On March 24, 2022, in Stewart v. Demme, 2022 ONSC 1790 (Stewart), the Ontario Divisional Court (Court) overturned the certification of an intrusion upon seclusion claim in a proposed class proceeding. It is a further example in a recent line of cases in which Ontario courts are refusing to certify class actions relating to data breaches (see Blakes Bulletins: Proposed Privacy Class Action “Collapses in its Entirety” on Commonality and Ontario Divisional Court Overturns Certification of Intrusion Upon Seclusion Claim). Stewart underlines that intrusion upon seclusion claims are available only in the most serious privacy cases. Even unauthorized access to data falling within a category that can be highly sensitive — like personal health information — does not automatically fall within the scope of the cause of action.
Over a period of ten years, a hospital nurse stole thousands of painkiller pills to satisfy her addiction. To mask the theft by appearing to obtain the pills for patients, the nurse accessed health records of over 11,000 patients. The records contained a limited amount of patient information, including about their hospital unit, allergies and medications. The nurse accessed these records for a few seconds at a time and only for the purpose of obtaining the drugs.
The plaintiff brought a class action against the nurse and the hospital seeking damages for intrusion upon seclusion and negligence. To make out a claim for intrusion upon seclusion – which was first recognized in the 2012 Ontario Court of Appeal decision, Jones v. Tsige – a plaintiff must satisfy three elements:
The defendant invaded the plaintiff’s private affairs without lawful justification;
The defendant’s conduct was intentional or reckless; and
A reasonable person would regard the invasion as highly offensive and causing distress, humiliation or anguish.
The first and second elements of the tort were satisfied in Stewart. The case therefore turned on whether the invasion of patients’ privacy would be regarded by a reasonable person as “highly offensive, causing distress, humiliation or anguish.”
The certification judge held that the plaintiff’s intrusion upon seclusion claim was viable. He found that “the facts do not exactly ‘cry out for a remedy’” and characterized the nurse’s conduct as a “fleeting” interference in limited personal health information. Nonetheless, he reasoned that “any intrusion – even a very small one – into a realm as protected as private health information may be considered highly offensive and therefore actionable”. As a result, he permitted the claim to proceed as a class action.
DIVISIONAL COURT DECISION
The Divisional Court overturned the certification decision and dismissed the intrusion upon seclusion claim.
The Court held that “[n]ot every intrusion into private health information amounts to a basis to sue for the tort of intrusion upon seclusion.” Rather, the Court emphasized that, on the facts, the intrusion must be “‘highly offensive’ when viewed objectively having regard to all the relevant circumstances.” Where a particular case does not “cry out for a remedy”, that is a sign that the high bar to bring a viable intrusion upon seclusion claim has not been satisfied.
On the facts of Stewart, the Court found that the intrusion into patient personal information was not “highly offensive” because:
The nurse’s access to the patient health records was “fleeting”;
The records she viewed were at the low end of the sensitivity scale; and
The motive behind the intrusion was not to snoop into patient records but to obtain access to drugs.
While there may be further appeals, Stewart is an important development in Canadian privacy law. It shows the high bar that a plaintiff must meet to bring an intrusion upon seclusion claim. Only intentional, highly offensive breaches of privacy are actionable. Whether a particular breach is highly offensive will depend on the specific circumstances and context of the situation, including the degree and scope of access to personal information, the sensitivity of the information accessed and the defendant’s motives.
Stewart is also notable for holding that not all intrusions into private health information generate tort liability. Courts can likely be expected to apply this reasoning in other realms of personal information traditionally regarded as most sensitive, such as financial information, employment records and private correspondence.
Finally, Stewart once again demonstrates that the reasonable cause of action criterion is a meaningful screening tool in class actions. Claims, including the novel application of a recognized cause of action, can be fully vetted at the pleadings stage.
© 2022 Blake, Cassels & Graydon LLP