Category: Torts (eg. Invasion of privacy)

BCCA – No privacy claim against lawyer

On January 9th, the Court of Appeal for British Columbia affirmed the dismissal of a claim against a lawyer that was based in part on his service of application materials and in part on his conveyance of information about the plaintiff in a casual conversation with another lawyer.

The application that became the subject of the claim was made in an earlier family law proceeding. It was for production of financial documentation from the plaintiff relating to seven companies in which he had an interest.

The defendant represented the plaintiff’s wife. He served the companies with application materials (a notice plus affidavit) without redaction and in an unsealed envelope. Apparently his process server left the materials with two unrelated companies in an attempt to affect service. The plaintiff also argued that the defendant should have crafted his application materials to protect the plaintiff’s privacy – serving notices “containing only information relevant to the particular relief that might concern each company.”

The Court held that the impugned action was deemed not to be an invasion of privacy based on section 2(3)(b) of the British Columbia Privacy Act, which states that the publication of a matter is not a violation of privacy if “the publication was privileged in accordance with the rules of law relating to defamation.” The defendant, the Court explained, was acting in the course of his duty to his client, and occasion protected by absolute privilege.

The “casual conversation claim” arose from a discussion the defendant had with another lawyer during a break in discovery in another case. The defendant said he represented a woman whose former husband had sold a business in Alberta for $15 million and that the couple had three young children. Another person who was present came to believe the defendant was speaking about the plaintiff.

The Court affirmed the trial judge’s finding that the plaintiff failed to prove the information disclosed was private and subject to a reasonable expectation of privacy. More significantly, it affirmed an obiter finding that that the defendant’s disclosure was not wilful.

Duncan v Lessing, 2018 BCCA 9 (CanLII).

 

ONSC affirms damages award for “friend’s” leak of work schedule

On April 8th, the Ontario Superior Court of Justice affirmed a $1,500 damages award for a privacy breach that entailed the disclosure of information that the defendant received because she was the plaintiff’s social media friend.

The plaintiff and defendant were pilots who worked for the same airline. The plaintiff shared his work schedule with the defendant though an application that allowed him to share his information with “friends” for the purpose of mitigating the demands of travel. The airline also maintained a website that made similar information available to employees. The defendant obtained the schedule information through one or both of these sites and shared it with the plaintiff’s estranged wife.

There are a number of good issues embedded in this scenario. Is a work schedule, in this context, personal information? Does one have an expectation of privacy in information shared in this context? Does the intrusion upon seclusion tort proscribe a disclosure of personal information?

The appeal judgement is rather bottom line. In finding the plaintiff had a protectable privacy interest, the Court drew significance from the airline’s employee privacy policy. It said:

The policy of Air Canada, that must be followed by all employees, emphasises the privacy rights of the employees. This policy specifically prohibits any employee from disseminating personal information of another employee to third parties without express permission of the other employee. The sharing of personal information between employees is clearly restricted for work related purposes only. Permission to review and obtain this information is not given unless it is for work related purposes. If the information is reviewed and used for any other purpose, this results in conduct that constitutes an intentional invasion of the private affairs or concerns. In addition, I find that a reasonable person would regard this type of invasion of privacy as highly offensive and causing distress, humiliation and anguish to the person.

The defendant did not appeal the $1,500 damages award.

John Stevens v Glennis Walsh, 2016 ONSC 2418 (CanLII).

Data breach response – Examining evidence and determining credibility

Having good investigative capacity is essential to good data breach response. More often than not, a post-incident investigation involves gathering evidence from witnesses. Digital forensics is also a common part of a breach investigation, but digital forensic evidence typically complements other testimonial and documentary evidence. For this reason I’m sharing a presentation I did with student conduct officers at Canadian colleges and universities last week, in which my aim was to prepare the audience to deal with a more challenging “credibility case.” It is relevant to human resources practitioners engaged in an investigative capacity post-incident and is relevant to lawyers and others who act as “breach coaches.”

BC class action alleging vicarious liability for employee’s snooping to proceed

Yesterday the Court of Appeal for British Columbia held that a class action alleging vicarious liability for breach of the British Columbia Privacy Act should not be struck.

The claim is based on an allegation that an ICBC employee improperly accessed the personal information of about 65 ICBC customers. The Court dismissed ICBC’s argument that the Privacy Act only contemplates direct liability because its statutory tort rests on wilful misconduct. The Court reasoned that a requirement of deliberate wrongdoing is not incompatible with vicarious liability.

ICBC also raised a seemingly dangerous policy question for a data breach defendant: “Should liability lie against a public body for the wrongful conduct of its employee, in these circumstances?” The Court said this question should be answered based on a full evidentiary record.

While allowing the vicarious liability claim to proceed, the Court held that the plaintiff could not found a claim on an alleged breach of the safeguarding provision in British Columbia’s public sector privacy act. It did consider whether to recognize a common law duty to abide by the safeguarding provision, but held that it should not do so based on policy grounds, including the need to defer to the comprehensive administrative remedial regime provided for by the legislature.

Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 (CanLII).

Ontario court issues significant and conservative decision on scope of privacy tort

On August 31st, the Ontario Superior Court of Justice issued a significant decision on the scope of the common law privacy tort – both declining to recognize a cause of action based on “public disclosure of private facts” and articulating how the protection granted by the recognized “intrusion” tort is circumscribed by the interest in free expression.

The case involved a claim against the CBC that the plaintiff – a researcher and professor at Memorial University in Newfoundland – framed both in defamation and breach of privacy. The claim arose out of an investigative journalism program that the CBC aired about the plaintiff’s ethics. The plaintiff alleged wrongs arising out of the words the CBC used in its broadcast and the CBC’s “investigative techniques.” These techniques included receiving and using a confidential report from an anonymous source.

Justice Mew first declined to recognize a claim based on the alleged public disclosure of private facts (or false light publicity). He reasoned that the law of defamation adequately addressed the wrong at issue in the case before him in a manner that carefully balanced the competing interests at stake. He said:

The CBC defendants submit, and I agree, that to expand the tort of invasion of privacy to include circumstances of public disclosure of embarrassing private facts about a plaintiff, would risk undermining the law of defamation as it has evolved and been pronounced by the Supreme Court. To do so would also be inconsistent with the common law’s incremental approach to change.

Justice Mew did, however, allow the jury to consider the whether the CBC committed an intrusion upon the plaintiff’s seclusion because, unlike a defamation claim, an intrusion claim “focuses on the act of intrusion, as opposed to dissemination or publication of information.” This finding left the jury with a difficult exercise in balancing competing rights. In instructing the jury, Justice Mew articulated a kind of immunity for receiving confidential information from whistle-blowers (without the use of unlawful means) and drew upon the defamation defences to circumscribe the intrusion tort as follows:

If you conclude that the actions of the CBC did not breach any laws, were not actuated by malice, or did not fall outside the scope of responsible communication, there would be no basis upon which you can find the CBC defendants liable for invasion of privacy. As to what constitutes malice and responsible communication, you should apply the same considerations that pertain to the defences of fair comment and responsible communication described by me earlier in relation to the defamation claim. If you have considered those questions (4 and 5) and have concluded that the defence of responsible communication should succeed, then you should answer “No” to question 8, since it would be inconsistent with the recognition of the place of responsible communication in the balancing exercise that I mentioned just now if a journalist whose actions benefit from the protection of that defence in a defamation claim were to remain exposed to a claim for invasion of privacy arising from her journalistic activities. Put another way, the prerequisite that there must be no lawful justification for the invasion of a person’s private affairs or concerns will be hard, if not impossible, to satisfy if there has been a finding that such an invasion occurred during the course of responsible journalistic activities.

Chandra v CBC, 2015 ONSC 5303 (CanLII).

Ontario decision suggests corporation can sue for breach of privacy

On February 19th, the Ontario Superior Court of Justice declined to strike a pleading that alleged a company unlawfully interfered with a competitor’s economic relations by receiving confidential information about a client (BC Cancer) that was sought after by both organizations. The Court held that the pleading was sustainable because BC Cancer had an arguable claim against the recipient organization based on the “intrusion upon seclusion” tort, suggesting that the tort is available to natural persons and corporations. As stressed by the Court, on a motion to strike a court errs on the side of permitting a novel but arguable claim to proceed to trial.

Fundraising Initiatives v Globalfaces Direct, 2015 ONSC 1334 (CanLII).

BC court dismisses class action about iOS4 location services

On September 30th, the Supreme Court of British Columbia dismissed a motion for certification of a class proceeding against Apple that was about the recording of location data on Apple devices running the iOS4 operating system.

The Court applied significant rigor in weighing the proposed action against the certification criteria, giving heavy scrutiny to both the pleadings and the evidence filed in support of certification.

The Court’s finding on the common issues criterion may have broader implications. The Court acknowledged that the scope of one’s right to privacy under the BC Privacy Act is determined by the context. The plaintiff, the Court said, “has not shown any basis in fact to conclude that the reasonableness and context could be proved on a class-wide basis.” The Court reached the same conclusion regarding the “without claim/colour of right” issue – an issue that speaks to an essential element of a breach of privacy claim.

Ladas v Apple Inc., 2014 BCSC 1821 (CanLII).

HT to Barry Sookman.

BC court strikes privacy breach claim as being within OIPC’s exclusive jurisdiction

On July 14th, the Supreme Court of British Columbia dismissed a privacy breach claim against a public body as being within the exclusive jurisdiction of the Office of the Information and Privacy Commissioner for British Columbia.

The plaintiff sued the ICBC and others for wrongs arising out of the collection and use of his personal information. He framed his action in a number of valid legal bases including breach of contract and breach of confidence. The claim referred to duties under the British Columbia Freedom of Information and Protection of Privacy Act; the plaintiff said these references were simply recitations of  “material facts.”

The Court found that significant parts of the claim (in their essence) addressed subject matter governed exclusively by FIPPA and its complaint resolution process. It said:

In summary, I conclude that FIPA is an exhaustive legislative scheme for the investigation and adjudication (subject to judicial review) of complaints related to the collection, use and disclosure of personal information in this province. Investigations of complaints about how a public body such as ICBC has collected, used or disclosed personal information are prescribed in FIPA. I am unable to find a role for the civil courts in these matters (except for judicial review).

This issue has been litigated in Ontario. For a case in which the Ontario Superior Court of Justice struck a claim based solely on a breach of MFIPPA, see Sampogna v Smithies. For a more recent case in which the Ontario Superior Court of Justice allowed a privacy breach claim to proceed against an health information custodian and others despite an argument that the Ontario Personal Health Information Protection Act covered the field, see Hopkins v Kay. Hopkins has been appealed to the Court of Appeal for Ontario.

Cook v The Insurance Corporation of British Columbia, 2014 BCSC 1289.

Facebook’s Graph Search: New Privacy Concerns?

According to a CBC News article (here), early reviews of Facebook’s new Graph Search feature are raising privacy concerns.  The search feature appears to be eerily effective in mining Facebook users’ information in responding to search queries.

For employers who may be considering using social media to verify information about current or prospective employees, the depth of information revealed by Graph Search highlights the risk that obtaining information through social media could amount to an invasion of privacy, or conflict with human rights laws (see the Ontario Human Rights Commission’s policy on using Facebook information).  Employers should tread carefully before using social media to obtain information about current or prospective employees, since the resulting information (even if obtained inadvertently) could create unanticipated liabilities.

Government limits use of external drives, to avoid data breaches

Here is a link to an interesting Postmedia article on how HRSDC is moving to limit use by employees of portable data devices, following several incidents in which external drives containing Canadians’ personal information were lost or misplaced.  There are many compelling reasons for employers to control how and when employees can remove data from the workplace, such as preventing data breaches, minimizing wrongful competition by employees or former employees, and avoiding claims for breach of privacy.