The Limits to Class Action Privacy Claims in Ontario

Since the Ontario Court of Appeal’s decision in Jones v Tsige,[1] creating an Ontario version of the tort of invasion of privacy called “intrusion upon seclusion”, privacy-related class actions have emerged as a growth area. Many of these have focused on the institutional release of personal information and some have been successfully certified.[2] However, a review of two recent Ontario Superior Court decisions, Broutzas v Rouge Valley Health System[3] and Kaplan v Casino Rama,[4] highlight some of the difficulties in certifying these types of actions. In both cases, certification of the class action was refused.

Broutzas v Rouge Valley Health System involved a proposed class action relating to hospital employees selling to RESP salespeople the contact information of women who had recently given birth.

Kaplan v Casino Rama involved a proposed class action relating to a hacker stealing and posting online the personal information of nearly 11,000 casino customers.

Whether Information Is Private

In Broutzas, the Court determined the information relating to whether a woman had given birth was not private. This kind of information was typically posted on social media, announced and shared with family and friends. In addition, some class members gave their contact information to companies in exchange for free baby products. Moreover, a person’s contact information is normally public information. The Court concluded that none of the information released was protected under the tort. This type of information can be distinguished from medical information, which is private.

Ultimately, a release of personal information does not necessarily mean an invasion of privacy. The invasion must be something a reasonable person would find highly offensive, causing distress, humiliation, or anguish. Release of contact information, or that a person gave birth, does not qualify.

The Issue of Overbreadth and Indirect Defendants

The Court in Rouge Valley concluded there was no cause of action against the RESP salespeople. The salespeople were not negligent as they did not owe a duty of care to the class members. Furthermore, they were not involved in the actual breach themselves. It would be unreasonable to impose a duty on the salespeople to ensure the information was not improperly obtained.

Similarly, in Kaplan, while the casino may have been negligent for the breach, it was not liable for intrusion upon seclusion. The hacker, not the casino had invaded the class members’ privacy.

Common Issues

In Broutzas, the class members did not share common issues. Some had publicly announced their birth, meaning the information was not private. Some women were not contacted by any salespeople. Others purchased RESPs because of the solicitations, meaning they did not suffer harm. Others had already purchased RESPs from the same companies prior to the breach. As a result, different class members would be in very different positions.

Moreover, the defendants did not share common issues. The issues of invasion of privacy and negligence were relevant to the hospital defendants but not to the RESP salespeople. Resolving issues relating to liability for the hospital defendants would be irrelevant to the RESP salespeople.

In Kaplan, the class members faced a similar problem. While the casino customers were affected by the same breach, the type and amount of information that was revealed varied between them. No common issue existed because the standard of care owed by the casino varied depending on the information exposed.

Ultimately, neither proposed proceeding contained sufficient common issues between the class members that would advance the claim.

Conclusion

There have been instances of successful certification motions in privacy class actions in Ontario, particularly where it was clear the information was personal, such as medical information, and the action was not overbroad and limited to direct defendants. In appropriate cases, however, defendants will be able to contest whether the class action should be certified. Privacy class actions can raise issues that make certification difficult. When a privacy class action is commenced, defendants should carefully consider whether certification can be successfully opposed.  There will be occasions where certification will likely be successful, but these recent decisions demonstrate that, in the right case, it makes sense to oppose certification.

What are your questions and concerns arising from these decisions with regard to privacy class actions? We welcome your feedback and questions on this topic. Please post your comments on our LinkedIn page at: Dickinson Wright Canada, on Twitter at @DWrightCanada or on our LinkedIn pages at linkedin.com/in/brian-radnoff-1b162715 and linkedin.com/in/jacky-cheung-ab411812a

[1] 2012 ONCA 32.

[2] See for example Tocco v Bell Mobility Inc, 2019 ONSC 2916 and Daniells v McLellan, 2017 ONSC 3466.

[3] 2018 ONSC 6315 [Broutzas].

[4] 2019 ONSC 2025 [Kaplan].