For nearly a decade, a nurse repeatedly viewed healthcare records of patients in order to steal prescription medication from a hospital. The access to the patient records was fleeting – the nurse was interested in the medication, not the information, and spent no more than a few seconds on any particular patient’s page. Over time, she accessed more than 11,000 records and stole nearly 25,000 Percocet pills. 

Do such facts permit the certification of a class action for the recently recognized tort of intrusion upon seclusion? In a Stewart v. Demme, 2022 ONSC 1790, the Ontario Superior Court of Justice (Divisional Court) said that they do not. Rather, the court concluded that it was plain and obvious that these facts did not – and could not – amount to the tort of intrusion upon seclusion, because the nature of the intrusion was not sufficiently serious.  

As we have previously reported, Ontario courts have not been afraid to strike down putative class actions for intrusion upon seclusion where the claims do not involve the type of intentional and highly offensive conduct described by the Court of Appeal in Jones v. Tsige, 2012 ONCA 32 (“Jones”).

Stewart is yet another example of Ontario courts taking a cautious and restrained approach to this new privacy tort in the class action context. This decision may also provide guidance to Canadian courts considering statutory privacy claims. For example, the British Columbia Privacy Act, RSBC 1996, c 37 creates a statutory tort for breach of privacy that bears many analogs to the common law tort, including because it is actionable without proof of damage.

Background

In Jones, Ontario Court of Appeal established a limited and specific tort of “intrusion upon seclusion”. The elements of the tort are as follows:

(1) the defendant’s conduct must be intentional (which includes recklessness);

(2) the defendant must have invaded, without lawful justification, the plaintiff’s private affairs; and

(3) a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

We discussed this decision in detail in a previous article, found here.

Certification Decision (2020 ONSC 83)

Justice Morgan certified Ms. Stewart’s claim for intrusion upon seclusion. In reaching this decision, he concluded that, despite the fleeting nature of the defendant’s access to patient files, it was not plain and obvious that a claim for intrusion upon seclusion would fail. In particular, he concluded that it was the nature of the privacy interest – and not the magnitude of the infringement – that is relevant when determining whether a reasonable person would regard the invasion as “highly offensive”. In particular, he found that any intrusion into the realm of private health information could be considered “highly offensive”.

Divisional Court (2022 ONSC 1790)

The Divisional Court overturned Justice Morgan’s decision and dismissed the plaintiff’s certification motion. Key aspects of the Divisional Court’s decision include the following:

• The Divisional Court disagreed with the certification judge’s conclusion that any intrusion into private health records, no matter how small, may be considered highly offensive. When determining whether an intrusion is “highly offensive”, the court must view the conduct objectively having regard to all of the circumstances. Here, those circumstances involved the brief exposure of patient data that was not particularly sensitive. If a reasonable person would not view the intrusion as “causing distress, humiliation or anguish”, then it does not rise to the requisite level of severity to ground a claim for intrusion upon seclusion.
   
• The significance of the intrusion must be assessed individually, not collectively: “The fact that there were over 11,000 such intrusions does not mean that each intrusion was significant and highly offensive.” This interpretation of the Jones framework is particularly significant in the class action context, which has seen a trend of plaintiffs attempting to certify class actions for minor breaches of privacy that occurred in relation to a large class of persons.
   
• The fact that intrusion upon seclusion is actionable without proof of damage heightens the threshold that courts should apply when considering its availability. Only “deliberate and significant” intrusions may give rise to this tort:

[27] … To find otherwise would be to “open the floodgates” to claims such as the one at issue in this proceeding, where the intrusions were fleeting, the information accessed was not particularly sensitive within the realm of health information, the intruder was not “after” the information itself, which was otherwise available to her and/or a number of other hospital staff, and there was no discernible effect on the patients.