Imprimer Envoyer à un collègue Augmenter la taille de la police

Publication

TITRE

Non-Statutory Restrictions on the Use of Personal Information

DATE

26 octobre 2002

EXPERTISE

Protection de la vie privée et accès à l'information

The recent flurry of interest in privacy legislation triggered by the passing of the federal Personal Information Protection and Electronic Documents Act  1 ("PIPEDA") has, to some extent, overshadowed the fact that protection of the privacy of personal information already exists in many forms.2  While only a couple of years ago it would have been possible to say with reasonable certainty that no common law tort of invasion of privacy existed in Canada, courts in Ontario and other provinces are now signalling that a common law right to privacy may in fact exist and be enforced by the courts. As a result, while counsel must advise their clients carefully about how to comply with the various applicable statutory privacy restrictions, they must also be aware that uses of personal information which comply with these statutory rules should not automatically be considered to be legal or devoid of liability risk.

An independent common law tort of "invasion of privacy" has historically not been recognized in Canada. Rather, to the extent that privacy interests have been protected, the protection has been obtained through claims in trespass (to land, chattels and the physical person), nuisance (indirect invasion of an occupational interest in land which unreasonably interferes with one's enjoyment of it), defamation and injurious falsehood and deceit (false statements calculated to cause pecuniary damage). Other recognized causes of action that might indirectly be brought to protect privacy interests include wilful infliction of nervous suffering, passing off, appropriation of personality and breach of confidence.3

Ontario courts appear, however, to have begun recognizing invasion of privacy as a cause of action that can stand on its own. Damages have been awarded for invasions of privacy, and the courts have, on several occasions, refused to strike out pleadings that included claims for invasion of privacy. In addition, the development of other legal doctrines designed to protect confidential information in the commercial context may well be employed to prevent the use and disclosure of personal information.

The test which seems to be applied in claims relating to improper use of private and confidential information is "whether the particular invasion of privacy is necessary to the proper administration of justice and, if so, whether some terms are appropriate to limit that invasion.4"  There is disagreement as to whether this creates an independent "right of privacy" or a separate tort of "invasion of privacy":

"Despite some encouraging suggestions from a few courts, it would be fair to say that the Canadian tort law does not yet recognize a tort action for invasion of privacy per se. Rather "privacy" rights have been protected under the umbrella of other traditional tort actions, and by legislative interventions?[i]s a separate tort of "invasion of privacy" necessary? It is arguable that it is not. The concept of privacy is too ambiguous and broad to be able to be covered adequately in one cause of action. It is desirable to have the different aspects of privacy protection dealt with in separate torts which more clearly can focus on the interests at hand. Gaps in the law which cannot be filled by extending traditional principles can be dealt with as they arise, either through the expansion of the common law or by legislative intervention." 5

U.K. courts have recently considered the common law right of privacy. A v. B6   involved an application by A, a "married professional footballer", for an injunction prohibiting a London tabloid newspaper from publishing articles (said by the court to be "intended for the prurient") about two women, C and D, with whom A had had relationships. In the course of its analysis, the court considered "whether [at common law] sexual matters occurring between two persons are subject to a duty of confidence in the absence of any express agreements between them to keep such matters confidential" and decided:

"I do not think that these questions can be given an absolute answer, nor should they be. Each case depends on its circumstances. ? What we have here is communication to a newspaper not just of the fact of the relationships but of the details of the sexual conduct that occurred. The newspaper has no interest in simply publishing the facts of the relationship alone; it intends to publish the whole: to interest its readers it needs the detail. The answer in the present case is therefore straightforward. It was a breach of confidence for C and D to provide the information which they have to the newspaper or to anyone else with a view to its publication in the media." 7

The court in A v. B declined to deal with the wider question of whether there was an independent cause of action for breach of privacy beyond the law of confidentiality.

The U.K. Court of Appeal recently examined the existence of a common law right to privacy in Douglas v. Hello! Ltd. ("Douglas") 8   The actors Michael Douglas and Catherine Zeta-Jones planned a sumptuous wedding and, for a substantial sum, granted an "exclusive" on photographs of the event to a London tabloid newspaper. Douglas and Zeta-Jones took extraordinary steps to ensure that no uninvited media were present. In addition to searching all guests and staff before entry for cameras or tape recorders, Douglas and Zeta-Jones had each guest and staff member sign an agreement stating that, in exchange for entry to the wedding location, they would not record the proceedings or take any photos. When the inevitable occurred and a competing unauthorized newspaper planned to publish photos of their wedding, Douglas and Zeta-Jones sought an injunction relying on both the contracts the guests and staff had signed and on alleged breaches of several common law obligations, including a right of privacy.

The claim by Douglas and Zeta-Jones had some serious flaws. Douglas and Zeta-Jones could not prove that whoever had taken the photographs had in fact executed the confidentiality agreement, and as a result they had to rely on common law rights in order to obtain an injunction. Nor could Douglas and Zeta-Jones claim that they wanted the photographs to be kept private (as they were to be published by another newspaper); rather, it was clear that what they wanted was to be able to control the use that was to be made of any photographs in order to maximize the financial return they could obtain for selling an "exclusive".

The three members of the Court of Appeal reached the same conclusion (that the injunction could not be granted since the balance of convenience fell in favour of allowing the competing newspaper to publish the unauthorized photographs since damages would adequately compensate Douglas and Zeta-Jones and the authorized newspaper for any losses suffered), but each judge arrived at that result by a different path. Brooke L.J. recognized that the law of breach of confidence can apply "if, on a private occasion the prospective claimants make it clear, expressly or impliedly, that no photographic images are to be taken of them, then all of those that are present will be bound by obligations of confidence created by their knowledge (or imputed knowledge) of this restriction",9  and he believed that the law of breach of confidence would cover the situation without resort to a tort of breach of privacy. Keene L.J. agreed that there was a breach of confidence, but did not deal explicitly with a more general right to privacy except to say that Kaye v. Robinson 10   (in which the U.K. Court of Appeal had stated that English law did not recognize a common law right of privacy) would likely not be followed in the future. Sedley L.J. went further, however, and conclusively supported a free-standing common law right of privacy:

 "[W]e have reached a point at which it can be said with confidence that the law recognises and will appropriately protect a right of personal privacy. ? What a concept of privacy does, however, is accord recognition to the fact that the law has to protect not only those people whose trust has been abused but those who simply find themselves subjected to an unwanted intrusion into their personal lives. The law no longer needs to construct an artificial relationship between intruder and victim: it can recognise privacy itself as a legal principle drawn from the fundamental value of personal autonomy." 11

Members of the High Court of Australia, in a case involving an injunction to restrain broadcast of a video taken surreptitiously inside a abattoir,12  recently mused, without deciding, about the possibility that a separate tort of breach of privacy might be found to exist. After referring to the decision in Douglas, the High Court noted that both New Zealand13  and India14  had recognized a common privacy right, and one of the justices quoted Professor Linden to the effect that Canada was in the process of doing the same.

Canadian courts have not yet elaborated standards for establishing a cause of action for invasion of privacy; rather, "whether or not an invasion of privacy results in an actionable and compensable tort depends on the circumstances of any particular case and the conflicting rights involved."16  In Lipiec v. Borsa,17  the court found that the defendant's installation of a surveillance camera focussed on his neighbour's backyard was an intentional invasion of privacy. In Roth v. Roth,18  the court recognized a common law right of privacy, and found that the defendants' verbal harassment, blocking of an access road to the plaintiffs' property that went across their land, and the removal of previously shared property from the plaintiffs' land (which resulted in the shutting off of electricity without reasonable notice) constituted an invasion of privacy. In Saccone v. Orr19 ,  the court found an invasion of privacy where the defendant recorded and played back a private telephone conversation.

Although none of the reported cases have to date involved the use of personal information that had been collected for business purposes,20  one type of business-related activity that has been found to constitute an invasion of privacy is overzealous attempts to collect on debts. In Palad v. Pantaleon21 ,  the plaintiff sought repayment of a $10,000 loan. When the loan was not repaid, the plaintiff began telephoning the defendant at her home and at her place of employment, and eventually showed up at the defendant's place of employment and demanded repayment of the loan in front of her co-workers. Other cases have similarly found an invasion of privacy for overzealous activities associated with debt collection.22 

Based on the developing Canadian case law and the support that the concept of a tort of breach of privacy is receiving from the higher courts in the U.K., it can reasonably be expected that there will be increasing recognition by Canadian courts of an independent privacy right. In addition, even if there is no common law right of privacy, Canadian courts will not hesitate to protect the privacy of personal information under some recognized tort.23  Briefly discussed below are three developing areas of law which might, in certain cases, serve as a basis for a claim against organizations which deal with personal information.

(a) Breach of Confidence

As can be seen from the U.K. decisions in A v. B and Douglas , even absent a tort of invasion of privacy, courts will often enforce privacy rights by employing the tort of breach of confidence. According to Canadian jurisprudence, Canadian courts will enforce a claim for breach of confidence where three conditions are met:

(i) the information must have the "necessary quality of confidence about it;"
(ii) the information must have been imparted in confidence; and
(iii) there must be unauthorized use to the detriment of the party communicating the information.

The Supreme Court of Canada in Lac Minerals v. International Corona Resources24  held that, where a party receives private information in confidence, there is an expectation that it will not misuse that information for its own benefit,25  and where information of a commercial value is given on a business-like basis, the recipient is regarded as carrying a heavy burden if it seeks to resist a claim that it was bound by an obligation of confidence. The U.K. Court of Appeal stated in Douglas that "the tort of breach of confidence contains all that is necessary for the fair protection of personal privacy." 26

It is readily apparent that many business relationships which involve exchanges of personal information can be seen as creating the necessary relationship of confidence to create an obligation of confidentiality, especially where sensitive personal information is provided by one or both parties as part of the relationship. Examples of such relationships include those between insurer and insured, banker (or other financial advisor) and customer, health care practitioner and patient, consultant and client, and, of course, lawyer and client. In many circumstances, the professional obligations created by the relationship will circumscribe the use of personal information by one or both parties, but there may well be additional common law duties which will apply in addition to, or in the absence of, such obligations. The difficult question, of course, is determining the extent of the privacy duty in the particular circumstances of each individual relationship.

(b) Fiduciary Duty to Keep Information Confidential?

The Supreme Court of Canada in Frame v. Smith27   stated that there are three characteristics to be considered in determining whether a fiduciary duty exists:

(i) the fiduciary has scope for the exercise of some discretion or power;
(ii) the fiduciary can unilaterally exercise that power or discretion to affect the beneficiary's interests; and
(iii) the beneficiary is vulnerable to or at the mercy of the fiduciary exercising the discretion of power.

However, a fiduciary relationship may be found even though some of these characteristics are not present; conversely, the presence of such characteristics does not invariably identify the presence of a fiduciary relationship.

For example, in Haskett,28  the court considered, inter alia, whether a credit reporting agency owed a fiduciary duty to its consumers, and whether the credit reporting agency committed the tort of invasion of privacy. In determining that the credit reporting agency did not owe a fiduciary duty to its consumers, the court reasoned that the credit reporting agency acted in its own self-interest in selling its services, notwithstanding the fact that the manner of providing such services was constrained by statute. The court held that the credit reporting agency did not relinquish its self-interest and did not act on behalf of the consumer for the consumer's benefit. The court further held that, although the credit reporting agency may owe a prima facie duty of care to the consumer, with the standards of the Consumer Reporting Act29  informing that duty of care, such duty is not a fiduciary duty.

In light of the decision in Haskett , it is unlikely that an enterprise carrying on business in its ordinary course would have fiduciary duties imposed on it beyond any relevant statutory restrictions.

(c) Industry Policies and Negligence

In Canada v. Saskatchewan Wheat Pool,30  the Supreme Court of Canada held that proof of statutory breach may be used as evidence of negligence and that the statutory formulation of the duty may afford a specific, and useful, standard of reasonable conduct.31  The acceptance of statutory duties as the standard of reasonable conduct can be further extended to include recognized industry policies, practices, or standards as setting the standard of reasonable conduct, and the breach of a generally accepted industry standard may constitute evidence of negligence. For instance, the recent decision in Zraik v. Levesque Securities Inc32 .  confirmed that failing to comply with certain professional duties and internally created guidelines could be used to establish negligence. As a result, industry standards, such as model privacy policies or codes, may create a specific and useful standard of reasonable conduct with respect to the collection of personal information, and a breach of such policies may constitute evidence of negligence.

(d) Conclusion

The development of a common law right of privacy continues in Canada, albeit at a slow rate compared to the relatively rapid pace of legislative activity. Nevertheless, it is impossible to ignore the existence of a common law right that will likely continue to co-exist with and supplement the statutory protections for personal information privacy. Prudent counsel (and their clients) should consider whether dealings with personal information that comply with all relevant statutory restrictions may nevertheless be considered to be breaches of a developing common law right, especially since damages for such breaches will be at large and may greatly exceed the remedies prescribed under applicable statutes, especially if such damages are claimed in a class action.

  1. S.C. 2000, c.5.
  2. Note that this article is only referring to the obligations of private sector entities in respect of personal information. For an interesting discussion of the privacy obligations of the public sector under the Charter of Rights and Freedoms and other legislation, see the opinion of Justice La Forest commissioned by the federal Privacy Commissioner at <www.privcom.gc.ca/media/nr-c/opinion_020410_e.asp>.
  3. Burns, "The Law and Privacy: The Canadian Experience" 54 C.B.R. 1 at 12-24; Rainaldi, Remedies in Tort (Toronto: Carswell, 2000) at 24-12.1 to 24-19; McIsaac, Shields & Klein, The Law of Privacy in Canada (Toronto: Carswell, 1987) at 2-53 to 2-58.1.
  4. M. (A.) v. Ryan (1994), 98 B.C.L.R. (2d) 1 at 19, cited in British Columbia (Assessor of Area No. 09 - Vancouver) v. Lord Realty Holdings Ltd., [1996] B.C.J. No. 2092 (B.C.C.A.).
  5. Klar, Tort Law (Toronto: Carswell, 1991) at 56, cited in Haskett v. Trans Union of Canada Inc., [2001] O.J. No. 4949 (S.C.J.) ("Haskett"). However, the Court in Haskett acknowledged that, more recently, there has been some recognition of invasion of privacy as an embryonic tort where there is harassing behaviour or an intentional invasion of privacy: Tran v. Financial Debt Recovery Ltd. (2000), 193 D.L.R. (4th) 168 and Lipiec v. Borsa (1996), 31 C.C.L.T. (2d) 294 (Ont. Gen. Div.).
  6. [2001] 1 W.L.R. 2341 (Q.B.).
  7. Ibid., at 2354.
  8. 2001] Q.B. 967 (C.A.).
  9. Ibid., at 988.
  10. [1991] F.S.R. 62 (C.A.).
  11. Supra, note 9, at 997 and 1001.
  12. Australian Broadcasting Corporation v. Lenah Game Meats Pty. Ltd., [2001] H.C.A. 63.
  13. P. v. D., [2001] 2 N.Z.L.R. 591; Tobin, "Invasion of Privacy", [2000] New Zealand Law Journal 216.
  14. Govind v. State of Madhya Pradesh (1975) 62 A.I.R. (SC) 1378.
  15. Linden, Canadian Tort Law (6th ed., 1997) at 56.
  16. McIsaac et al., supra, note 4, at 2-55 (citing Roth v. Roth (1991), 9 C.C.L.T. (2d) 141 (Ont. Gen. Div.)).
  17. Supra, note 6.
  18. Supra, note 17.
  19. (1981), 34 O.R. (2d) 317 (Co. Ct.).
  20. Rainaldi, supra, note 4, at 24-12.2 to 24-12.4.
  21. [1989] O.J. No. 985 (Dist. Ct.).
  22. Supra, note 6. 
  23. Dyne Holdings v. Royal Insurance of Canada (1996), 34 C.C.L.I. (2d) 180 (P.E.I. S.C.).
  24. [1989] 2 S.C.R. 575.
  25. See also Cadbury Schweppes Inc. v. FBI Foods Ltd., [1999] 1 S.C.R. 142.
  26. Supra, note 9, at 998-999.
  27. [1987] 2 S.C.R. 99 at 136.
  28. Supra, note 6.
  29. R.S.O. 1990, c. C.33.
  30. [1983] 1 S.C.R. 205.
  31. Ibid., at 244.
  32. [1999] O.J. No. 2263 (S.C.J.) as varied by [2001] O.J. No. 5083 (C.A.).

 Retour aux résultats de la recherche de publications



Pour recevoir nos publications