No civil claim for misappropriated contact information says Ont SCJ

3 Nov

On October 25th the Ontario Superior Court of Justice dismissed certification motions in two actions that claimed damages for the misappropriation of contact information from a hospital information system. The information was taken and used to sell RESPs to the families of newborns.

Most significantly, the Court held there was no viable cause of action for intrusion upon seclusion because the information that was misappropriated did not support a breach that was serious enough to meet the standard established by the Court of Appeal for Ontario in Jones v Tsige. Justice Perell explained:

[151]      I generally agree with the Defendants’ arguments. It is plain and obvious in the case at bar that there is no tenable cause of action for intrusion on seclusion because there was no significant invasion of personal privacy and a reasonable person would not find the disclosure of contact information without the disclosure of medical, financial, or sensitive information, offensive or a cause for distress humiliation and anguish. The contact information that was the objective of the intrusion in the immediate case was not private, there was not a significant invasion of privacy, and the invasion of privacy was not highly offensive to an objective person.

[152]      In other words, in the immediate case, it is not the case that the disclosure of just contact information intrudes on the class members’ significant private affairs and concerns, and in the immediate case, it is not the case that the disclosure of contact information would be highly offensive to a reasonable person and cause her distress, humiliation, and anguish.

[153]      Generally speaking, there is no privacy in information in the public domain, and there is no reasonable expectation in contact information, which is in the public domain, being a private matter. Contact information is publicly available and is routinely and readily disclosed to strangers to confirm one’s identification, age, or address. People readily disclose their address and phone number to bank and store clerks, when booking train or plane tickets or when ordering a taxi or food delivery. Many people use their health cards for identification purposes. Save during the first trimester, the state of pregnancy, and the birth of child is rarely a purely private matter. The news of an anticipated birth and of a birth is typically shared and celebrated with family, friends, and colleagues and is often publicized. The case at bar is illustrative. All the proposed representative plaintiffs were not shy about sharing the news of the newborns.

Much will be said about this judgement. Here are some thoughts.

First. There’s an ambiguity . Justice Perell says there’s no reasonable expectation of privacy in the circumstances and the invasion is not “highly offensive.” How can there be an invasion if there’s no reasonable expectation of privacy? Reading the analysis as a whole, Justice Perell seems to be saying that there is an expectation of privacy (and a privacy breach), but not one that meets the “highly offensive” standard set in Jones v Tsige. This is a first.

Second. Justice Perell doesn’t use the “reasonable expectation of privacy” concept to delineate whether or not there has been an intrusion. I wish he did. For clarity’s sake, I’d like to see a merging of the REP doctrine developed in the Charter jurisprudence with the tort analysis. We’re talking about the same thing.

Third. Justice Perell was able to view the incident through a technical lens, analyzing each data element on its own and not in the broader context. Compare how he viewed the matter to the Toronto Star editors of this article. The difference is amazing.

Fourth. I don’t read paragraph 153 as endorsement of so-called “third-party doctrine.” Rather, it’s a very broad finding about the publicity of contact information. Contact information is too public in its quality to attract the protection of the common law, says Justice Perell. Compare this view to that of the Alberta OPIC, who has found that the loss of e-mail addresses alone (to a hacker, mind you) gives rise to a “real risk of significant harm.” Justice Perell’s finding (consistent with Jones v Tsige) suggests that the privacy statutes offer greater protection than the common law.

Fifth, I can’t help but think we’ll be litigating about what is and isn’t a breach of privacy for an eternity.

Broutzas v. Rouge Valley Health System, 2018 ONSC 6315 (CanLII).

Advertisements
%d bloggers like this: