It is fair to assume that the personal health information provided to medical professionals is kept confidential. Medical professionals and institutions set up policies and procedures to ensure that the information is collected, stored, and used in an appropriate manner and in compliance with privacy regulations. Recently, an individual took The Queensway Carleton Hospital to Court alleging that their procedure for surgery bookings caused her significant damages.
The facts of this case are straightforward. The Plaintiff was told that she required surgery. While waiting for a date for the surgery, she received a paper surgical booking package that she had to complete. The Plaintiff testified that she dropped off the completed booking package in the Hospital’s drop box. However, about a week later, it was returned to her by Canada Post. Despite the Plaintiff’s complaints, no one from the Hospital accepted responsibility for the misplaced booking records. The Information and Privacy Commissioner of Ontario was unable to make a determination regarding who was responsible for the privacy breach. The Plaintiff commenced a claim for damages for intrusion upon seclusion, breach of confidence, and public disclosure of embarrassing facts. She also sought punitive damages.
The Court found, on a balance of probabilities, that the Hospital received the records and they were misplaced. The Plaintiff relied on three causes of action to support her claim – intrusion upon seclusion; breach of confidence; and, public disclosure of embarrassing facts.
In dealing with intrusion upon seclusion, the Court found that a single act of inadvertence, assuming that was what happened, was not sufficient to prove recklessness. In fact, the Court found that the Hospital’s protocol for handling booking records did not create an obvious or serious risk. The Court found that the system worked quite well despite this one instance. There was not a deliberate and significant invasion of personal privacy as required in order to satisfy the threshold for damages.
Second, to establish the tort of breach of confidence, the Plaintiff had to show that the Hospital made unauthorized use of her booking record and misused it to her detriment. Once again, the Court found that this claim was not satisfied, as there was insufficient evidence that the Hospital misused the booking record.
Third, the Court found that the tort of public disclosure of embarrassing facts was not established. There was no evidence that the Hospital “published” the booking record or that the records were deliberately made publicly available. The evidence showed that the record could only be seen by postal workers in Montreal to determine where the record should be returned to. This was not sufficient to establish damages.
The Court considered the provisions of the Personal Health Information Protection Act. Section 71(1)(b) provides a statutory immunity for health information custodians where there has been an attempt at good faith compliance with the Act. The Court found that the evidence did not establish that the Hospital’s use of surgical booking packages was unreasonable. Additionally, there was no evidence that there had been any issues with other booking records, either before or after this incident.
Finally, the Court considered whether the Plaintiff was entitled to damages based on her “humiliation, anxiety and distress” arising from the receipt of the envelope from Canada Post containing the booking records. The Plaintiff did not establish, on a balance of probabilities, that she suffered anxiety or psychological upset that rose to the level of requiring compensation. Similarly, there was no high-handed, arrogant or contumelious behaviour on the Hospital’s part that would warrant a finding of punitive damages.
Hospitals are particularly vulnerable to privacy claims – they are required to gather a significant amount of personal health information in a very short period, store and protect that information, and use it in an appropriate way. Healthcare organizations must implement robust safeguards and procedures to ensure their patients’ information is properly collected, used, and disclosed. Taking these reasonable steps will lower an organization’s financial and litigation risk. A good place to start is creating privacy policies or hiring an experienced counsel to review existing policies and their implementation.
Facebook has made history today, but not in a good way. The US Federal Trade Commission (“FTC”) announced this morning that Facebook will pay a record-breaking $5 billion penalty, submit to new restrictions, and modify the company’s corporate structure to settle the charges that the company violated a 2012 FTC order. Not only is this the largest penalty in FTC history but it is also almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.
In making this determination, the FTC Chairman, Joe Simons, explained “[d]espite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices.” The underlying 2012 order included a prohibition that Facebook make misrepresentations about the privacy or security of consumers’ personal information or the extent to which this information was shared to third parties. It also required Facebook to maintain a reasonable privacy program that safeguarded the privacy and confidentiality of user information.
The FTC’s new 20-year settlement order will require Facebook to establish an independent privacy committee that will be appointed by an independent nominating committee. In addition, Facebook will be required to designate compliance officers who must submit quarterly certifications to the FTC that the company is in compliance with the privacy program mandated by the FTC order. An annual certification must also be completed. Not only will the certifications need to be made by compliance officers, but they will also have to be endorsed by Facebook’s CEO, Mark Zuckerberg. Any false certification will subject the parties to individual civil and criminal penalties.
The order also strengthens external oversight of Facebook and provides that an independent third party assessor will evaluate the effectiveness of the privacy program and identify any gaps. The assessor will not simply rely on the assertions made by Facebook’s management. The third party assessor’s biennial assessments of the company’s privacy program must be based on the assessor’s independent fact gathering, sampling and testing. The third party assessor must also report to the privacy committee on a quarterly basis.
The privacy program covers not only Facebook but also WhatsApp and Instagram. Any new or modified product, service or practice must undergo a privacy review before it is launched. Any decisions about privacy in these circumstances must be documented.
There are also positive obligations in the event of a data breach. Specifically, the order requires Facebook to document incidents where the data of 500 or more users has been compromised. The company must also document what efforts it made to address the incident. This information must be sent to the FTC and the third party assessor within 30 days.
Other requirements of the Order include:
Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
Facebook must establish, implement, and maintain a comprehensive data security program;
Facebook must encrypt user passwords (in practice, store them as salted, iterated hashes rather than in any reversible form) and regularly scan to detect whether any passwords are stored in plaintext; and,
Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
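The password terms above describe two concrete engineering practices. The following is an added example, not code from the original post, from the FTC order, or from Facebook, showing how a security engineer would implement both with only the Python standard library: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes (not reversibly encrypted, so a stolen record cannot be turned back into the password), and a scanner runs over log lines looking for credential fields whose value is neither a recognised hash format nor a redaction marker. The iteration count, the `pbkdf2_sha256$iterations$salt$hash` storage format, the recognised hash prefixes and the sample log lines are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Assumed parameters for this example: 16-byte random salt, 600,000
# PBKDF2 iterations, stored as "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a salted, iterated hash of the password. Nothing here is
    reversible: there is no key that recovers the plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Any record not in the expected format is rejected rather than raising."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Plaintext-password scan over log lines. A credential-named key followed by
# "=" or ":" is suspicious unless its value is a known hash encoding or a
# redaction marker. Keys such as "password_hash" do not match because the
# word boundary after "password" is absent.
CREDENTIAL_FIELD = re.compile(
    r'(?i)\b(pass(?:word|wd)?|pwd|secret)\b"?\s*[:=]\s*"?([^\s",&]+)')
KNOWN_HASH = re.compile(r'^(pbkdf2_sha256\$|\$2[aby]\$|\$argon2(?:id|i|d)\$|\$scrypt\$)')
REDACTED = re.compile(r'^(\*+|\[REDACTED\]|<redacted>)$', re.IGNORECASE)


def find_plaintext_passwords(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, field name, value) for every field that looks
    like a credential stored in the clear."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        for match in CREDENTIAL_FIELD.finditer(line):
            field, value = match.group(1), match.group(2)
            if KNOWN_HASH.match(value) or REDACTED.match(value):
                continue
            findings.append((lineno, field, value))
    return findings


# Constructed sample log lines (not real data): three leak plaintext
# credentials, one holds a hash, one is redacted, one names a hash field.
SAMPLE_LOG = [
    'INFO login ok user=alice password=hunter2',
    'DEBUG request body: {"user": "bob", "pwd": "s3cret!"}',
    'INFO credential stored user=carol password=pbkdf2_sha256$600000$ab12$ff00',
    'INFO login ok user=dave password=********',
    'WARN auth failure user=eve secret=letmein&next=/home',
    'INFO password_hash rotated for user=frank',
]


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("stored:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    for lineno, field, value in find_plaintext_passwords(SAMPLE_LOG):
        print(f"line {lineno}: plaintext credential in field '{field}': {value!r}")
```

The scanner is deliberately conservative in what it skips: only values that match a known hash encoding or an explicit redaction marker are ignored, so an unexpected format surfaces as a finding for a human to review rather than being silently accepted.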
Most notably, Facebook agreed to the FTC settlement. Facebook will be actively and voluntarily engaged in revising its privacy policies and procedures. This stands in stark contrast to its behaviour following the Office of the Privacy Commissioner of Canada’s findings, a mere three months ago, that Facebook must alter its approach to privacy. Although the FTC settlement originates in the US, the effect will be felt worldwide. It will be interesting to see the fallout this decision will have on other organizations, especially in light of the numerous organizations facing similar, yet much less financially burdensome, fines (e.g. British Airways).
Laura has a diverse practice where she focuses on accident benefits, bodily injury claims, product liability, cyber liability, privacy law and drone liability.
Although privacy issues have been taking over the headlines in recent months, healthcare organizations have been subject to stringent privacy regulations for a number of years. Organizations providing healthcare services are particularly susceptible to issues of unauthorized access and public disclosure of personal health information (“PHI”). More specifically, professionals working in healthcare are required to maintain a high level of confidentiality with respect to their patients’ PHI.
Early this year, Ms. Hamilton, a registered practical nurse (RPN), was involved in a professional discipline hearing before the College of Nurses of Ontario. The allegations made by the College revolved around comments Ms. Hamilton made with respect to an elderly client at the facility where she worked, who suffered from Alzheimer’s disease and dementia. The allegations stemmed from an incident that occurred in December 2016.
On December 2, 2016, the client’s child (Child A) posted a publicly available message on Facebook expressing concerns about the client’s Power of Attorney (“POA”), who was also the client’s child (Child B). The same post also expressed concern about the care that the client was receiving at the facility. Numerous family members commented on this post.
The following day, on December 3, Ms. Hamilton published several comments as direct responses to Child A’s Facebook post. The comments were public and disclosed the client’s PHI including her name, identifying her as a resident at the facility, identifying herself as an RPN and employee of the facility, referring to the client’s POA, and referring to her experiences dealing with the client’s medical conditions.
More specifically, Ms. Hamilton posted:
I’m sorry but there are 2 sides to every story. I happen to work at this facility and there is no way [the Client] or any of our residents are treated as these people speak of. How dare you imply that she is neglected in any way. Our residents receive more care hours than the provincial average in Ontario long term care home. Our staff are the hardest working I’ve seen in any LTC facility I know. I’m disgusted that you would even post this filth and lies on social media. Shame on you!
We don’t have a problem with the POA [Child B]. This is your personal business which you have chosen to hang out to dry on Facebook. I will gladly call you a liar because I spend more time with your mother than you do.
When Child A’s children (the client’s grandchildren) made posts defending Child A, Ms. Hamilton was noted to have made inappropriate and unprofessional comments such as one of the grandchildren having a “bad mouth” and that the client “would be disappointed” in the grandchild for their language. Ms. Hamilton also implied that the grandchild was uneducated regarding her medical condition and had no understanding of their grandmother’s health. She also told the grandchild to “shut up” or “grow up”.
Ms. Hamilton also posted “Oh [grandchild A] I look forward to meeting you the next time you visit your grandmother – I see we have much to discuss”, which the grandchild interpreted to be a threat.
The comments were deleted, but the family members captured them.
In the course of the disciplinary hearing, Ms. Hamilton admitted that it was inappropriate to engage in such dialogue with the client’s family, especially given such a public forum like Facebook. She further acknowledged that she breached the client’s privacy and disclosed her PHI without her consent or authorization.
Professional Standard and the Allegations
In 2004, the College issued a Practice Standard titled Confidentiality and Privacy – Personal Health Information, which was updated in 2009. The standards issued by the College represent the standard of care that is expected of all members of the organization. This particular standard largely reflected the personal health information protections codified in the Personal Health Information Protection Act (“PHIPA”). Some of the provisions noted in the Practice Standard included the following:
Maintaining confidentiality of clients’ personal health information with members of the healthcare team, who are also required to maintain confidentiality, including information that is documented or stored electronically…
Not discussing client information with colleagues or the client in public places such as elevators, cafeterias and hallways…
In the Notice of Hearing, dated December 7, 2018, the College made allegations against Ms. Hamilton that she: (1) engaged in an act of professional misconduct; (2) gave information about a patient to a person other than the patient or her authorized representative without the consent of the patient and without being required or allowed to do so by law; and, (3) that she engaged in conduct that would reasonably be regarded by members of the profession as disgraceful, dishonourable, or unprofessional.
Decision and Reasoning
The committee noted that the College bore the onus of proving the allegations on a balance of probabilities based upon clear, cogent, and convincing evidence. The College found that Ms. Hamilton committed the acts of professional misconduct.
The College found that Ms. Hamilton’s conduct showed disregard for private information of clients and inappropriate use of social media. The College further noted that Ms. Hamilton’s conduct was unprofessional as it fell below the standards of nursing with respect to confidentiality and trust. In short, she showed a persistent disregard for her professional obligations. The College further noted that disclosing PHI and breaching the client’s privacy in an open public forum was unacceptable and fell well below the standards of the profession.
The College ordered several penalties including a suspension for three months and further privacy training with a regulatory expert. Training was to focus on a review of professional standards, confidentiality, and privacy regarding PHI. The College found that these penalties achieved the purpose of specific deterrence, general deterrence, and rehabilitation and remediation.
Lessons from this Case
Organizations providing healthcare services to patients are required, by law, to keep their patients’ PHI confidential. This includes proper cyber security safeguards, physical security safeguards, and policies aimed at ensuring staff are aware of their professional obligations. Organizations should develop policies that can be monitored and, more importantly, enforced on a regular basis. Ongoing staff training aimed at ensuring that staff and healthcare professionals are aware of their legal obligations to their patients is critical in meeting the appropriate standard of care.
This case is a perfect example of the impact social media has on an industry that traditionally does not have any connection to social media. Organizations should consider implementing social media policies to outline the obligations and expectations of their staff, which should be continually reinforced in the workplace. Failure to do so may result in disclosure of patients’ PHI and expose the professional and the organization to regulatory penalties and civil claims.
Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims.
A recent decision by the Alberta Privacy Commissioner has confirmed that in some cases, an organization’s requirement for independent contractors to install GPS tracking devices on their vehicles will not violate applicable privacy legislation, even though the data collected may be considered “personal information”.
Order P2019-04 involved a complaint by independent contractors retained by NAL Resources Management LTD. NAL required the contractors to install GPS devices on their vehicles, with a default setting of “on”. The devices were intended to “promote good driving behavior” and allow NAL to locate the contractor in the event of a “Safety Line call out.” The independent contractors filed a complaint alleging the data was “personal information” and therefore NAL required their consent for its use, collection, or disclosure.
The decision turned on the definition of “employee” in Alberta’s Personal Information Protection Act, and on whether the information collected by the GPS devices constituted “personal employee information” rather than merely “personal information”. If the information was only “personal information”, the contractors’ consent would be required for its collection, use, and disclosure. However, if the information was “personal employee information”, no consent was required.
“Personal information” was defined as “information about an identifiable individual”. The act generally requires the consent of an individual for the use, collection, or disclosure of “personal information”. In contrast, “personal employee information” was defined by the act as personal information reasonably required by the organization for the purposes of establishing, managing, or terminating an employment or volunteer-work relationship, or managing a post-employment or post-volunteer-work relationship between the organization and the individual. This type of information did not require the consent of the employees.
In the present case, the commissioner found that the GPS data had a personal dimension given that the data collected would enable NAL to determine the physical location of the contractor, as an individual, which could be expected to have personal consequences for the contractors as individuals. Accordingly, the GPS tracking data was “personal information.”
However, the commissioner determined that in the present circumstances the GPS data was not merely “personal information” but fell within the narrower category of “personal employee information”, because the independent contractors were considered “employees” under the act.
The commissioner noted that s. 1(1)(e) of PIPA goes well beyond the common law definition of employee to include directors, office-holders, volunteers, students, contractors or agents of an organization. Consequently, information about a contractor reasonably required by an organization to manage a contractual relationship would be “personal employee information” under PIPA, regardless of the fact that at common law, independent contractors are not considered employees.
The Take Away
This decision is interesting for employers and privacy professionals alike. It is a solid reminder that words such as “employee” can carry different meanings across different legislation. It is also a reminder that employers need to seriously consider whether any productivity/data tracking services are collecting “personal information” under their province’s specific privacy legislation. While this was a decision of Alberta’s privacy commissioner, the definition of “personal information” is mirrored in the federal privacy legislation PIPEDA that applies to provinces such as Ontario, as they do not have substantially similar legislation.
In March, 2015, in recognition of the growing concern about cyber bullying and more particularly, the increasing number of incidents of “revenge porn”, the federal government made it a criminal offence to share intimate images. The recent case of R. v. JS provided a thorough review of the relevant case law dealing with this offence.
The charges stemmed from the offender’s decision to post a nude photograph of his wife in a men’s chat group at his church. The photo was posted after the couple separated. At issue was the appropriate sentence for the offence following the accused’s guilty plea.
The Court noted although the criminal charge was relatively new, the case law had begun to proliferate. In considering the nature of the offence, the Court cited the decision of R. v. AC (2017 ONCJ 317), which held:
The provision protects privacy. At its core, privacy is about a person’s ability to control access to something, whether it is private information or a private image. As in this case, someone like [the victim] may agree to have private photographs or videos taken that will not be seen by anyone apart from a romantic partner. Where someone shares an intimate image without consent, he violates the depicted person’s privacy because he has gone beyond that limited, consensual use. The more people to whom the image is exposed, the greater the invasion of privacy and the greater the harm caused to the victim.
The Court noted that the majority of the sentences for these types of cases involved a period of incarceration. However, the ultimate goal for the sentencing for this charge was denunciation and deterrence of this type of behaviour.
The Court found that this case was not on the low end of the spectrum as the intimate image was accessible to a chat group; the accused did not voluntarily remove the image; and, the victim was identifiable to viewers. The actions were designed to humiliate and degrade the victim. The most significant mitigating factor was the limited number of people in the group so it was not disseminated more widely. Although the victim had not provided a statement, the Court inferred substantial harm to the victim as a result of the actions. The Court found that an appropriate sentence was a two year suspended sentence.
Privacy rights are strengthening with every privacy case being heard in Canada, and the definition of “appropriate use” continues to be refined on a regular basis. The modern reality is that individuals will use technology for personal, private, and sometimes intimate purposes. The Court’s interpretation and application of privacy principles must continue to clarify the appropriate use of private information and data. In this case, the line is quite clear.
The Alberta Office of the Information and Privacy Commissioner (“Commissioner”) recently considered whether it had jurisdiction to deal with a privacy complaint. The Complainant alleged that De Beers Canada Inc. collected his passport information in contravention of Alberta’s Personal Information Protection Act (“PIPA”).
The facts were relatively straightforward. The Complainant lived in Ontario and was hired by Memory Tree Video productions in Ontario as a subcontractor to provide television camera production services. The job required him to attend a De Beers diamond exploration site in northern Saskatchewan. Upon being hired, Memory Tree requested the Complainant’s passport information. When asked, he was told that De Beers needed this information and it was necessary in order to book the flight for him. This fact was disputed by a representative from De Beers. The Complainant provided the documentation but then filed a complaint with the Commissioner in Alberta.
In considering whether De Beers was subject to PIPA, the Commissioner noted that the company had its head office in Calgary. As such, when it collects, uses or discloses personal information within Alberta, it must comply with PIPA. However, if the information was collected outside of Alberta, PIPA would not apply. In such instances, either other provincial privacy legislation or the Personal Information Protection and Electronic Documents Act, federal legislation that protects privacy interests, would apply.
The Commissioner concluded that the subject matter of the complaint did not take place within Alberta but within Ontario. As such, PIPA did not apply and the Commissioner did not have jurisdiction.
Like in any civil case, the Commissioner will assess whether they have jurisdiction over the individuals/companies involved in the dispute. It is important to identify the correct venue and legislation that applies to a specific case and appeal to the proper entity that maintains jurisdiction over the dispute. Failure to do so may be fatal to a privacy infringement claim.
Data and privacy breaches caused by malicious actors accessing your organization’s systems are here to stay. Once considered an emerging risk, “cyber” is now a hard reality facing every organization. Given the frequency of employees causing cyber breaches, human resources professionals have a growing role to play in managing this risk.
More likely than not, your organization will suffer a cyber breach and one of your employees will be the cause. In practice, personnel are just another attack surface to be manipulated. Malicious actors often use an organization’s own employees to further their unlawful goals, and the majority of breaches result from the actions (or inaction) of an organization’s employees. The 2018 NetDiligence Cyber Claims Study found that in 2017, approximately 58% of all claims were caused by ransomware, business e-mail compromise, phishing, rogue employees, or staff mistakes.
When dealing with a breach, there are significant legal consequences for an organization from a human resources standpoint. The human resources department can play a key role before, during, and after a breach event to mitigate these consequences.
Before a breach, human resources departments are frequently tasked with arranging appropriate cyber training for an organization’s employees. Ensuring that employees establish good password hygiene, can identify phishing attempts, and know when to report a possible breach will likely fall in HR’s wheelhouse.
During a breach, a senior member of HR makes an excellent addition to an organization’s response team. Consistent and accurate internal messaging during a breach is important. HR professionals know their team of employees and the most effective methods of communication. They know the individuals involved and have (hopefully) developed a rapport with their team members. Crucially, they are familiar with performing and facilitating investigations and can provide invaluable assistance in the fact gathering stage of a breach. Employees will often be more at ease speaking to an external breach coach or forensic investigator in the presence of an HR professional they know and trust. If a malicious insider is suspected, they may have information pointing to a likely suspect.
In the aftermath of an employee-caused breach, HR has a continuing role. According to a survey from Kaspersky Lab, 31% of breaches result in organizations terminating at least one high-level employee. After an employee-caused breach, an organization will have to make a decision. What do you do with the at-fault employee? In the case of the malicious insider, termination seems obvious; however, what of the “innocent” but negligent employee? In some cases, dismissal may not be the most appropriate result. Additional training, supervision and guidance may be the more effective approach.
If an employee is dismissed, that dismissal may have an impact on future risk. If senior management is calling for heads to roll, HR knows the legal requirements for a proper dismissal. HR is in a good position to determine whether a dismissal for cause is legally defensible. Employers have an obligation of good faith and fair dealing in the manner of dismissal. HR knows that frog-marching a negligent employee out the door in full view of the office on the day of the breach may not be advisable. It impacts morale and risks opening the door to future litigation. Additionally, employees who are dismissed in a summary manner are less likely to cooperate with the organization if (and when) a third party lawsuit comes knocking.
The Take Away
The risk presented by cyber breaches is daunting but has also provided an opportunity for human resources professionals to maintain their position as proactive problem solvers. While cyber is now an established risk that impacts every sector of the economy, many organizations lack a comprehensive breach response. Every organization is different and has different needs and exposures. The need for a unique and tailored approach provides a real opportunity for senior HR professionals. Early and active involvement of these team members in developing and strengthening your organization’s training, culture, and response can mitigate your risk from this growing problem at all stages.
Devan Marr’s practice has focused on bodily injury, long term disability, statutory accident benefits, and employment claims.
The digital age has brought about significant benefits in our everyday lives. We can settle disputes by searching for an answer on our smartphones; get inspiration for some interior decoration through Instagram; and who can resist a midnight McDonald’s delivery with Uber Eats? Considering that the modern toothbrush was not invented until 1938, today looks like something out of a science fiction novel, and technology makes our day-to-day lives considerably easier. However, the damaging effects of technological advancements were largely ignored until recent years. The widespread availability of technology and online platforms reveals a darker side of humanity and allows people to use technology for nefarious purposes, rather than the positive ones we would like to believe it was created for.
Twitter is a great source for recent news and social commentary; however, in 2017, a Maryland man was arrested for sending a reporter a Twitter message containing a flashing strobe-light image in an attempt to trigger the reporter’s epilepsy. Instagram is a great platform to share your experiences with friends and gain inspiration for design; however, earlier this year, a man in Perth, Australia became the first individual charged under new revenge porn legislation after posting intimate images of his ex-girlfriend on Instagram. In 2015, Canada passed the similar Bill C-13, which created the new offence of non-consensual distribution of intimate images. Facebook is a great way to stay connected with classmates and colleagues; however, earlier this year its live stream service carried the Christchurch mosque attack in New Zealand. Technological advances are creating a more cohesive, well-connected, and more convenient world, but the same technology has the potential to be used to cause significant harm to others.
A question arises: who is responsible for monitoring and controlling the content that is posted and how this technology is used? Should private companies be policing what users are posting or should the government be stepping in to place a greater burden on organizations? Prime Minister Trudeau believes that Canadians should have more control over their own data and the government should be taking steps to place a greater onus on organizations to combat adverse uses of the technological advances.
On May 16, 2019, Prime Minister Trudeau spoke in Paris, France, regarding the Christchurch attack in New Zealand. He committed to creating a “digital charter” that will restore the faith of citizens while holding online platforms accountable. Trudeau said that he is looking “to working alongside internet companies, but indeed, if they do not choose to act, we will be forced to continue to act in ways that protect Canadians…”.
Prime Minister Trudeau’s commitment demonstrates the inextricable link between technology and privacy. Organizations must keep up with the slow-moving government changes and shift their organizational strategies to reflect the importance placed on the way they handle users’ data. Organizations will also be called on to take on a greater societal obligation to protect citizens and their data. If organizations do not want to commit to such a standard, the government seems committed to forcing them to do so through judicial means.
Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims.
In Kaplan v. Casino Rama, released May 7, 2019, Justice Belobaba dismissed the plaintiffs’ motion to certify a class action arising from the 2016 cyber-attack on Casino Rama.
In November 2016, Casino Rama’s computer system was hacked and a variety of personal information relating to the casino’s employees, customers and suppliers was stolen. The hacker made a ransom demand, which was not paid, following which the hacker posted the personal information of close to 11,000 people online.
The representative plaintiffs included employees of the Casino, members of the Casino’s loyalty program, and people who had joined OLG’s self-exclusion program.
In considering whether to certify the class action, Justice Belobaba made specific reference to the steps taken by the Casino, including notifying the authorities, notifying thousands of people potentially affected by the breach, taking steps to shut down the websites containing the stolen information and providing free credit monitoring for a year to many of the people affected. He also noted that there was no evidence that anyone had experienced fraud or identity theft or that anyone had suffered financial or psychological loss because of the attack.
In reviewing the five requirements for certification, as set out in s 5(1) of the Class Proceedings Act, Justice Belobaba concluded the class action “collapse[d] in its entirety at commonality” [5(1)(c)]. Despite this finding, Justice Belobaba also made substantive comments with respect to 5(1)(a) and (b), which are summarized below.
5(1)(a) Cause of Action
The plaintiffs asserted five causes of action: negligence, breach of contract, intrusion upon seclusion, breach of confidence and publicity given to private life.
Of note, the hacker remained unidentified and was not a party to the action. Traditionally, some of the causes of action pleaded are aimed at recovery from the party who breached the plaintiff’s privacy (i.e. the hacker). Justice Belobaba commented that this left class counsel “trying to force square (breach of privacy) pegs into round (tort and contract) holes”.
The Court found the claims for breach of confidence and publicity given to private life were doomed to fail and should be struck. It also questioned whether intrusion upon seclusion could be sustained against the defendants on the basis of their alleged recklessness. However, considering the infancy of the tort of intrusion upon seclusion, Justice Belobaba was not prepared to find that the claim was bound to fail. He found the same with respect to the claims in negligence and breach of contract.
5(1)(b) Class Definition
The Court found the proposed class was overly broad and imprecise. Justice Belobaba made a point of agreeing with the defendants that the class definition could not include the Casino’s unionized employees. The Court lacked jurisdiction over their complaints for the privacy breach, whether in negligence or contract, as they fell within the ambit of the collective agreement. Such matters fall within the exclusive jurisdiction of the Ontario Labour Relations Board.
5(1)(c) Common Issues
Justice Belobaba deliberated on the appropriate test under s. 5(1)(c), which for years required satisfying two inquiries: (1) whether there was some evidentiary basis that the proposed common issue actually existed; and, (2) whether there was some evidence that the proposed issue could be answered in common across the entire class. However, in the 2013 decision of the Supreme Court of Canada, ProSys Consultants Ltd v. Microsoft Corp, the first part of the test was eliminated, no longer requiring evidence that the alleged acts occurred. Justice Belobaba found himself to be bound by the SCC’s direction; however, he performed the two-step analysis, noting that an appeal was likely forthcoming.
Getting to the heart of the common issues analysis, Justice Belobaba made the following comments at paragraph 56 of the decision:
The problem here, with almost all of the PCIs [proposed common issues] is that there is no basis in fact for either the existence of the PCI or its overall commonality or both. Further, many of the PCIs require so much in the way of individual inquiry that any commonality is overwhelmed by the need for individualized assessments.
Justice Belobaba found that the proposed causes of action that could possibly proceed – negligence, breach of contract, and intrusion upon seclusion – could not serve as the basis for common issues. His conclusion hinged on a not-so-subtle finding that privacy breach cases are inherently individual in nature. In this case, the stolen information varied amongst the victims, ranging from mundane information (e.g. addresses) to more sensitive data (e.g. bank records). Justice Belobaba found that whether each of the alleged causes of action could be made out required a look at the individual circumstances of each plaintiff. For instance, the standard of care in data breach cases is a sliding scale based on the sensitivity of the stolen information. Intrusion upon seclusion also requires consideration as to whether the breach is “offensive” to the specific plaintiff. Finally, there was no evidence of any class-wide contractual terms or conditions to support a common issue in that regard.
The Court acknowledged that it should not refuse certification merely because the damages would require individual assessments. However, Justice Belobaba found that there were no common liability issues, which made the issue of damages moot.
Finding that there was a lack of commonality, the Court dismissed the motion for certification.
Lisa has an insurance law practice that has focused exclusively on insurance defence for 15 years. Her practice focuses on complex insurance-related litigation, including accident benefits and bodily injury.
The recent decision by the Court of Appeal clarifies the developing concept of individuals’ privacy rights. The appellant was in a long-distance romantic relationship with the complainant. During their relationship, the parties engaged in an intimate webcam video chat where both were naked. The appellant, unbeknownst to the complainant, took still photographs of her. After the relationship ended, the appellant emailed the nude photos to many people. At trial, he was convicted of voyeurism and he appealed this conviction.
On appeal, the Court noted that there were five elements that must be satisfied under the charge of voyeurism – (1) the accused observed or recorded the subject; (2) the accused’s observation or recording was done surreptitiously; (3) the subject was in circumstances that gave rise to a reasonable expectation of privacy; (4) the subject was nude or exposing sexual parts of her body or engaged in sexual activity; and, (5) the observation or recording of the subject was done for the purpose of recording them in such a state. The issues on appeal were whether the complainant had a reasonable expectation of privacy in the circumstances and whether the appellant acted surreptitiously.
With respect to the complainant’s subjective expectation of privacy, the Court explained that she expected that the appellant would see a fleeting image of her on her computer screen in real time. She did not know and did not expect that the appellant would make any permanent recording of her naked body. The trial judge accepted the complainant’s evidence that at no point during their relationship did the appellant advise that he was capturing permanent still images.
The Court explained that the next question was whether the complainant’s subjective expectation was reasonable in the circumstances. This question should be considered in light of the norms of conduct in our society. The Court noted that there were two norms that were particularly relevant. First, an individual’s privacy expectation for some body parts is reasonably higher than for others. The exposure of intimate body parts in the privacy of the bedroom attracted a high expectation of privacy. Second, there was a distinction between mere observation and recording a permanent image.
The Court of Appeal was satisfied that the complainant was entitled to reasonably expect the appellant would not record their sexual activities in “virtual space” without her consent. The complainant had a reasonable expectation of privacy.
The final issue was whether the recording was done “surreptitiously.” The Court noted that there was little judicial consideration of the term. The Court found that the term, within the context of a voyeurism offence, must be given its ordinary meaning - including intent. Specifically, the Court held that the mental state required by the term was the intent that the subject not be aware that she was being observed or recorded. To prosecute the charge, the Crown may prove the accused acted surreptitiously by proving that he observed or recorded the subject with the intention that they be unaware that it was happening.
The conviction was upheld.
Although the result is seemingly apparent, the legal system has not developed to a point where privacy rights are innately preserved. This decision, along with the Supreme Court of Canada’s R. v. Jarvis, illustrates the importance of, and the societal shift toward, our expectation of privacy in both the public and private sphere. In the criminal context, Courts are agreeing to punish individuals who invade another’s privacy – civil courts are likely to follow.