committed by the independent third-party hacker. Equifax’s liability, if any, lies in its breach of a duty owed to the plaintiffs, or its breach of contractual or statutory obligations.

[62] Counsel on behalf of Ms. Owsianik submits that the extension of the tort from the actual intruder to entities who fail to adequately protect information in their possession is, like the recognition of the tort in Jones, an incremental development in the common law: Jones, at para. 65. Counsel contends that the development is fully justified, given the state of the law in other jurisdictions, the realities of modern technology, the threats to individual privacy posed by the accumulation of large amounts of private information, and the absence of any effective remedy for persons whose information held in databases is accessed and used improperly.

[63] I do not agree that extending liability for the commission of the intentional tort of invasion of privacy by a stranger to Equifax would amount to an incremental change in the law. The extension of the common law proposed in this submission would not be a small step along a well-established path, but would be a giant step in a very different direction: see Merrifield v. Canada (Attorney General), 2019 ONCA 205, 145 O.R. (3d) 494, at paras. 20-26, leave to appeal refused, [2019] S.C.C.A. No. 174.

[64] On the alleged facts, Equifax did not unlawfully access any information. No one acting on Equifax’s behalf, or in consort with Equifax, did so. No one for whom Equifax could be held vicariously liable accessed any private information. A third-party stranger to Equifax accessed the information.

[65] To impose liability on Equifax for the tortious conduct of the unknown hackers, as opposed to imposing liability on Equifax for its failure to prevent the hackers from accessing the information, would, in my view, create a new and potentially very broad basis for a finding of liability for intentional torts. A defendant could be liable for any intentional tort committed by anyone, if the defendant owed a duty, under contract, tort, or perhaps under statute, to the plaintiff to protect the plaintiff from the conduct amounting to the intentional tort. The security guard who fell asleep on the job, recklessly allowing an assailant to assault the person who the security guard was obliged to protect, would become liable for battery. The garage operator who negligently, and with reckless disregard to the risk of theft, left the keys in a vehicle entrusted to his care, would become a thief if an opportunistic stranger stole the car from the garage parking lot.

[66] Not only would the scope of intentional torts expand, that expansion would radically reconfigure the border between the defendant’s liability for the tortious conduct of third parties, and the defendant’s direct liability for its own failure to properly secure the information of the plaintiffs. The distinction between the two forms of liability is made clear in Fullowka v. Pinkerton’s of Canada Ltd., 2010 SCC 5, [2010] 1 S.C.R. 132. In that case, the plaintiffs sued Pinkerton’s (and others) who were responsible for mine safety during a violent strike. The plaintiffs alleged Pinkerton’s had failed to protect the victims who were killed in a bombing caused by a striker. Cromwell J., for a unanimous court, explained the nature of Pinkerton’s’ potential liability, at paras. 16-17:

The appellants do not allege that either Pinkerton’s or the Government actually inflicted the fatal injuries on the murdered miners; rather, they allege that Pinkerton’s and the government breached a duty to take reasonable care to prevent the harm inflicted by Mr. Warren [the bomber]. The Court of Appeal characterized this as a claim that Pinkerton’s and the government were liable for Mr. Warren’s tort (para. 98). This however is not the right way to frame the issue because it does not accurately reflect the appellants’ claims.

We are here concerned with allegations of direct liability. Simply put, the appellants do not claim that Pinkerton’s and the government are responsible for Mr. Warren’s tort; the claim is that they were negligent in trying to prevent it. The appellants’ position is that primary liability should be imposed based on the fault of these two defendants [citation omitted]. The question is not, therefore, whether these defendants are responsible for the tort of another, but whether they, in relation to another’s tort, failed to meet the standard of care imposed on them and thereby caused the ultimate harm. [Emphasis added.]

[67] The words of Cromwell J. ring true here. On a reading of the actual allegations in the Statement of Claim, the real complaint against Equifax is that it failed to guard the information it was duty-bound to protect.

[68] The law relating to a defendant’s potential liability for the tortious conduct of “strangers” is well-developed in Canada and in England. That law will impose liability on Equifax if the plaintiff can show that Equifax had an obligation at tort, under contract, or perhaps under statute, to protect the private information stored in its database from access by third-party hackers, and failed to do so, thereby causing economic harm to the plaintiffs: see e.g., Rankin (Rankin’s Garage & Sales) v. J.J., 2018 SCC 19, [2018] 1 S.C.R. 587; P. Perl (Exporters) Ltd. v. Camden London Borough Council, [1983] EWCA Civ 9, [1984] Q.B. 342; and Lewis N. Klar & Cameron Jefferies, Tort Law, 6th ed. (Toronto: Carswell, 2017), at pp. 598-604. The law as it exists properly fixes liability on the defendant for the defendant’s misconduct and provides remedies consistent with the remedies available in contract and negligence for that kind of misconduct. I am not persuaded there are deficiencies in the present law calling out for the drastic change endorsed by the appellant.

[69] The appellant further argues that expanding the tort of intrusion upon seclusion the way she suggests is consistent with American caselaw. The parties in all three proceedings have referred to various American authorities said to support their respective positions on the expansion of the tort to include negligent Database Defendants.

[70] There can be no doubt that the American jurisprudence has long recognized the right to privacy as important and worthy of the protection of tort law. It is equally clear that the analysis in Jones was heavily influenced by American commentary. However, as is often the case, the sheer quantity of American caselaw and the different statutory provisions at play in many of the cases, make it difficult to arrive at any generalized conclusion about the state of the law.

[71] The cases relied on by the Database Defendants offer direct support for their position. Negligence cannot morph or be transformed into an intentional tort: see e.g., Allgood v. Paperlesspay Corp., 2022 WL 846070 (M.D. Fla.); Burton v. MAPCO Exp., Inc., 47 F. Supp. (3d) 1279 (N.D. Ala. 2014); Stephens v. Availity, 2019 WL 13041330 (M.D. Fla.); Purvis v. Aveanna Healthcare, LLC, 563 F. Supp. (3d) 1360 (N.D. Ga. 2021); and Damner v. Facebook Inc., 2020 WL 7862706 (N.D. Cal.).

[72] In contrast, the cases relied on by the appellants do not directly support their position. This, to a large extent, is because the outcomes of those cases turn on other legal principles. Some cases are explained by vicarious liability: see e.g., Savidge v. Pharm-Save, Inc., 2021 WL 3076786 (W.D. Ky.); McKenzie v. Allconnect, Inc., 369 F. Supp. (3d) 810 (E.D. Ky. 2019); and Carter v. Innisfree Hotel, Inc., 661 So. (2d) 1174 (Ala. 1995). Some cases are explained by statutory liability: see e.g., In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F. (3d) 625 (3rd Cir. 2017). Some cases are explained by liability for other torts, like nuisance, trespass and negligence: see e.g., Moore v. New York Elevated Railroad Co., 130 N.Y. 523 (1892); Remijas v. Neiman Marcus Group, LLC, 794 F. (3d) 688 (7th Cir. 2015).

[73] The American cases relied on by the appellants do affirm the importance of privacy rights and several of them affirm that a real injury can be suffered when there is a loss of privacy. The cases also make clear that a negligent actor can be held liable for reasonably foreseeable harms to which their actions give rise, including reasonably foreseeable intentional harms committed by independent third parties: see e.g., Carter; Thetford v. City of Clanton, 605 So. (2d) 835 (Ala. 1992). This, however, does nothing to support the view that negligent parties in this position should also be held liable for the intentional torts.

[74] In my view, the state of the American jurisprudence does not provide a justification for extending the tort to negligent database defendants.

[75] Ms. Owsianik submits that the remedies available against Equifax in a claim based on breach of contract, negligence, or breach of a statute, are inadequate. She contends that just as in Jones, she and her fellow victims are left in circumstances that “cry out for a remedy”: Jones, at para. 69.

[76] In Jones, the plaintiff had no remedy of any kind against the defendant who had intentionally invaded her privacy. Ms. Owsianik and the other class members have a remedy against the hackers who intentionally invaded their privacy. They can sue for invasion of privacy. No doubt, they face a very real problem. In most cases it will be impossible to identify, much less sue, the hackers. The inability to sue the actual hackers is not, however, justification for creating a remedy against a different defendant who has committed a different tort for which the plaintiffs have all the usual remedies available to them. The inability to successfully sue the hacker is no reason to make a Database Defendant liable, not only for its own wrongdoing, but also for the invasion of privacy perpetrated by the hacker.

[77] To award “moral damages” against Equifax for what is essentially its negligence or breach of contract runs contrary to the very purposes underlying the award of such damages. Moral damages are awarded to vindicate the rights infringed, and in recognition of the intentional harm caused by the defendant. These purposes are served only if the damages are awarded against the actual wrongdoer, that is the entity that invaded the privacy of the plaintiff.

[78] Ms. Owsianik and the other plaintiffs have remedies against Equifax. Those remedies are the same remedies available to anyone who can prove the claims advanced in tort, contract, and statute by the plaintiffs against Equifax.

[79] The plaintiffs’ “no remedy” argument really comes down to the assertion that because the remedies available in contract and negligence require proof of pecuniary loss, the plaintiffs who cannot prove pecuniary loss are left with no remedy. With respect, this is not what the court meant in Jones when it described the plaintiff as being without remedy. The plaintiffs here are in the same position as anyone else who advances the kind of claim the plaintiffs have advanced here. Because the claim sounds in negligence and contract, the plaintiffs must prove pecuniary loss. The plaintiffs’ position is miles away from the predicament faced by the plaintiff in Jones.

[80] While it cannot be said the plaintiffs are left without a remedy, it is true that the inability to claim moral damages may have a negative impact on the plaintiffs’ ability to certify the claim as a class proceeding. In my view, that procedural consequence does not constitute the absence of a remedy. Procedural advantages are not remedies.

[81] The plaintiffs have not made out the case for extending the tort of intrusion upon seclusion to Database Defendants whose negligent storage of information permits independent hackers to access that information. That is not to say that the risk to privacy presented by the accumulation of private information by Database Defendants is not real. It may be that existing common law remedies do not adequately encourage Database Defendants to take all reasonable steps to protect the private information under their control. Parliament and provincial legislatures have enacted legislation intended to protect informational privacy. It is certainly open to Parliament and the legislatures to expand these protections to provide for what Parliament and the legislatures might regard as more effective remedies against Database Defendants who do not take proper steps to secure the information under their control.

. Stewart v. Demme

In Stewart v. Demme (Div Ct, 2022) the Divisional Court reverses a class action certification involving thousands of medical records that were accessed in the course of medication theft:

Analysis

[15] It is clear from the certification judge’s reasons that for him, this case was a close call. While the facts did not “cry out for a remedy” this could be dealt with by a small award of damages. His decision to certify the action was also influenced by the “nature of the privacy interest infringed” and that “any intrusion – even a very small one – into a realm as protected as private health information may be considered highly offensive….”

[16] In reasoning this way, it is my view (and I say this with great respect) that the certification judge erred in how he interpreted Jones. Not every intrusion into private health information amounts to a basis to sue for the tort of intrusion upon seclusion. The particular intrusion must be “highly offensive” when viewed objectively having regard to all the relevant circumstances. If the case does not “cry out for a remedy”, it is a signal that the high standard for certification of this limited tort may not be met.

[17] In Jones, the Court of Appeal began its analysis by reviewing the case law in various jurisdictions, including Ontario, the United States and England to examine two questions: does Ontario recognize a cause of action for invasion of privacy and, if it does not, should it? On the first question, Sharpe J.A. found that while “[a]spects of privacy have long been protected by causes of action such as breach of confidence, defamation, breach of copyright, nuisance and various property rights…the recognition of a distinct right of action for breach privacy remains uncertain”: Jones, at para. 15.

[18] The Court of Appeal then looked at the Ontario case law and concluded that Ontario courts remain open to the proposition that there should be a tort such as intrusion upon seclusion. While there had been no definitive statement from an appellate court in Canada to this effect, Ontario judges had refused to dismiss such claims at the pleadings stage.

[19] The Court concluded that it was time for it to “confirm the existence of a right of action for inclusion upon seclusion”: ibid, at para. 65. Its rationale for doing so was fourfold:

(1) The case law and legal scholars support the “existence of a such a cause of action”: ibid, at para. 66. Privacy is an important underlying value and Charter jurisprudence identifies the right to informational privacy as worthy of protection.

(2) Technological change has motivated the need to protect the individual’s right to privacy. Routinely kept electronic databases make our most personal information available and vulnerable: ibid, at para. 67.

(3) The common law has the capacity to evolve to respond to this problem: ibid, at para. 68.

(4) “Finally, and most importantly, we are presented in this case with facts that cry out for a remedy. While Tsige is apologetic and contrite, her actions were deliberate, prolonged and shocking. Any person in Jones’ position would be profoundly disturbed by the significant intrusion into her highly personal information. The discipline administered by Tsige’s employer was governed by the principles of employment law and the interests of the employer and did not respond directly to the wrong that had been done to Jones. In my view, the law of this province would be sadly deficient if we were required to send Jones away without a legal remedy”: ibid, at para. 69 (emphasis added).

[20] Directly after this statement, the Court sets out the elements of the cause of action for intrusion upon seclusion: (1) the defendant’s conduct must be intentional; (2) “the defendant must have invaded, without lawful justification, the plaintiff’s private affairs”; and (3) “a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish”: ibid, at para. 71.

[21] As stated by the Court at para. 72, “[t]hese elements make it clear that recognizing this cause of action will not open the floodgates. A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of privacy. Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records…that, viewed objectively on the reasonable person standard, can be described as highly offensive.”

[22] Thus, it is clear that while the phrase “cry out for a remedy” is not an element of the cause of action, it does inform what the elements of the cause of action are designed to do – they are designed to offer a remedy in situations where the privacy intrusion is very serious, not any privacy intrusion. Hence the need for the intrusion to be significant and deliberate and the need for an objectively reasonable person to view the intrusion as highly offensive, “causing distress, humiliation or anguish.” The fact that this is a “no actual damages tort” means that it should only be available in particularly serious instances.

[23] There are several statements in the certification judge’s reasons that make it clear that it was his view that because the intrusion was one into hospital health records, it could be regarded as “highly offensive” even if it was fleeting, the information accessed was at the low end of sensitive and the motive behind the intrusion was not to obtain the information but to obtain drugs.

[24] In this case, as put by one counsel, the information was a “key” needed to unlock a drawer that contained drugs. In this context, it is also important to remember that the significance of the intrusion is to be assessed individually, not collectively. The fact that there were over 11,000 such intrusions does not mean that each intrusion was significant and highly offensive.

[25] At para. 70 of his reasons, the certification judge notes that “privacy is not an ‘all-or-nothing concept.’” Thus, according to him, “different privacy contexts when breached may lead to different legal consequences.” He then refers to Jones, (particularly para. 72, quoted above) and concludes his reasons by saying that “any intrusion – even a very small one – into a realm as protected as private health information may be considered highly offensive and therefore actionable.” In other words, any intrusion into private health records, no matter how small, may be considered highly offensive. This conclusion echoes the argument put forward by the Plaintiff.

[26] I disagree. This is not what Jones says. To repeat para. 72 of Jones:

These elements make it clear that recognizing this cause of action will not open the floodgates. A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy. Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.

[27] This paragraph does not say that any intrusion into personal health information, however minimal and fleeting, can be described as “highly offensive.” What it says is that not all informational privacy is worthy of protection under this tort; it is only certain information, which may include health information, that is worthy of protection. However, to meet the threshold for the tort of intrusion upon seclusion, the intrusion must still be deliberate and significant to be considered “highly offensive.” To find otherwise would be to “open the floodgates” to claims such as the one at issue in this proceeding, where the intrusions were fleeting, the information accessed was not particularly sensitive within the realm of health information, the intruder was not “after” the information itself, which was otherwise available to her and/or a number of other hospital staff, and there was no discernible effect on the patients.

. Owsianik v. Equifax Canada Co.

In Owsianik v. Equifax Canada Co. (Div Ct, 2021) the Divisional Court considered (but dismissed) the potential for an interesting new development on the doctrine established in Jones v Tsige (Ont CA, 2012), here in a class action certification appeal. The claim alleged that Equifax, the credit bureau agency, breached the privacy doctrine by allowing a third party to break into it's database and compromise the privacy rights of a multitude of people whom Equifax accumulated credit rating information on. The issue was whether the doctrine required direct intrusion by the defendant, or whether it could be sustained by the defendant's alleged recklessness which allowed a third party's intrusion into Equifax's database. An extensive dissent by Sachs J would have tolerated having the certification maintained on appeal to fully explore this merits issue at trial, while the majority held that - in light of Atlantic Lottery Corp. Inc. v. Babstock (SCC, 2020) - that the certification issue could and should be decided at the motion stage.

The case is interesting for the possibility of it proceeding higher, perhaps further extending the Jones v Tsige doctrine.