Broutzas narrowed, privacy action certified, uncertainty abounds

On January 6th, Justice Morgan certified a class proceeding that was based on a nurse’s unauthorized access to very basic personal health information – patient status and allergy information – so she could obtain prescription drugs.

Although there were no damages to support a negligence claim, Justice Morgan held that the cause of action criterion for certification of a privacy breach claim was met because, “an infringement of privacy can be ‘highly offensive’ without being otherwise harmful in the sense of leading to substantial damages.” (IMHO, this is correct.)

In otherwise assessing the quality the nurse’s infringement, Justice Morgan distinguished Broutzas, in which Justice Perell declined to certify an action, in part, because the theft of address information from patients who had given birth at a hospital was not “highly offensive.” Justice Morgan said:

Counsel for the Plaintiff takes issue with this analysis. In the first place, he points out that the factual context of the Rouge Valley case is distinguishable from the case at bar in one important way: the patients/claimants in [Broutzas] were all in the hospital for the birth of a baby, which is perhaps the least confidential of reasons. Indeed, Perell J. recited the factual background of each patient making a claim in that case, and observed that one had announced their child’s birth and circulated photos of the new baby on social media, while another had done a Facebook posting in celebration of the birth of their new baby at the defendant hospital: Ibid, paras. 97, 106. As Plaintiff’s counsel here points out, the expectation of privacy in such circumstances is negligible.

Fair enough, but it’s nonetheless quite clear that not all judges value privacy the same way. The uncertainty in judge-made privacy law is palpable.

Stewart v. Demme, 2020 ONSC 83 (CanLII).

ONSC applies false light privacy tort, awards $300,000 in damages

Justice Kristjanson of the Ontario Superior Court of Justice has applied the tort of publicly placing a person in a false light in ordering an abusive husband to pay $300,000 in damages to his estranged spouse.

The defendant waged a campaign against the plaintiff in which, contrary to court orders, he published photos and videos of the couple’s two children to allege the plaintiff was a child abuser and criminal. He also targeted the plaintiff by e-mailing community members links to his content and directing various real-world publications via pamphleting and postering in the UK, where the plaintiff had sought shelter. The campaign was extreme, causing the plaintiff to become ill and fear for her safety.

Justice Kristjanson awarded $150,000 in punitive damages, $50,000 for intentional infliction of mental suffering and $100,000 for breach of privacy. The breach of privacy damages were based jointly on the public disclosure of embarrassing private facts tort and the tort that applies to publicity that places one in a false light. On the false light tort, Justice Kristjanson explained:

170      With these three torts all recognized in Ontario law, the remaining item in the “four-tort catalogue” of causes of action for invasion of privacy is the third, that is, publicity placing the plaintiff in a false light. I hold that this is the case in which this cause of action should be recognized. It is described in § 652E of the Restatement as follows:
Publicity Placing Person in False Light
One who gives publicity to a matter concerning another that places the other before the public in a false light is subject to liability to the other for invasion of his privacy, if
(a) the false light in which the other was placed would be highly offensive to a reasonable person, and
(b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed.
171      I adopt this statement of the elements of the tort. I also note the clarification in the Restatement‘s commentary on this passage to the effect that, while the publicity giving rise to this cause of action will often be defamatory, defamation is not required. It is enough for the plaintiff to show that a reasonable person would find it highly offensive to be publicly misrepresented as they have been. The wrong is in publicly representing someone, not as worse than they are, but as other than they are. The value at stake is respect for a person’s privacy right to control the way they present themselves to the world.
172      It also bears noting this cause of action has much in common with the tort of public disclosure of private facts. They share the common elements of 1) publicity, which is 2) highly offensive to a reasonable person. The principal difference between the two is that public disclosure of private facts involves true statements, while “false light” publicity involves false or misleading claims. (Two further elements also distinguish the two causes of action: “false light” invasion of privacy requires that the defendant know or be reckless to the falsity of the information, while public disclosure of private facts involves a requirement that there be no legitimate public concern justifying the disclosure.)
173      It follows that one who subjects another to highly offensive publicity can be held responsible whether the publicity is true or false. This indeed, is precisely why the tort of publicity placing a person a false light should be recognized. It would be absurd if a defendant could escape liability for invasion of privacy simply because the statements they have made about another person are false.
174      Moreover, it is likely that in the course of creating publicity placing a person in a false light, the wrongdoer will happen to include true, but private, facts about the person whose privacy is invaded. In this case, for instance, the defendant has publicized falsehoods about the plaintiff, but he has also publicly aired private facts about her present living situation with the children and her parents (including videos of their home) and details of access visits which is a true, but private matter.

This is the first time the false light tort has been recognized in Canada. Justice Kristjanson said the $20,000 cap on damages recognized in Jones v Tsige “may not apply” to it, though also suggested a larger award was warranted on the facts.

Justice Kristjanson also issued a 33 paragraph order that provided for broad-ranging permanent injunctive relief and made the defendant’s right of access to his children dependent on compliance. (The trial of the plaintiff’s action proceeded together with a family law trial.)

Yenovkian v Gulian, 2019 CarswellOnt 21614, 2019 ONSC 7279.

What’s significant about the Loblaw report

I finally got around to reading the @PrivacyPrivee report of findings on Loblaw’s manner of authenticating those eligible for a gift card. The most significant (or at least enlightening) thing about the report is that the OPC held that residential address, date of birth, telephone number and e-mail address were, together, “sensitive.” It did so in assessing the adequacy of the contractual measures Loblaw used in retaining a service provider for processing purposes. It said:

  1. The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.
  2. As outlined above, the additional ID’s requested by the Program Administrator were collected through a secure channel (if online) or by mail, verified and then destroyed.
  3. In our view, given the limited, albeit sensitive, information that was shared with the Program Administrator, as well as the limited purposes and duration for which that information would be used, Loblaw’s detailed contractual requirements were sufficient to ensure a level of protection that was comparable to that which would be required under the Act. Therefore, in our view, Loblaw did not contravene Principle 4.1.3 of Schedule 1 of the Act.

Residential address, date of birth, telephone number and e-mail address is a set of basic personal information. In analyzing it, one must recall the “contact information” that the Ontario Superior Court of Justice said was not “private” enough to found a class action claim in Broutzas.

Don’t be misled, though. The OPC made its finding because Loblaw was engaged in authentication, and collected a data set precisely geared to that purpose. The potential harm – identity theft – was therefore real, supporting finding that the data set as a whole was sensitive. Context matters in privacy and data security. And organizations, guard carefully the data you use to identify your customers.

No civil claim for misappropriated contact information says Ont SCJ

On October 25th the Ontario Superior Court of Justice dismissed certification motions in two actions that claimed damages for the misappropriation of contact information from a hospital information system. The information was taken and used to sell RESPs to the families of newborns.

Most significantly, the Court held there was no viable cause of action for intrusion upon seclusion because the information that was misappropriated did not support a breach that was serious enough to meet the standard established by the Court of Appeal for Ontario in Jones v Tsige. Justice Perell explained:

[151]      I generally agree with the Defendants’ arguments. It is plain and obvious in the case at bar that there is no tenable cause of action for intrusion on seclusion because there was no significant invasion of personal privacy and a reasonable person would not find the disclosure of contact information without the disclosure of medical, financial, or sensitive information, offensive or a cause for distress humiliation and anguish. The contact information that was the objective of the intrusion in the immediate case was not private, there was not a significant invasion of privacy, and the invasion of privacy was not highly offensive to an objective person.

[152]      In other words, in the immediate case, it is not the case that the disclosure of just contact information intrudes on the class members’ significant private affairs and concerns, and in the immediate case, it is not the case that the disclosure of contact information would be highly offensive to a reasonable person and cause her distress, humiliation, and anguish.

[153]      Generally speaking, there is no privacy in information in the public domain, and there is no reasonable expectation in contact information, which is in the public domain, being a private matter. Contact information is publicly available and is routinely and readily disclosed to strangers to confirm one’s identification, age, or address. People readily disclose their address and phone number to bank and store clerks, when booking train or plane tickets or when ordering a taxi or food delivery. Many people use their health cards for identification purposes. Save during the first trimester, the state of pregnancy, and the birth of child is rarely a purely private matter. The news of an anticipated birth and of a birth is typically shared and celebrated with family, friends, and colleagues and is often publicized. The case at bar is illustrative. All the proposed representative plaintiffs were not shy about sharing the news of the newborns.

Much will be said about this judgement. Here are some thoughts.

First. There’s an ambiguity . Justice Perell says there’s no reasonable expectation of privacy in the circumstances and the invasion is not “highly offensive.” How can there be an invasion if there’s no reasonable expectation of privacy? Reading the analysis as a whole, Justice Perell seems to be saying that there is an expectation of privacy (and a privacy breach), but not one that meets the “highly offensive” standard set in Jones v Tsige. This is a first.

Second. Justice Perell doesn’t use the “reasonable expectation of privacy” concept to delineate whether or not there has been an intrusion. I wish he did. For clarity’s sake, I’d like to see a merging of the REP doctrine developed in the Charter jurisprudence with the tort analysis. We’re talking about the same thing.

Third. Justice Perell was able to view the incident through a technical lens, analyzing each data element on its own and not in the broader context. Compare how he viewed the matter to the Toronto Star editors of this article. The difference is amazing.

Fourth. I don’t read paragraph 153 as endorsement of so-called “third-party doctrine.” Rather, it’s a very broad finding about the publicity of contact information. Contact information is too public in its quality to attract the protection of the common law, says Justice Perell. Compare this view to that of the Alberta OPIC, who has found that the loss of e-mail addresses alone (to a hacker, mind you) gives rise to a “real risk of significant harm.” Justice Perell’s finding (consistent with Jones v Tsige) suggests that the privacy statutes offer greater protection than the common law.

Fifth, I can’t help but think we’ll be litigating about what is and isn’t a breach of privacy for an eternity.

Broutzas v. Rouge Valley Health System, 2018 ONSC 6315 (CanLII).

BCCA – No privacy claim against lawyer

On January 9th, the Court of Appeal for British Columbia affirmed the dismissal of a claim against a lawyer that was based in part on his service of application materials and in part on his conveyance of information about the plaintiff in a casual conversation with another lawyer.

The application that became the subject of the claim was made in an earlier family law proceeding. It was for production of financial documentation from the plaintiff relating to seven companies in which he had an interest.

The defendant represented the plaintiff’s wife. He served the companies with application materials (a notice plus affidavit) without redaction and in an unsealed envelope. Apparently his process server left the materials with two unrelated companies in an attempt to affect service. The plaintiff also argued that the defendant should have crafted his application materials to protect the plaintiff’s privacy – serving notices “containing only information relevant to the particular relief that might concern each company.”

The Court held that the impugned action was deemed not to be an invasion of privacy based on section 2(3)(b) of the British Columbia Privacy Act, which states that the publication of a matter is not a violation of privacy if “the publication was privileged in accordance with the rules of law relating to defamation.” The defendant, the Court explained, was acting in the course of his duty to his client, and occasion protected by absolute privilege.

The “casual conversation claim” arose from a discussion the defendant had with another lawyer during a break in discovery in another case. The defendant said he represented a woman whose former husband had sold a business in Alberta for $15 million and that the couple had three young children. Another person who was present came to believe the defendant was speaking about the plaintiff.

The Court affirmed the trial judge’s finding that the plaintiff failed to prove the information disclosed was private and subject to a reasonable expectation of privacy. More significantly, it affirmed an obiter finding that that the defendant’s disclosure was not wilful.

Duncan v Lessing, 2018 BCCA 9 (CanLII).

 

ONSC affirms damages award for “friend’s” leak of work schedule

On April 8th, the Ontario Superior Court of Justice affirmed a $1,500 damages award for a privacy breach that entailed the disclosure of information that the defendant received because she was the plaintiff’s social media friend.

The plaintiff and defendant were pilots who worked for the same airline. The plaintiff shared his work schedule with the defendant though an application that allowed him to share his information with “friends” for the purpose of mitigating the demands of travel. The airline also maintained a website that made similar information available to employees. The defendant obtained the schedule information through one or both of these sites and shared it with the plaintiff’s estranged wife.

There are a number of good issues embedded in this scenario. Is a work schedule, in this context, personal information? Does one have an expectation of privacy in information shared in this context? Does the intrusion upon seclusion tort proscribe a disclosure of personal information?

The appeal judgement is rather bottom line. In finding the plaintiff had a protectable privacy interest, the Court drew significance from the airline’s employee privacy policy. It said:

The policy of Air Canada, that must be followed by all employees, emphasises the privacy rights of the employees. This policy specifically prohibits any employee from disseminating personal information of another employee to third parties without express permission of the other employee. The sharing of personal information between employees is clearly restricted for work related purposes only. Permission to review and obtain this information is not given unless it is for work related purposes. If the information is reviewed and used for any other purpose, this results in conduct that constitutes an intentional invasion of the private affairs or concerns. In addition, I find that a reasonable person would regard this type of invasion of privacy as highly offensive and causing distress, humiliation and anguish to the person.

The defendant did not appeal the $1,500 damages award.

John Stevens v Glennis Walsh, 2016 ONSC 2418 (CanLII).

Data breach response – Examining evidence and determining credibility

Having good investigative capacity is essential to good data breach response. More often than not, a post-incident investigation involves gathering evidence from witnesses. Digital forensics is also a common part of a breach investigation, but digital forensic evidence typically complements other testimonial and documentary evidence. For this reason I’m sharing a presentation I did with student conduct officers at Canadian colleges and universities last week, in which my aim was to prepare the audience to deal with a more challenging “credibility case.” It is relevant to human resources practitioners engaged in an investigative capacity post-incident and is relevant to lawyers and others who act as “breach coaches.”