Continued Utility of Privacy Class Actions in Deterrence

Several years ago, I covered in the Western Journal of Legal Studies the emergence of class actions as a viable mechanism to promote privacy interests in the public. Central to this promise was the inability of statutory remedies to provide any meaningful deterrence against these breaches. I specifically focused on the Personal Health Information Protection Act (PHIPA), which had never had a successful prosecution at that time.

Since then, there have been successful prosecutions under PHIPA starting in 2016, and there have been some changes that might make it more viable in protecting privacy interests. Amendments under Bill 119 around this same time revised the definition of use of private information to include viewing, one of the key elements of the intrusion upon seclusion tort that was not previously covered explicitly under the statutory scheme.

Bill 119 also increased the fines from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations, and removed a 6-month limitation. It introduced mandatory reporting to the Information and Privacy Commissioner of Ontario (“IPC”), as well as mandatory reporting to the regulatory colleges. As I detail in my previous piece, the potential for professional discipline has also failed to effectively act as a deterrent against breaches.

Other features of Bill 119 are that it increases the authority and responsibility of Health Information Custodians (HICs), especially as it relates to any agents to collect, use, disclose, retain or dispose of Personal Health Information (PHI) in relation to the instructions, permission, restrictions, and obligations that are imposed on this PHI. These are all essential to the new additions in the Act under Part V.1, dealing with Electronic Health Records (EHRs), which allows eHealth Ontario to enable HICs to collect, use and disclose PHI in relation to a patient’s EHR.

Although Ontario considered and debated further amendments to the PHIPA under Bill 78, these changes were never passed. Instead, the province passed new regulations to the Act in 2017, which made a number of significant changes that were intended to address other deficiencies alluded to above, strengthening the breach notification procedures and notices to professional colleges. All HICs also have to report every year, starting March 1, 2019, the number of times in the preceding year that PHI was stolen, lost, or used without authority.

It is unlikely that these substantial changes will be sufficient to entirely displace the need for a private right of action in tort for privacy interests, but there are also developments in the area of class actions which may have an impact on its efficacy as a remedy for the public.

Last year, Justice Perell refused to certify a privacy class action in Broutzas v. Rouge Valley Health System, where the plaintiffs claimed the tort of intrusion upon seclusion against hospital employees who had accessed hospital records. These employees obtained contact information about patients who had given birth, then sold Registered Education Savings Plans (“RESPs”) directly or through dealers who sold RESPs. Central to this finding was that they did not sell or disclose any confidential medical information,

[151] I generally agree with the Defendants’ arguments. It is plain and obvious in the case at bar that there is no tenable cause of action for intrusion on seclusion because there was no significant invasion of personal privacy and a reasonable person would not find the disclosure of contact information without the disclosure of medical, financial, or sensitive information, offensive or a cause for distress humiliation and anguish. The contact information that was the objective of the intrusion in the immediate case was not private, there was not a significant invasion of privacy, and the invasion of privacy was not highly offensive to an objective person.

[152] In other words, in the immediate case, it is not the case that the disclosure of just contact information intrudes on the class members’ significant private affairs and concerns, and in the immediate case, it is not the case that the disclosure of contact information would be highly offensive to a reasonable person and cause her distress, humiliation, and anguish.

[153] Generally speaking, there is no privacy in information in the public domain, and there is no reasonable expectation in contact information, which is in the public domain, being a private matter. Contact information is publicly available and is routinely and readily disclosed to strangers to confirm one’s identification, age, or address. People readily disclose their address and phone number to bank and store clerks, when booking train or plane tickets or when ordering a taxi or food delivery. Many people use their health cards for identification purposes. Save during the first trimester, the state of pregnancy, and the birth of child is rarely a purely private matter. The news of an anticipated birth and of a birth is typically shared and celebrated with family, friends, and colleagues and is often publicized. The case at bar is illustrative. All the proposed representative plaintiffs were not shy about sharing the news of the newborns.

This finding was the crucial one in distinguishing it from the previous seminal case in privacy class actions, in Hopkins v. Kay. Because there was no sensitive medical or financial information disclosed, and no threat to the physical security of the plaintiffs, the criteria for the tort of intrusion upon seclusion had not been met [para 168]. This effectively precluded the plaintiffs from asserting any certifiable common issues,

[126] I cannot under the rubric of the cause of action criterion, however, address the circumstance that in the immediate case although there are assumed facts, there is actually no basis in fact for a reasonable cause of action for intrusion on seclusion. Technically speaking, in the immediate case, under the rubric of the cause of action criterion, I cannot address whether there is a reasonable cause of action for intrusion on seclusion, based on the true and acknowledged facts that only patient contact information was intruded upon and that there was no intrusion on the medical records of the patients. Technically speaking, the some-basis-in-fact analysis comes later under the rubric of the other certification criterion. 

[127] It is under the rubric of the other certification criteria, most particularly the common issues criterion, where the court can screen the case for a cause of action that actually exists that is shared by an identifiable class that actually exists.

[174] …Although some of the Defendants may have been liable for professional misconduct or other civil, criminal, or statutory wrongs associated with personal privacy, nevertheless, the parameters of intrusion on seclusion are tight and narrow and this tort is not established by some sort of guilt by association. Intrusion on seclusion has its own constituent elements and its own legal parameters that in my opinion are not satisfied in the case at bar.

[emphasis added]

Given the lack of common issues, Justice Perell concluded that the preferable procedure criteria under s. 5(1) of the Class Proceedings Act, 1992 were not satisfied [para 295]. This requirement is described by Winkler, Perell, Kalajdzic and Warner, The Law of Class Actions in Canada, (2014) at 112-13 as follows,

[I]f an issue can be resolved only by asking it of each class member, it is not a common issue …An issue is not “common” simply because the same question arises in connection with the claim of each class member, if that issue can only be resolved by inquiry into the circumstances of each individual’s claim.

…The fact of a common cause of action asserted by all class members does not in itself give rise to a common issue since the actual determination of liability for each class member may require individualized assessments.

The Law Commission of Ontario’s new report, Class Actions: Objectives, Experiences and Reforms, confirms that the lack of common issues continues to be the main grounds for dismissal on certification motions in Ontario.

 

Another privacy class action in Kaplan v. Casino Rama Services Inc. was denied certification earlier this year, this one focusing on a criminal cyberattack. The significant cost award earlier this month of $160,000 highlights the risk of these actions, as neither the novelty nor the public interest arguments on costs were accepted. The primary basis for this denial by Justice Belobaba was on similar grounds, that there was an absence of commonality in the privacy interests,

[56] The problem here, with almost all of the [Proposed Common Issues] PCIs, is that there is no basis in fact for either the existence of the PCI or its overall commonality or both. Further, many of the PCI’s, particularly those that ask about duty of care or breach of a standard of care, require so much in the way of individual inquiry that any commonality is overwhelmed by the need for individualized assessments.

[79] …No evidence has been presented that any such invasion or intrusion was in relation to private as opposed to simply personal information or that any such invasion or intrusion would be highly offensive to a reasonable person. And more importantly, no evidence that the determination of whether such invasion or intrusion was or would be highly offensive to a reasonable person could be decided class-wide on a common basis.

[80] In this case, individual inquiries would be required to determine if class members were in fact embarrassed or humiliated by the disclosure of the fact that they were, for example, patrons of Casino Rama. Even if one or more of the representative plaintiffs could prove that she was embarrassed or humiliated, and that her reaction was objectively reasonable in the circumstances, no methodology has been provided to show how the individual assessments could translate into class-wide determinations.

Justice Belobaba preferred the one-step analysis for common issues identified by the Supreme Court of Canada in Pro-Sys Consultants Ltd. v. Microsoft Corp. and the Court of Appeal in Hodge v. Neinstein, over the two-step approach found in the Divisional Court case of Batten v Boehringer Ingelheim.

The movement away from finding commonalities here is a narrower interpretation than the one used in Condon v. Canada, where the impact on the proposed plaintiffs could be described as an “inconvenience.” However, even in that case the court required that the basic biographical information relate to financial records that demonstrated the existence of a debt obligation, thereby creating a privacy interest [para 59].

Kaplan was complicated by the fact that the privacy breach was carried out by an independent hacker, who was not a party to the action. The hacker posted the stolen personal information online when a ransom demand was not paid. The defendant had contacted the authorities, attempted to shut down the website containing the personal information, and notified all the parties who were involved. There were no provable losses, and the primary culprit was never sued.

That doesn’t mean that the defendants could not potentially be sued on this basis on a different set of facts, as Justice Belobaba highlighted in referring to the changing nature of the new privacy tort,

[28] Intrusion upon seclusion. I was initially of the view that the intrusion upon seclusion tort, first recognized by the Court of Appeal in Jones v. Tsige,[10] was doomed to fail on the facts of this case for one simple reason: it was the hacker, and not the defendants, who invaded the plaintiffs’ privacy.

[29] However, given the comments of the B.C. court in Tucci[11] and this court in Bennett[12] and Equifax Canada[13] that this is a new tort that is still evolving and could conceivably support a claim against defendants whose alleged recklessness in the design and operation of their computer system facilitated the hacker’s intrusion – I am not prepared to say that the intrusion upon seclusion claim is plainly and obviously doomed to fail.

Since the Court of Appeal’s decision in Jones v. Tsige, I have cautioned employers and institutions that the same facts that gave rise to intrusion upon seclusion could very well be interpreted differently today given the greater ability to scrutinize, monitor, and catch data breaches, and the failure to use reasonable or best practices in this respect could indeed give rise to liability.

Despite the challenges with finding commonalities around the highly personalized nature of privacy breaches, to this extent the tort may still act as a deterrent and encourage privacy holders to bolster their security systems.

Comments

  1. David Collier-Brown

    I quite agree, and note that several hospitals known to me have been strengthening their security procedures to avoid what I’d consider “gossip” about well-known persons, arguably to avoid “viewing”.

    I also rather wonder if using what is
    * personal information,
    * from a repository of mixed public, personal and sensitive health information,
    * provided by the patient and doctors for a specific medical purpose,
    * for a commercial purpose
    might be actionable under some other head than intrusion upon seclusion? To my uneducated ears, it sounds like a parallel to “conversion”.