Understanding Privacy Rights in Modern Society

January 26, 2019 Ken Kelertas & Frances (Frankie) Wood Deputy Judges of the Small Claims Court Superior Court of Justice, Central West Region

What is Privacy? Recent developments in the law Reasonable Expectation of Privacy Tort of Intrusion into Seclusion Tort of Public Disclosure of Embarrassing Private Facts The How to and Practical Considerations of bringing or defending a Claim

Privacy is a broad concept that is not defined in the legislation that regulates and influences our privacy rights nor in the Charter of Rights and Freedoms Privacy is a fundamental human right. It's a critical element of a free society. It's at the heart of liberty in a modern state. There's no real freedom without privacy. In fact, some people call privacy the right from which all others flow. -Justice La Forest, former member of the SCC A private sphere of thought and action, one that's your business and no one else's, is fundamental to freedom of thought, freedom of conscience, freedom of speech, and all of the rest of our civil liberties.

If privacy is considered a basic human right, how we If privacy is considered a basic human right, how do we define it? do define it? Privacy is the right to be free from intrusion or interference. This right has four dimensions: (1) physical or bodily privacy (2) territorial privacy (3) privacy of communication, and (4) informational privacy

The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury. -Samuel Warren & Louis Brandeis, "The Right to Privacy (1890 1890) 4 Harv. L. Rev. 193 at 196.

By 1890, the common law had developed a considerable body of protection against tangible intrusions by others on the person and property, but not much in the way of intangible intrusions on the person. Referring to the "right to be let alone , Warren and Brandeis argued that the right of privacy was central to the enjoyment of life, but was coming under attack in modern society. The common law, according to these two eminent writers, needed to respond through the judicial recognition of a tort remedy for invasions of privacy, since such invasions offended the human spirit.

Warren and Brandeis sought to extend common law protection to intangible qualities of life - dignity, thoughts, sentiments and emotions - which were at risk because of technological developments. In 1890, developments in printing technology, production methods, and instantaneous photography were identified by Warren and Brandeis as threatening to make good the prediction that what is whispered in the closet shall be proclaimed from the housetops. 130 odd years after Warren and Brandeis, there appears to be a consensus that privacy is essential to life in all societies.

Most Canadian privacy law tends to concentrate on information privacy = information privacy = ...the correction of personal information. ...the collection, use, disclosure, access to and correction of personal information. collection, use, disclosure, access to and The Office of the Privacy Commissioner of Canada has defined privacy as the right to control access to one s person and information about one s self.

With the development of automated data banks and the growing use of computers in the private and public sectors, by the 1970s, privacy was conceptualized as having individuals in control over their personal information . The Fair Information Practices Principles ( FIPPs ) were incorporated in data protection laws adopted in various jurisdictions, including the federal Personal Information Protection and Electronic Documents Act ( PIPEDA ) Under these FIPPs, individuals were deemed to have certain rights: the about them and concerning the use and the disclosure that will be made of their information; and the the right to be informed right to be informed of what personal information is collected the right to consent right to consent to collection and disclosure A person cannot give up control of their privacy without their consent. A person cannot give up control of their privacy without their consent.

Circumstances have changed fundamentally since privacy was conceptualized as individuals in control of their personal information over forty years ago. Individuals constantly and willingly provide personal information to others. We are given consent forms with vague fine-print discussions of the contractual default privacy rules that we are waiving, and we sign them without thought. Are we in fact able to exercise meaningful choices with regard to the handling of our personal information, given disparities in knowledge and power when bargaining over the transfer of their information? It is no longer clear whether individuals are always capable of making informed choices and therefore, meaningful privacy notices and valid consent may be considered as illusory. Q. regulation of informational privacy still workable? Q. Is the inform and consent model that currently governs the

Federal OPCs Guidelines for Obtaining Meaningful Consent 7 guiding principles 1. individuals need to understand the nature, purpose and consequences of what they are consenting to What personal information is being With which parties personal information is being For what purposes personal information is collected, used or Risk of harm and other consequences the purposes for which an organization collects and uses personal information must be appropriate and defined. Even with consent, organizations must legally limit collection, use and disclosure of personal information to purposes that a reasonable person would consider appropriate under the circumstances. In other words, an individual s consent is not a free pass for organizations to engage in collecting and using personal information indiscriminately for whatever purpose they choose. 1. Emphasize key Emphasize key elements elements What personal information is being collected? With which parties personal information is being shared? For what purposes personal information is collected, used or disclosed? Risk of harm and other consequences collected? shared? disclosed?

2. Allow individuals to control the level of detail they get and when. 3. Provide individuals with clear options to say yes or no Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service they must be given a choice. These choices must be explained clearly and made easily accessible. Whether each choice is most appropriately opt-in or opt-out will depend on factors discussed in the Form of Consent section of this document. Collections, uses or disclosures of personal information over which the individual cannot assert any control (other than to not use a product or service) are called conditions of service. For a collection, use, or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose. 4. Be innovative and creative When seeking consent online, organizations should do more than simply transpose in digital form, their paper-based policies from the offline environment. The digital environment is dynamic in nature, and its capabilities should be considered and taken advantage of. Organizations are encouraged to use a variety of communications strategies including just-in-time notices, interactive tools and customized mobile interfaces to explain their privacy practices, including the following:

5. Consider the consumers perspective consent processes must take into account the consumer s perspective to ensure that they are user-friendly and that the information provided is generally understandable from the point of view of the organization s target audience(s). Consent is only valid where the individual can understand that to which they are consenting. 6. Make consent a dynamic and ongoing process Informed consent is an ongoing process that changes as circumstances change organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process. 7. Be accountable: Stand ready to demonstrate compliance in order for an organization to demonstrate that it has obtained valid consent, pointing to a line buried in a privacy policy will not suffice. Instead, organizations should be able to demonstrate either in the case of a complaint from an individual or a proactive query from a privacy regulator that they have a process in place to obtain consent from individuals, and that such process is compliant with the consent obligations set out in legislation.

Organizations must generally obtain express consent The information being collected, used or disclosed is sensitive; The collection, use or disclosure is outside of the reasonable expectations of the individual; and/or, The collection, use or disclosure creates a meaningful residual risk of significant express consent when: significant harm. Express consent must also be obtained from the parents or guardians of anyone under the age of 13 (16 yrs of age in Ontario) Consent is not a silver bullet Consent does not waive an organization s other obligations under privacy laws, such as overall accountability, collection limitation, and safeguards. In other words, if an individual consented to have their personal information handled contrary to legal requirements, the organization would still be considered in contravention of those requirements.

Until recently, privacy was dealt with in the civil context primarily as a regulatory regulatory matter matter Federal law: Privacy Act Access to Information Act Personal Information Protection and Electronic Documents Act (PIPEDA) Provincial law: Freedom of Information and Protection of Privacy Act Municipal Freedom of Information and Protection of Privacy Act Personal Health Information Protection Act (PHIPA) None of theses laws explicitly provide None of theses laws explicitly provide for a private civil cause of action for a private civil cause of action. There also exists some protections of privacy in the Charter of Rights and Freedoms section 8 against unreasonable search and seizure section 7, with the right to privacy being incorporated to a limited extent into the right to life, liberty and security of the person these laws serve individual s personal information by government, health care providers, or by commercial organizations. these laws serve mainly as mechanisms to protect against unwarranted individual s personal information by government, health care providers, or by commercial organizations. mainly as mechanisms to protect against unwarranted access to an access to an

Other provinces (British Columbia, Manitoba, Newfoundland and Saskatchewan) recognize a statutory tort of invasion of privacy Under the BC Privacy Act, it is a tort actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another . The BC Privacy Act states that individuals are only entitled to a reasonable expectation of privacy and that the nature, incidence and occasion of the act complained of must, among other things, be considered. The BC Privacy Act imposes a number of additional common sense limitations on the tort. For example, it states, among other things, that an act is not a violation of privacy if it is consented to, it was incidental to a lawful defence of person or property, it was authorized or required by law or a court, or if it was a publication of a matter that was fair comment or in the public interest.

However, the courts in those provinces have generally (though not uniformly) rejected the notion that there is an independent tort of invasion of privacy at common law. The law years or so The law has changed in Ontario in the last 5 years or so has changed in Ontario in the last 5 Want to explore with you how the common law is evolving in the area of privacy rights

R R. . v v. . Cole Supreme Court of Canada, October 2012 Cole an Ontario teacher caught with inappropriate photos of a teenage student on his work laptop had a reasonable expectation of privacy regarding his personal use of the computer, but that expectation was limited because the laptop was owned by his employer.

R R. . v v. . Cole Cole The Supreme Court of Canada found that the police search of Cole s personal files on the laptop without a warrant was a violation of his Charter privacy rights, as it revealed intimate information about his biographical core. However, it found the evidence the police found should not be excluded because there was a different level of privacy expectation for a work laptop. Had the computer been Cole s personal computer, his privacy expectation would have been higher, but because the laptop was owned and given to him by the school, this expectation was diminished. The Supreme Court found the school had a duty to maintain a safe environment for its students. This duty gave it the right to seize Cole s laptop and examine its contents if there was a reasonable belief that there were inappropriate photos of an underage student on it.

An employees privacy interests are not negated simply because a device on which private information is stored is owned by the employer. In the past, ownership of property had been of central importance in determining whether a reasonable expectation of privacy exists. From now on, relying solely on mere ownership of property is not likely to serve as sufficient insulation from claims that employees have a reasonable expectation of privacy over information stored on work-issued computers and other electronic devices.

Regina v. Marakah Can Canadians ever reasonably expect the text messages they send to remain private, even after the messages have reached their destination? Or is the state free, regardless of the circumstances, to access text messages from a recipient s device without a warrant? The accused had been charged and convicted of trafficking in handguns. Among the evidence used against him were certain incriminating text messages that he had sent to an accomplice s iPhone. The messages on his own phone (from where those messages to the accomplice were sent) had already been ruled inadmissible, since they were obtained under an invalid warrant Regina v. Marakah, [2017] [2017] S.C.J S.C.J. No. 59 . No. 59 The SCC held (but with a strong dissent) that the text messages that had been intercepted from the accomplice s phone were not only private in the circumstances, but also inadmissible.

The Court quickly added that outcome was not automatic: different facts may have led to a different result. Among other things, the decision hinged on whether Marakah had a reasonable expectation that the texts would remain private. the Court s analysis involved applying the four-part test the Court had previously developed in R. v. Cole: 1. What was the subject matter of the alleged search? 2. Did the claimant have a direct interest in the subject matter? 3. Did the claimant have a subjective expectation of privacy in the subject matter? 4. If so, was the claimant's subjective expectation of privacy objectively reasonable? Court looked at the totality of the circumstances including the elements of whether the sender had control over the messages once they are sent. Importantly, the SCC determined that the subject matter of the search at issue was not the accomplice's phone from which the text messages were recovered or the servers on which they are stored, but rather the "electronic conversation" viewed holistically between the accused and the accomplice.

On the facts, the majority found that M. had an objectively reasonable expectation of privacy of the text messages on the iPhone of his accomplice, in that: he fully expected their conversation to be private; he had repeatedly asked the accomplice to delete the incriminating messages from his iPhone. the place of the police search (i.e. the accomplice s iPhone) was a private electronic space accessible to only the accomplice, which heightened M s legitimate privacy expectations. while M. did not have exclusive control over the text messages once he sent them, this did not negate a reasonable expectation that the messages would not remain private. In other words, a simply because another person possesses it or can access it. Cole The majority ultimately found that there had been a breach of M s Charter rights, and that under section 24(2), admitting the text messages from the accomplice s iPhone as evidence would bring the administration of justice into disrepute. In other words, a person does not lose control over the information simply because another person possesses it or can access it. see person does not lose control over the information

The dissenting judges believed that control is a crucial contextual factor and, accordingly, the accused's lack of control over the accomplice's phone was fatal to his reasonable expectation of privacy in the text messages. The dissenting opinion also highlighted concerns that the majority's approach might expand too broadly the scope of those who can bring a section 8 Charter challenge to police search and seizures, which may result in an overburdened criminal justice system. The majority found that by choosing to send a text message by way of a private medium to a designated person, the sender has sufficient control over the electronic conversation and moreover, control is merely one factor to consider. The majority also firmly stated that the protection of privacy in electronic conversations "should not be lightly denied".

Regina v. Jones, [2017] S.C.J. No. 60 J. was convicted of several firearms and drug trafficking offences, which was largely founded on records of text messages seized from a TELUS account associated with his co-accused that were obtained under a valid production order. J denied connection to the offence, and prior to trial, sought to exclude the text messages on the basis that obtaining them by means of a production order contravened his section 8 Charter right. The trial judge found that J. lacked standing to challenge the production order under section 8 and he was therefore convicted. J.'s appeal against conviction was dismissed. On appeal to the SCC, the Court held that had a reasonable expectation of privacy in the text messages stored by TELUS and therefore had standing under section 8 of the Charter to challenge the production order. The majority held that J. should have been permitted to rely on the Crown's theory that he authored those text messages for the purposes of establishing his direct interest in their subject matter and his subjective expectation of privacy in the messages. However, the Court found that there was no section 8 breach in this case because the records of text messages stored on TELUS s servers were lawfully seized by means of a production order under s. 487.012 of the Criminal Code.

earlier case law (Regina v. Edwards, SCC 1996) held that in order to engage a justiciable Charter issue, the accused must establish a reasonable expectation of privacy (REP) in relation to the thing seized. SCC has issued a number of decision since then (including Marakah) that clarify that section 8 protects people, not places or things. The purpose of the right to be secure from unreasonable search and seizure is to maintain an acceptable societal balance between an individual s right to be free from state intrusion and the state s need to intrude into an individual s private life to maintain public safety and law enforcement. Nevertheless, in order to argue REP, an accused must have a direct or at least indirect ownership interest in the information in question- if the accused cannot meet this threshold , cannot argue for exclusion of the evidence under section 24(2). Typically, it is not hard for the Crown to connect the thing seized with the information, particularly if the search or seizure are items personally connected to the accused.

Key takeaways: not all text message conversations are protected from police searches Rather, in some cases, an individual who sends text messages has a reasonable expectation of privacy in the contents of that electronic conversation and therefore the individual has the necessary standing to challenge the validity of a police seizure of text messages ultimately obtained from another person's phone. Moreover, where the police obtains a valid warrant to either intercept a text message in transit or search an individual's phone, the use of the text messages as evidence will be acceptable. The SCC also noted that its findings did not apply to messages posted to social media feeds, conversations occurring in crowded online chatrooms or comments posted on public message boards. Key takeaways: not all text message conversations are protected from police searches. Messages that are encrypted or are password protected will expectation of privacy and Canadians now have the right to expect their text messages will be private. likely to have broad implications for privacy interests and can potentially be applied to other forms of digital communication such as e-mails, instant messages and direct messages on social media, as they all essentially have the same form and function as text messages. Messages that are encrypted or are password protected will attract a expectation of privacy and Canadians now have the right to expect their text messages will be private. attract a greater greater

In January 2012, the Ontario Court of Appeal released a decision that opened the door to individuals who wish to sue another party for what the court called intrusion intrusion upon seclusion upon seclusion . The central issue before the Court of Appeal was whether Ontario law recognized The central issue before the Court of Appeal was whether Ontario law recognized the the cause of action of breach of privacy cause of action of breach of privacy. The Court noted that the question of whether the common law should recognize a cause of action for invasion of privacy had been debated for the last 120 years without any clear answers. The Court reviewed the jurisprudence in Canada, Australia, New Zealand, UK, and the U.S., in an attempt to distill the answer to this question. In the end, the Court of Appeal confirmed the existence of a right of action for intrusion upon seclusion because it recognized that the common law in Ontario needs to develop in a manner consistent with the changing needs of society.

Facts: Sandra Jones, discovered that Winnie Tsige, had been surreptitiously accessing Jones banking records. Jones and Tsige both worked for the Bank of Montreal but did not know each other and worked at different branches. Tsige was in a common-law relationship with Jones former husband and became involved in a financial dispute with him. As a bank employee, Tsige had full access to Jones banking information and accessed Jones personal bank accounts at least 174 times over a period of four years. Jones sued Tsige for invasion of privacy and breach of fiduciary duty and sought damages of $70,000 and $20,000, respectively. Facts:

The Court of Appeal ruled in favour of Ms. Jones and confirmed the existence of a right of action for intrusion upon seclusion and awarded her damages of $10,000. The decision to recognize a right of action for breach of privacy was based in part upon the increasing pace of technological change brought about by the internet and digital technology. The Court of Appeal found that the significant amount of personal information being stored in electronic databases posed a novel threat to an individual s privacy rights.

Under Ontario law it is now clear that individuals can sue for breach of privacy based on proof of: 1. 2. or concerns (i.e. that breaches a reasonable expectation of privacy); and 3. offensive to the reasonable person, causing distress, humiliation or anguish. an intentional unauthorized intrusion; which is an intrusion upon private affairs that is made in circumstances that are highly The Court stressed that valid claims for intrusion upon seclusion will only arise for deliberate and significant invasions of privacy records, sexual practices and orientation, employment, diary or private correspondence. for deliberate and significant invasions of privacy involving financial or health

If these elements are proven, harms that justify an award of moral damages will be presumed. Such damages will be awarded to mark the wrong that has been done in an amount that does not ordinarily exceed $20,000, with an amount being set based on: 1. the nature, incidence and occasion of the defendant s wrongful act; 2. the effect of the wrong on the plaintiff s health, welfare, social, business or financial position; 3. any relationship, whether domestic or otherwise, between the parties; 4. any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and 5. the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.

Application of Jones in the Small Claims Court A deputy judge awarded damages to a plaintiff who took offence to a photo in which she appeared being used in commercial marketing materials without her consent The Defendant, was contracted to create a sales video for a real estate developer in the Westboro area in Ottawa. The video was intended to showcase the Westboro lifestyle , including activities and amenities enjoyed by its residents. The Defendant company filmed in a number of public areas, capturing local residents carrying out daily activities, including the Plaintiff, who was jogging on a public trail. The video was posted on the developer s website, and on the developer s YouTube channel.

The Plaintiff appeared in the promotional video for approximately 2 seconds, on the right hand side of a split screen shared with images of two other residents. When the video came to the Plaintiff s attention, she contacted the real estate developer to request that her image be removed. A series of heated email exchanges ensued between the Plaintiff and Defendant. The video was ultimately discontinued and removed from website and YouTube within one week. The Plaintiff brought a claim for breach of privacy (intrusion upon seclusion), pecuniary damages for appropriation of personality, and sought punitive damages.

The Plaintiff testified that she experienced shock and humiliation over the version of herself that was publicly displayed without her consent. She had since lost a considerable amount of weight and felt that the image was not an accurate reflection of her person. The Defendant argued that consent was not required from individuals in public spaces, and if it was, that if an individual saw the camera (as the Plaintiff stated she had), her consent was implied.

The Court found that in capturing the image of the Plaintiff and publishing it in a commercial video without her consent, the Defendant had committed the tort of intrusion upon seclusion. The Court reasoned that the conduct was intentional and there was no legal justification. The Court further found a reasonable person would regard the privacy invasion as highly offensive and the plaintiff testified as to the distress, humiliation or anguish that it caused her. Damages of $4,000 were awarded.

A few comments: Privacy in the Public Sphere: As a general rule, a person engaging in activities in public will have a substantially reduced expectation of privacy. However, this decision suggests that intrusion upon seclusion claims may now be properly commenced for images collected or filming undertaken in the public sphere. The Defendant had argued that obtaining consent in such situations is impractical, but the Court decided that an individual s privacy right prevails over a commercially motivated interest. However, it is unclear whether this approach to the tort applies only when the person s likeness is used for a commercial purpose or to all instances of public filming. But... What about the tort of misappropriation of personality?

Tort of misappropriation of personality: 3 elements: 1. The exploitation of the plaintiff s personality is for a commercial purpose; 2. The plaintiff's personality is clearly captured so that he/she is identifiable; and 3. An endorsement by the Plaintiff is suggested - Plaintiff needs to prove that they are a person of some notoriety or their personality is actually marketable

Reasonable or Subjective Standard The third element of the tort of intrusion upon seclusion requires a reasonableness assessment to determine whether the conduct was highly offensive causing distress, humiliation or anguish. In Jones, the Court of Appeal provided some guidance : A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy. Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive. This is a high threshold to meet However, the court s conclusion in this case seems to be based on the Plaintiff s subjective evidence alone, which would not meet any of the guiding considerations found in Jones. While the circumstances in Vanderveen in were clearly unfortunate, I would argue that the reasonable person would not regard this privacy breach as highly offensive .

Damages: While $4,000 may seem insignificant, it is a relatively high damages award for this tort, particularly in the face of other successful privacy breach claims that are, on their face, far more egregious. Stevens v Walsh, 2016 ONSC 2418 the defendant accessed the plaintiff s employment information, which she gave to his ex-wife for use against him in divorce proceedings. The invasion of personal privacy was found to be significant The plaintiff was only awarded $1,500. McIntosh v Legal Aid Ontario and Reddick, 2014 ONSC 6136 R. worked for Legal Aid; she accessed the plaintiff s Legal Aid file, which she then provided to the plaintiff s ex-boyfriend (the defendant s current boyfriend). The boyfriend used the information to threaten the plaintiff with involving the Children s Aid Society to remove her children. The Court found the invasion of personal privacy to be intentional and significant. the Court applied a subjective analysis and found that the breach caused the plaintiff annoyance, anxiety and distress. The plaintiff was awarded $7,500.

The new tort of intrusion upon seclusion has not given rise to significant new data breach liability because it is a tort that governs the collection of information and not the disclosure of information. Organizations that take custody of others personal information have a statutory duty to take care of that information under privacy legislation. There is good reason to believe that an organization that takes custody of others personal information owes those individuals a duty of care that is enforceable (in court) in negligence. However, a negligence claim requires proof of damage, and the Ontario FOI statutes provide good faith and lawful justification defences (see s.62, FIPPA, s.42, MFIPPA), which are both significant limitations for those who wish to sue following a data breach. Not so under Not so under PHIPA PHIPA... ...

parties who suffer misuse of their private health information can claim common law damages against the wrongdoer. The Court of Appeal found that statutory damages under the Personal Health Information Protection Act [PHIPA], did not create an exhaustive means of redress.

This case arose from a massive violation of patient information by employees of a hospital in Peterborough. The respondent, was one of 280 patients who had their health information improperly accessed and who were notified of the breach, as is required by PHIPA. The respondent had previously sought medical care for injuries inflicted by her ex-husband, whom she had subsequently left and had hidden from. She feared that the breach was actually an attempt by him to locate her. She claimed damages through the tort of intrusion upon seclusion against the hospital employees who conducted the searches.

Decision was about jurisdiction The main issue was whether PHIPA, a statute designed to govern health information, was an exclusive code that barred common law actions predicated on the misuse of such data. An exhaustive code is a type of statute that is meant to offer an exclusive account of the law in an area; it occupies the field in that area, displacing existing common law rules and cutting off further common law evolution.

The courts use a three factors to determine whether a statute is the exclusive authority in an area: 1. The language of the statute, and in particular the legislative process for dispute resolution; 2. The nature of the dispute, and how the legislative scheme interacts with it; and 3. The regime s ability to provide effective redress. The ONCA determined that while PHIPA established comprehensive rules pertaining to the collection, use and disclosure of health information, details regarding the procedure or mechanism for the resolution of disputes are sparse . Thus, while the regime was clearly designed to address systematic concerns, [its] procedure is not designed for the resolution of all individual complaints . In fact, the ONCA found PHIPA to expressly [contemplate] the possibility of other proceedings

The ONCA also held that the tort of intrusion upon seclusion is distinct form the sorts of claims that can be made under PHIPA. based on the historical use of PHIPA s enforcement mechanisms, the Court said that many individual complaints that could give rise to a proper claim in common law will not be redressed through PHIPA s existing procedures. PHIPA was intended, and has been used as such, to address systemic issues, not personal wrongs. The ONCA felt that individuals should have access to the courts and the common law to ensure that parties who suffer a misuse of their medical information have some ability to seek personal redress.

the Court of Appeal clearly felt the need to maintain a strong disincentive to improperly use health information. Given the incredibly sensitive nature of the information compiled when seeking medical care, it is hard to fault the court for reaching such a conclusion. Misusing personal health information could have a devastating impact on the victim s life and establishing appropriate deterrence is clearly necessary.

Another application of Jones A landlord conducting a credit check on a prospective tenant without their knowledge or consent does not amount to the privacy tort of intrusion upon seclusion. Section 8 of the Ontario Consumer Reporting Act authorizes a credit check in the circumstances While the landlord might have breached provisions of PIPEDA, the breach of that statute does not, in and of itself give rise to a cause of action. PIPEDA was held to contain its own scheme for complaints, investigations and resolutions. A reasonable person would not regard this to be highly offensive, causing humiliation or anguish.

Jane Doe v N.D. 2017 ONSC 127 Jane Doe v N.D., , 2016 ONSC 541; set aside, 2016 ONSC 4920; the Court awarded damages to a plaintiff whose former boyfriend coaxed her to send him a sexually explicit video of herself. Despite promising the plaintiff confidentiality, the former boyfriend posted the video online and it was available for three weeks before being removed. The former boyfriend did not defend the action, stating that ...you can do what you need to . The plaintiff moved for default judgment. She adduced evidence that the posting caused her to suffer depression and a psychological impact that the Court concluded was significant and long-lasting. The Court awarded damages based on a variety of legal grounds, including breach of confidence, intentional infliction of mental suffering, and a privacy tort recognized in the U.S., but not yet in Canada

Jones v Tsige recognized intrusion upon seclusion as an actionable wrong for the invasion of one s private affairs the disclosure or publication of private facts is not an invasion. Justice Stinson held in Jane Doe that the wrong caused by the ex- boyfriend s actions more closely aligned with a different tort the so- called public disclosure of embarrassing private facts tort, which has been recognized in the U.S. Stinson J. adopted this tort, with a slight modification, and framed it as follows: One another other s publication ( (a) would be highly offensive to a reasonable person, and ( (b) is not of legitimate concern to the public. One who gives publicity to a matter concerning the another is subject to liability to the other s privacy, if the publication a) would be highly offensive to a reasonable person, and b) is not of legitimate concern to the public. who gives publicity to a matter concerning the private is subject to liability to the other for privacy, if the matter publicized private life life of of other for invasion of the or the act of the invasion of the the act of the matter publicized or the Court awarded general damages of $50,000, $25,000 in aggravated damages and $25,000 in punitive damages. It also ordered the former boyfriend to destroy all intimate images of the plaintiff in his possession