Privacy class actions: Data breaches

Author(s): Kristian Brabander, Robert Carson, Tommy Gelbman, Jessica Harding, Craig Lockwood, Julien Morissette

Aug 9, 2023

Read the full edition: Privacy Jurisprudence Review

In a trilogy of privacy class action certification appeals, the Ontario Court of Appeal (ONCA) refused to certify three class actions based on the tort of intrusion upon seclusion first recognized in Jones v. Tsige. In June 2022, the Court heard the three appeals consecutively, and released its decisions together in November 2022. The Court held that defendants who collect and store personal information of individuals (the Database Defendants) cannot be held liable under the intentional tort of intrusion upon seclusion in the context of a data breach by a third-party hacker.

In each of these cases, the plaintiffs sought to certify class proceedings against Database Defendants who had experienced a data breach where threat actors hacked the defendants’ computer networks and compromised their data, including the personal information of proposed class members. In addition to claims of negligence and breach of contract, the plaintiffs alleged the Database Defendants were also liable for intruding on the plaintiffs’ privacy.

On the claims pleaded, the ONCA found the Database Defendants did not do anything that could constitute an act of intrusion or invasion into the privacy of the plaintiffs. The alleged intrusions were committed by unknown third-party hackers, acting independently from, and to the detriment of, the interests of the Database Defendants. None of the facts pleaded could, in law, provide a basis upon which the actions of the hackers could be attributed to the Database Defendants. Further, none of the material facts pleaded indicated that the Database Defendants acted in consort with, or were vicariously liable for, the hackers’ conduct.

In recent years, claimants have attempted to expand the application of the intentional tort of intrusion upon seclusion to cybersecurity and have sought to have class actions certified on that basis. This privacy trilogy from the ONCA is a clarification of the scope of the tort and makes clear that liability can only attach to a party who is an active participant in the wrongful access of private information of another. While the Court of Appeal has effectively narrowed the scope for future privacy class actions against database defendants, reckless protection of information or wilful blindness to inadequate cybersecurity measures could impose liability onto corporations for other torts, such as negligence.

Owsianik v. Equifax Canada Co., 2022 ONCA 813

Owsianik was the first of the three cases to be heard by the lower courts. The representative plaintiff pleaded that Equifax’s “reckless” data management practices constituted an intrusion that would be highly offensive to a reasonable person. A data breach by hackers provided unauthorized access to the personal information stored by Equifax, including individuals’ social insurance numbers, names, dates of birth, addresses, driver’s licence numbers, credit card numbers, email addresses and passwords.

At first instance, the court certified the claim for intrusion upon seclusion, finding that it was not plain and obvious that the tort could not succeed at trial. That decision was reversed, however, by a majority of the Divisional Court, which found that there was no possibility of establishing the tort where the Database Defendants were not alleged to have committed the wrongful intrusion themselves.

In dismissing the appeal, the ONCA reviewed the three elements of the tort of intrusion upon seclusion: (1) conduct; (2) state of mind; and (3) consequence. The ONCA held that the plaintiffs’ claim failed at the “conduct” stage of the analysis. The ONCA found that the defendants had not engaged in any conduct that amounted to an invasion of or intrusion on the plaintiffs’ privacy. The defendants’ wrongdoing, if any, rested in their failure to prevent hackers from carrying out an invasion of privacy. The Court reasoned that liability would properly be pursued under the tort of negligence, or under a breach of contract or other statutory duty. Since neither Equifax nor anyone acting on Equifax’s behalf, or in consort with them, unlawfully accessed any information, to impose liability on Equifax for the tortious conduct of the unknown hackers would create a new and potentially very broad basis for a finding of liability for intentional torts.

Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814

Like Equifax, Trans Union accumulated and stored its customers’ personal information in its database for purposes of providing credit-related services. As in Owsianik, the database was breached by unknown third-party hackers. At first instance, the motion judge certified the proposed class proceeding in relation to the claims in negligence, as well as certain statutory claims, but declined certification of the intrusion upon seclusion claims on the basis of the Divisional Court’s reasoning in Owsianik. The plaintiff appealed directly to the Court of Appeal in relation to this latter aspect of the ruling. The ONCA ultimately upheld the dismissal of the proposed certification of the intrusion upon seclusion claims on the basis that the tort had “nothing to do” with a Database Defendant (with cross-reference to the reasons delivered in the Owsianik appeal). In the Obodo reasons, the ONCA also addressed the plaintiff’s additional arguments in relation to vicarious liability, concluding that Trans Union was not vicariously liable for the hackers’ conduct because such liability rests primarily on policy considerations which are, in turn, predicated on the existence of an employer-employee relationship and a connection in some sense between that relationship and the employee’s tortious misconduct. This relationship is a precondition to the imposition of vicarious liability and without it, the claim fails.

Winder v. Marriott International, Inc., 2022 ONCA 815

In Winder, third-party hackers accessed Marriott’s reservation database, which contained customers’ personal information, such as passport numbers and payment information. Unlike the claims in Owsianik and Obodo, this claim alleged that Marriott invaded its customers’ privacy when it collected and stored their personal information in a manner that (i) did not reflect the representations Marriott had made to them and (ii) did not meet Marriott’s legal obligations in respect of maintaining the security of the information. The claimants alleged that these legal obligations included contractual and statutory obligations, as well as obligations imposed by industry standards and practices. The claimants attempted to argue that obtaining the customers’ personal information deceptively by false premises made Marriott a “reckless” intruder, regardless of whether any third party ever actually gained access to the customers’ information stored in the database.

The ONCA found that there was no allegation that Marriott accumulated, stored or used the personal information provided by its customers for any purpose other than the purposes reasonably contemplated by the customers. Marriott’s misconduct was not that it breached its customers’ privacy rights, but that it failed to safeguard those privacy rights from intrusion by others. The only interference with the customers’ ability to control access to and use of their personal information occurred when unknown third-party hackers breached Marriott’s database. Until the hackers acted, there was no breach of the customers’ privacy rights and no intrusion.

The plaintiffs in all three of these cases sought leave to appeal to the Supreme Court of Canada. Those applications were dismissed in July 2023.

Danny Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2023 CanLII 24495 (CSC)

The appellant's class action was based on the loss of a laptop computer mistakenly left on a train by an IIROC inspector. The computer was never found. The information on the computer was password protected, but, despite internal policies put in place by the respondent to ensure greater protection, it was not encrypted. The computer contained the personal information of thousands of Canadian investors. The members composing the class alleged that the respondent’s lack of security measures in place to protect their personal information caused a violation of their right to privacy, protected under article 5 of the Québec Charter of Human Rights and Freedoms.


The Supreme Court of Canada dismissed the application for leave to appeal from a judgment of the Court of Appeal of Québec which in turn dismissed an appeal from a Superior Court judgment. The lower court dismissed the class action after a full trial on the merits. No reasons were given for the Supreme Court’s dismissal of the leave application. However, the Superior Court and Court of Appeal decisions were upheld.

The lower Courts had held that the fear and inconvenience experienced by members as a result of the loss of their personal information did not constitute compensable harm. Rather, they are akin to the normal inconveniences that any person living in society encounters and should be required to accept. The evidence did not support a finding that the computer or the class members’ information was in the hands of a malicious person, nor was there a convincing link between the loss of the computer and the illicit uses alleged by the members. The defendant-respondent had reacted diligently, according to the standards expected in similar circumstances.

Key Takeaway

In the absence of demonstrated compensable harm, a corporation may successfully defend itself against claims following a data incident by reacting diligently to the incident.


Sciscente c. Audi Canada inc., 2022 QCCS 2911

The plaintiff sought authorization to bring a Canada-wide class action on behalf of those individuals in Canada whose personal information held by the defendants Audi Canada Inc. and Volkswagen Group Canada Inc. was compromised in a March 2021 data breach. The data breach compromised the personal information of 3.3 million customers throughout North America.


The Superior Court authorized the class action against Audi only, and only for Québec residents. None of the alleged facts could support a finding that the breach affected VW’s customers in Canada, as the evidence provided related solely to customers located in the United States. The Court held that a sufficient demonstration of possible wrongdoing had been made out as against Audi, based in part on the amount of time that went by before the breach was noticed, and the subsequent delay in notifying customers.

Key Takeaway

The Québec courts require some evidence that Québec/Canadian customers were affected by a data incident. The plaintiff cannot rely solely on evidence that U.S. customers were affected.