BC class action alleging vicarious liability for employee’s snooping to proceed

Yesterday the Court of Appeal for British Columbia held that a class action alleging vicarious liability for breach of the British Columbia Privacy Act should not be struck.

The claim is based on an allegation that an ICBC employee improperly accessed the personal information of about 65 ICBC customers. The Court dismissed ICBC’s argument that the Privacy Act only contemplates direct liability because its statutory tort rests on wilful misconduct. The Court reasoned that a requirement of deliberate wrongdoing is not incompatible with vicarious liability.

ICBC also raised a seemingly dangerous policy question for a data breach defendant: “Should liability lie against a public body for the wrongful conduct of its employee, in these circumstances?” The Court said this question should be answered based on a full evidentiary record.

While allowing the vicarious liability claim to proceed, the Court held that the plaintiff could not found a claim on an alleged breach of the safeguarding provision in British Columbia’s public sector privacy act. It did consider whether to recognize a common law duty to abide by the safeguarding provision, but held that it should not do so based on policy grounds, including the need to defer to the comprehensive administrative remedial regime provided for by the legislature.

Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 (CanLII).

Ontario court issues significant and conservative decision on scope of privacy tort

On August 31st, the Ontario Superior Court of Justice issued a significant decision on the scope of the common law privacy tort – both declining to recognize a cause of action based on “public disclosure of private facts” and articulating how the protection granted by the recognized “intrusion” tort is circumscribed by the interest in free expression.

The case involved a claim against the CBC that the plaintiff – a researcher and professor at Memorial University in Newfoundland – framed both in defamation and breach of privacy. The claim arose out of an investigative journalism program that the CBC aired about the plaintiff’s ethics. The plaintiff alleged wrongs arising out of the words the CBC used in its broadcast and the CBC’s “investigative techniques.” These techniques included receiving and using a confidential report from an anonymous source.

Justice Mew first declined to recognize a claim based on the alleged public disclosure of private facts (or false light publicity). He reasoned that the law of defamation adequately addressed the wrong at issue in the case before him in a manner that carefully balanced the competing interests at stake. He said:

The CBC defendants submit, and I agree, that to expand the tort of invasion of privacy to include circumstances of public disclosure of embarrassing private facts about a plaintiff, would risk undermining the law of defamation as it has evolved and been pronounced by the Supreme Court. To do so would also be inconsistent with the common law’s incremental approach to change.

Justice Mew did, however, allow the jury to consider whether the CBC committed an intrusion upon the plaintiff’s seclusion because, unlike a defamation claim, an intrusion claim “focuses on the act of intrusion, as opposed to dissemination or publication of information.” This finding left the jury with a difficult exercise in balancing competing rights. In instructing the jury, Justice Mew articulated a kind of immunity for receiving confidential information from whistle-blowers (without the use of unlawful means) and drew upon the defamation defences to circumscribe the intrusion tort as follows:

If you conclude that the actions of the CBC did not breach any laws, were not actuated by malice, or did not fall outside the scope of responsible communication, there would be no basis upon which you can find the CBC defendants liable for invasion of privacy. As to what constitutes malice and responsible communication, you should apply the same considerations that pertain to the defences of fair comment and responsible communication described by me earlier in relation to the defamation claim. If you have considered those questions (4 and 5) and have concluded that the defence of responsible communication should succeed, then you should answer “No” to question 8, since it would be inconsistent with the recognition of the place of responsible communication in the balancing exercise that I mentioned just now if a journalist whose actions benefit from the protection of that defence in a defamation claim were to remain exposed to a claim for invasion of privacy arising from her journalistic activities. Put another way, the prerequisite that there must be no lawful justification for the invasion of a person’s private affairs or concerns will be hard, if not impossible, to satisfy if there has been a finding that such an invasion occurred during the course of responsible journalistic activities.

Chandra v CBC, 2015 ONSC 5303 (CanLII).

Ontario decision suggests corporation can sue for breach of privacy

On February 19th, the Ontario Superior Court of Justice declined to strike a pleading that alleged a company unlawfully interfered with a competitor’s economic relations by receiving confidential information about a client (BC Cancer) that was sought after by both organizations. The Court held that the pleading was sustainable because BC Cancer had an arguable claim against the recipient organization based on the “intrusion upon seclusion” tort, suggesting that the tort is available to natural persons and corporations. As stressed by the Court, on a motion to strike a court errs on the side of permitting a novel but arguable claim to proceed to trial.

Fundraising Initiatives v Globalfaces Direct, 2015 ONSC 1334 (CanLII).

BC court dismisses class action about iOS4 location services

On September 30th, the Supreme Court of British Columbia dismissed a motion for certification of a class proceeding against Apple that was about the recording of location data on Apple devices running the iOS4 operating system.

The Court applied significant rigor in weighing the proposed action against the certification criteria, giving heavy scrutiny to both the pleadings and the evidence filed in support of certification.

The Court’s finding on the common issues criterion may have broader implications. The Court acknowledged that the scope of one’s right to privacy under the BC Privacy Act is determined by the context. The plaintiff, the Court said, “has not shown any basis in fact to conclude that the reasonableness and context could be proved on a class-wide basis.” The Court reached the same conclusion regarding the “without claim/colour of right” issue – an issue that speaks to an essential element of a breach of privacy claim.

Ladas v Apple Inc., 2014 BCSC 1821 (CanLII).

HT to Barry Sookman.

BC court strikes privacy breach claim as being within OIPC’s exclusive jurisdiction

On July 14th, the Supreme Court of British Columbia dismissed a privacy breach claim against a public body as being within the exclusive jurisdiction of the Office of the Information and Privacy Commissioner for British Columbia.

The plaintiff sued the ICBC and others for wrongs arising out of the collection and use of his personal information. He framed his action in a number of valid legal bases including breach of contract and breach of confidence. The claim referred to duties under the British Columbia Freedom of Information and Protection of Privacy Act; the plaintiff said these references were simply recitations of “material facts.”

The Court found that significant parts of the claim (in their essence) addressed subject matter governed exclusively by FIPPA and its complaint resolution process. It said:

In summary, I conclude that FIPA is an exhaustive legislative scheme for the investigation and adjudication (subject to judicial review) of complaints related to the collection, use and disclosure of personal information in this province. Investigations of complaints about how a public body such as ICBC has collected, used or disclosed personal information are prescribed in FIPA. I am unable to find a role for the civil courts in these matters (except for judicial review).

This issue has been litigated in Ontario. For a case in which the Ontario Superior Court of Justice struck a claim based solely on a breach of MFIPPA, see Sampogna v Smithies. For a more recent case in which the Ontario Superior Court of Justice allowed a privacy breach claim to proceed against a health information custodian and others despite an argument that the Ontario Personal Health Information Protection Act covered the field, see Hopkins v Kay. Hopkins has been appealed to the Court of Appeal for Ontario.

Cook v The Insurance Corporation of British Columbia, 2014 BCSC 1289.

Facebook’s Graph Search: New Privacy Concerns?

According to a CBC News article (here), early reviews of Facebook’s new Graph Search feature are raising privacy concerns. The search feature appears to be eerily effective in mining Facebook users’ information in responding to search queries.

For employers who may be considering using social media to verify information about current or prospective employees, the depth of information revealed by Graph Search highlights the risk that obtaining information through social media could amount to an invasion of privacy, or conflict with human rights laws (see the Ontario Human Rights Commission’s policy on using Facebook information). Employers should tread carefully before using social media to obtain information about current or prospective employees, since the resulting information (even if obtained inadvertently) could create unanticipated liabilities.

Government limits use of external drives, to avoid data breaches

Here is a link to an interesting Postmedia article on how HRSDC is moving to limit use by employees of portable data devices, following several incidents in which external drives containing Canadians’ personal information were lost or misplaced. There are many compelling reasons for employers to control how and when employees can remove data from the workplace, such as preventing data breaches, minimizing wrongful competition by employees or former employees, and avoiding claims for breach of privacy.