“A person’s computer is a highly personal storage instrument. Many cases have concluded that an extremely high level of privacy is expected regarding the contents.”
One week after the Ontario Court of Justice made that observation in Pottruff v. Don Berry Holdings Inc., 2012 ONSC 311 (which involved a workplace setting), the Ontario Court of Appeal ruled in Jones v. Tsige, 2012 ONCA 32 that in Ontario the tort of invasion of personal privacy now exists. The Court has identified the basis for this new cause of action to be an “intrusion upon seclusion”. While this decision applies generally, it is likely to have a significant effect on provincially regulated employers who, to date, have not been subject to any data protection statutes or other requirements with respect to employee personal information as well as those employers who are governed under provincial legislative schemes that do regulate employee personal information.
Why is the Jones v. Tsige decision noteworthy?
Under the Personal Information and Protection of Electronic Documents Act (“PIPEDA”), provincially regulated employers need to protect the personal information they collect in the course of commercial activities, but there is no equivalent statutory obligation to protect employee personal information collected and used in the course of employment. In Alberta and British Columbia provincially regulated employers do have statutory obligations in respect of their collection, use and disclosure of employee personal information under the applicable Personal Information Protection Act (“PIPA”) of each province.
With the recognition of this new tort, unless employers have appropriate policies with respect to employee privacy, employee data protection and use of workplace technology systems, they may now face claims for damages from employees (and former employees) asserting a breach of their personal privacy at the workplace.
When could such a claim arise?
A breach of privacy claim could arise wherever there is an intrusion upon the employee’s seclusion, such as when an employer seeks to monitor an employee’s computer usage, conducts video surveillance of employees, requires pre-employment credit checks or undertakes physical searches of employees or their property.
The facts of the case
In Jones v. Tsige, Jones and Tsige were both employed at a bank, but did not know or work with each other. Tsige had become involved in a common law relationship with Jones’ ex-husband. Jones maintained her primary bank account at the bank. Given her position, Tsige accessed the banking information of Jones 174 times over a four-year period, contrary to the bank’s policy. When Jones discovered the unauthorized access of her bank account, she complained to the bank (who suspended Tsige for a week without pay) and commenced an action against Tsige in the Ontario Superior Court of Justice for invasion of privacy, seeking damages of $70,000 plus punitive damages of $20,000.
At the first level, the action was dismissed on the grounds that the tort of invasion of privacy did not exist at common law in Ontario. Jones appealed.
The Court of Appeal overturned the first decision and recognized this new common law action of “intrusion upon seclusion”.
It reasoned that the Internet and digital technology have accelerated the pace of technological change exponentially, causing personal data to be particularly vulnerable. The Court found the common law is capable of evolving to develop the common law to protect personal data and an individual’s right to privacy.
Elements of the New Tort
The Court adopted the wording used in the United States to define “intrusion of seclusion” as follows:
One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.
The Court laid out the three elements of this cause of action:
- the defendant’s conduct must be intentional, including recklessness;
- the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
- a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.
Importantly, the Court expressly stated that proof of harm to a recognized economic interest is not an element of the cause of action.
Limitations of the Tort
The Court expressly stated that the three elements listed above make it clear that this new tort should not result in massive numbers of claims. A claim for “intrusion upon seclusion” will arise only for deliberate and significant invasions of personal privacy. In an attempt to limit the application of this new tort, the Court identified that only intrusions into sensitive information that, viewed objectively, could be reasonably described as highly offensive, will be protected; examples included intrusions into:
- financial or health records;
- sexual practices and orientation;
- employment; or
- diaries or private correspondence.
The Court suggested that where there was no financial harm suffered by the person making the claim, the damages should be modest, and it set a limit, generally, of $20,000. In this case, it awarded $10,000 to Ms. Jones.
What does this mean for Employers?
Although in its decision the Court stated that “recognizing this cause of action will not open the floodgates”, employers may see an increase in claims for “breach of privacy” until courts have issued decisions defining with greater certainty which actions fall within the parameters of the new tort.
It is suggested employers should have clear policies which articulate the right of the employer to monitor the employee’s use of company systems in order to clarify what information would be private at a workplace.
Employers who take steps to define the reasonable expectations in the workplace will not only be better equipped to defend against intrusion of seclusion claims but will also be well positioned to argue that they should not be held vicariously liable for employees, acting outside the scope of their employment, who breach policies by accessing or otherwise violating the privacy rights of other employees.
The policies should be clear that employees who engage in personal use on the company’s technology systems make a choice that results in potential loss of personal privacy. In other words, it should be clear that if an employee chooses to use company systems for personal communication and information storage, that employee should have no expectation of privacy, and should know that the employer may view all information, including the personal information, on its systems.
The Court in Jones v. Tsige recognized that the common law evolves. Employers must be mindful of this evolution. If an employer has not developed privacy policies and technology use policies designed to clarify appropriate privacy expectations at the workplace, they should do so. For employers who have already defined the expectations, it is prudent to revisit the appropriate policies to assess if they need to be updated in light of this decision.