by | Jan 16, 2017 | blog

Written by David Pick and Sarah Makson

The British Columbia Court of Appeal released its decision of Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 (“Ari”), on November 17, 2015. The Ari decision considers the availability of a civil right of action against the employer of an employee who improperly accesses personal information. Ari is being watched because it was a consideration of the Jones v Tsige, 2012 ONCA 32 (“Jones”), decision by a Court of Appeal in a different jurisdiction.

To review, in 2012, the Ontario Court of Appeal recognized a new tort, intrusion upon seclusion, in the attention-grabbing Jones decision. The reason this decision caused such a fuss was that the Ontario Court found that the Plaintiff did not need to prove harm in order to be awarded damages when her personal banking information was improperly accessed.

The facts of this case are relatively straightforward. The Plaintiff and Defendant worked for different branches of the same bank. The Plaintiff’s ex-husband began a common law relationship with the Defendant. The Defendant used her work computer to access the Plaintiff’s personal banking information over 170 times in four years, without justification. The Defendant did not publish, distribute or record the Plaintiff’s banking information.

The Plaintiff brought an action against the Defendant, which became the subject of a summary judgment application. At this level, the Plaintiff’s claim was dismissed on the basis that the Defendant did not owe the Plaintiff a fiduciary obligation. The Plaintiff appealed.

The Ontario Court of Appeal set aside the lower court’s summary judgment decision and awarded the Plaintiff $10,000 in damages under this new tort, the tort of intrusion upon seclusion. In reaching its decision, the Court of Appeal set out the key features of this tort, which are the following:

  1. the defendant’s conduct must be intentional;
  2. the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
  3. a reasonable person would regard the invasion as highly offensive; causing distress, humiliation or anguish.

The Court stated that “proof of harm to a recognized economic interest is not an element of the cause of action.” It decided that the upper range of what could be awarded for this tort was $20,000, but awarded the Plaintiff in Jones only $10,000. The Court provided five factors to consider when awarding damages for this new tort:

  1. The nature, incident and occasion of the defendant’s wrongful act;
  2. The effect of the wrong on the plaintiff’s health, welfare, social, business or financial position;
  3. Any relationship, whether domestic or otherwise, between the parties;
  4. Any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and
  5. The conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.

The Ontario Court of Appeal added that it would neither exclude nor encourage awards of aggravated and punitive damages for this tort. The Court awarded a lesser amount to this Plaintiff because she suffered no public embarrassment or harm to her health, welfare, social, business or financial position, and the Defendant apologized for her conduct and was genuine in her attempts to atone for her actions.

The Jones decision recognized an intentional tort that was committed by one individual in a jurisdiction without a statutory scheme, at that time, to protect the personal information that was improperly accessed. We need to bear in mind that only one Plaintiff was affected by the Defendant’s actions and the Defendant’s employer was not named in the Action. We also need to remember that intentional acts of this nature are generally not covered by insurance policies.

To date, damages for the tort of intrusion upon seclusion have only been awarded in Ontario. The Alberta courts, which operate in a jurisdiction that has a complete statutory scheme to protect personal information, have not considered this new tort since it was recognized by the Ontario Court of Appeal. Other jurisdictions have considered this new tort, but have not yet awarded damages under it.

The Supreme Court of British Columbia considered this issue and decided that the common law tort of invasion or breach of privacy was not available in that jurisdiction (see Ari v Insurance Corporation of British Columbia, 2013 BCSC 1308, and Ladas v Apple Inc., 2014 BCSC 1821).

Ari, which is now the subject of a decision from the British Columbia Court of Appeal, attracted attention when the Insurance Corporation of British Columbia (“ICBC”) brought an Application to strike the Plaintiff’s notice of civil claim on the basis that it failed to disclose a reasonable claim. The Plaintiff and 65 other class members alleged that an ICBC employee accessed their personal information for an unauthorized purpose. Their premises, vehicles and other personal possessions were then made the target of various forms of damage, including alleged shootings and arson. The Supreme Court found that the Plaintiff failed to disclose a reasonable claim for the negligent protection of private information, but did not strike the vicarious liability claims against ICBC for its employee’s alleged violations of the relevant privacy legislation.

The Court of Appeal released its decision on this matter on November 17, 2015. The Court considered the statutory scheme in place in BC and found that there is no common law cause of action for breach of privacy in BC. There is a statutory cause of action for breach of privacy in

section 1 of the Privacy Act, RSBC 1996, c 373, and vicarious liability is not incompatible with this section of the Act, but additional evidence is required to decide whether the employer could be found vicariously liable in this case. The Court decided that it would be inappropriate to strike the vicarious liability claim for the employee’s breach of the Privacy Act at this point. Therefore, this portion of the action will continue.

The Court also found that the Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165, which applies to public bodies in BC, provides a comprehensive statutory framework to deal with conduct that breaches this Act. That comprehensive framework does not create a cause of action in damages for breaches of the Act and, for policy reasons, a duty of care should not be recognized for breaches of this statute.

The Ari decision will stand for the proposition that jurisdictions with statutory frameworks to protect personal information will likely be insulated from damages awarded under the tort of intrusion upon seclusion, so long as the framework includes provisions for breaches of the applicable privacy legislation. That being said, this is an emerging area of law and there are a number of moving parts that need to be monitored. In particular, the decision as to whether an employer can be found vicariously liable for an employee’s intentional breach of the statute will affect the exposure faced by commercial insurers, as will the application of the new amendments to the federal privacy statute under the Digital Privacy Act, SC 2015, c 32, when and if they should take effect.

For more information about this issue, please contact David Pick at 403.260.5303 or, or Sarah Makson at 403.260.1479 or