Last week Ontario’s Court of Appeal recognized for the first time the right of an individual to sue for breach of privacy. The new common law tort is called “intrusion upon seclusion”, and its purpose is to provide a remedy for invasions of personal privacy.
In brief, the case involved a lawsuit between two Bank of Montreal employees, Ms Jones and Ms Tsige. They worked at different branches and did not know each other personally, although Ms Tsige was involved in a relationship with Ms Jones’ former husband. Over the course of a four-year period, Ms Tsige used her work computer to view Ms Jones’ personal banking activity on more than 174 occasions (i.e. approximately once per week).
Eventually Ms Tsige’s activities were discovered. When confronted, she acknowledged that she had no legitimate reason for viewing the information and that she had violated bank policy. Ms Jones subsequently brought an action against Ms Tsige (but not against the bank) for breach of privacy.
The Court of Appeal ruled in favour of Ms Jones and confirmed the existence of a right of action for intrusion upon seclusion. Ms Jones was awarded damages of $10,000. The decision to recognize a right of action for breach of privacy was based in part upon the increasing pace of technological change brought about by the internet and digital technology. The Court of Appeal found that the significant amount of personal information being stored in electronic databases posed a novel threat to an individual’s privacy rights. However, the Court of Appeal also noted that the tort was limited to “deliberate and significant invasions of personal privacy” involving “financial or health records, sexual practices and orientation, employment, diary or private correspondence.” Generally, the damages available for this tort will be all provable financial loss and up to $20,000 for non-financial loss. In addition, aggravated and punitive damages may be available in certain cases.
This decision may create significant liability for those employers who have not implemented clearly worded policies related to the ownership of the company’s technology and systems. For example, in the absence of a policy confirming that it is the employer who owns the company’s computer system and information on that system, an employee may believe that he/she has a reasonable expectation of privacy when using the employer’s computer for both business and personal matters. An intrusion by the employer into that employee’s “personal” files or emails may give rise to a claim for breach of privacy by that employee. Employees may also claim a breach of privacy when they are disciplined for activity discovered using computer monitoring. The recognition of this tort highlights, now more than ever, the importance of clear policies about the use and abuse of company systems.
If you have any questions about the effect of this decision on your organization’s policies, please contact any member of our Labour and Employment Group.