The Canadian legal community has been abuzz about the January 2012 Jones v Tsige decision of the Ontario Court of Appeal, which recognized a new common law breach of privacy tort called Intrusion on Seclusion. This term was first coined by Professor William Prosser in a 1960 California Law Review article, and later recognized as a tort in most US jurisdictions. In this article, we look at the implications of this new tort for BC businesses.
Facts of Jones v Tsige
This case revolved around the actions of one Bank of Montreal employee – Ms Tsige, who accessed the bank records of an employee working in another Bank of Montreal branch – Ms Jones. Tsige was involved in a relationship with Jones’ former husband, and Tsige used her workplace computer to access Jones’ personal BMO bank accounts at least 174 times. Besides banking transactions, the information Tsige accessed included Jones’ birthdate, marital status and address. When Jones became suspicious that Tsige was accessing her bank accounts, she complained to BMO and, when confronted, Tsige admitted that she had accessed the information and that she did not have any legitimate reasons for doing so. BMO then disciplined Tsige for breach of its Code of Business Ethics, and Tsige apologised to Jones.
Jones, upset with Tsige’s deliberate and repeated intrusion into her financial affairs, commenced an action in Ontario Superior Court claiming damages for invasion of privacy. Jones’ application for summary judgment was met with Tsige’s successful cross-application to have the action dismissed. As part of that decision the Ontario Superior Court held that there was no tort of invasion of privacy in Ontario and the privacy laws in force in Ontario also did not apply, and so there was no remedy available to Jones.
Jones then appealed the judgement to the Ontario Court of Appeal which, after an exhaustive review of the statute and common law in Canada and other jurisdictions, concluded that it was appropriate for the court to confirm the existence of a tort and right of action for intrusion on seclusion. This tort is defined as follows:
One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person. [Emphasis added]
The two underlined sections emphasize the following points: (1) that a claim will arise only if the intrusions are deliberate, and (2) the invasion of personal privacy must be significant. Examples provided by the court were intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, and diaries or private correspondence. Further, the Court also noted that pre-existing rights such as freedom of expression and freedom of the press may be valid defences to this tort, and that just because the complainant was highly sensitive or offended was not enough – the actions complained of had to be highly offensive to a reasonable person.
Finally, the Court held that damages may be awarded under this tort even if there was no proof of actual loss, however the appropriate range of damages where no actual loss was proven should be consistent with other awards for symbolic or moral damages, and so the Court set the upper range of general damages at $20,000 if there was no evidence of actual financial loss. The Court also confirmed that aggravated and punitive damages could also be awarded depending on the facts. The Court then awarded Jones $10,000 in damages and said that the facts did not justify the award of aggravated or punitive damages.
Implications for British Columbia
For many years BC has had the Privacy Act, which created a statutory tort of invasion of privacy. (Other provinces with similar privacy legislation are Manitoba, Saskatchewan and Newfoundland, and Quebec also has a similar statute-created tort derived from its Civil Code.) Section 1 of the BC Privacy Act describes the tort as follows:
Violation of privacy actionable
(1) It is a tort, actionable without proof of damage, for a person, willfully and without a claim of right, to violate the privacy of another.
(2) The nature and degree of privacy to which a person is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, giving due regard to the lawful interests of others.
(3) In determining whether the act or conduct of a person is a violation of another’s privacy, regard must be given to the nature, incidence and occasion of the act or conduct and to any domestic or other relationship between the parties.
(4) Without limiting subsections (1) to (3), privacy may be violated by eavesdropping or surveillance, whether or not accomplished by trespass.
The Privacy Act describes the tort broadly, leaving it up to the courts to determine on a case by case basis whether or not the breach of privacy was actionable. As with the common law tort recognized by the Ontario Court of Appeal, the BC Privacy Act allows individuals to bring an action for damages without proof of loss, provided that the privacy breach was willful. The defenses of freedom of expression and freedom of the press (acknowledged by the Court in Jones v Tsige) are explicitly recognized in section 2. Actions brought pursuant to the BC Privacy Act must be commenced in the BC Supreme Court. Previous decisions of the BC courts have also awarded aggravated and punitive damages in situations where the Courts found the actions of the defendants to be worthy of additional rebuke and punishment.
Because BC’s statutory tort of breach of privacy is very similar to the common law tort of Intrusion on Seclusion, we do not think there will be any profound changes in how breaches of privacy law are dealt with for BC’s private and public sector organizations. On the other hand, organizations in jurisdictions which do not have the equivalent to the BC Privacy Act, such as Ontario, Alberta, New Brunswick, Nova Scotia and the territories, need to be aware of this additional scope of liability for privacy breaches.
The fact that there is now a recognized common law tort means that claims could be made outside of the ‘rules’ set by the Privacy Act. Thus, individuals could bring an action in the BC Provincial Court rather than the BC Supreme Court as required by the Act. While the upper monetary jurisdiction of the Provincial Court is $25,000, its rules are much simpler and it is easier for an unrepresented person to prosecute a claim without the assistance of lawyers. That fact may encourage more breach of privacy claims (based on the common law tort of intrusion on seclusion) in future. Finally, if BC courts follow the Ontario Court of Appeal’s decision that there can be a $20,000 upper limit on damages awarded where there is no proof of damages, then we may see lower damage awards for similar cases in BC.
Implications for BC Employers
Employers are already subject to privacy protection legislation: BC’s Freedom of Information and Protection of Privacy Act (for public sector employers), BC’s Personal Information Protection Act (for private sector employers), and Canada’s Personal Information Protection and Electronic Documents Act applies to federally regulated employers (i.e. banks and rail, ship and truck transportation companies that operate across provincial borders). These and other related forms of legislation are intended to regulate how organizations collect, use and protect personal information, and complaints under the above noted legislation must go to Privacy Commissioners who investigate and have the power to make orders and impose fines for non-compliance.
Because of the above noted legislation, most employers already have some form of privacy and information protection programs in place. These in turn help discourage unlawful privacy breaches to begin with, and can establish a due diligence defence that can protect employers from liability if employees on their own decide to breach someone’s right to privacy. For example, in the Jones v Tsige case, BMO had good policies and employee education programs in place and Tsige’s behaviour was contrary to such rules and not part of her legitimate workplace duties. BMO also took steps to investigate Jones’ complaint and disciplined Tsige for her actions. Presumably, those facts protected BMO from a complaint under Canada’s Personal Information Protection and Electronic Documents Act, and from being named as a defendant vicariously responsible for Tsige’s actions.
As with other torts committed by employees in the course of their employment, employers can be found vicariously liable for damages caused by their employees acting in the course of their employment. Whether the Jones v Tsige decision increases opportunities for employers to be held liable to other employees or third parties for damages arising from actions by their employees (whether pursuant to Privacy Act claims or based on this new common law tort of Intrusion of Seclusion), is not yet clear.