23 August 2022By Gush Minhas
The Divisional Court’s decision in Stewart v Demme1 (“Stewart”) is a recent example of the increased scrutiny courts are applying to plaintiffs’ claims in privacy and data breach class proceedings. In this case, the court overturned the certification of a class proceeding against a nurse and a hospital where the nurse had allegedly accessed thousands of patients’ private health records to improperly obtain opioids for personal use.
The decision in Stewart follows recent decisions in other provinces that took a similarly restrictive approach to data breach and privacy-related class proceedings. For instance, in Lamoureux v. Investment Industry Regulatory Organization of Canada (IIROC)2 and Setoguchi v Uber B.V.3, the courts refused to certify class proceedings involving privacy and data-breach claims. The decision in Stewart suggests a similarly restrictive approach may apply in Ontario, notwithstanding the recognition of the tort of intrusion upon seclusion by the Ontario Court of Appeal in Jones v. Tsige.4
Background: Catharina Demme was a nurse employed by the William Osler Health System. Over the course of a 10-year period, Ms. Demme stole an estimated 23,392 Percocet pills from an automated medication dispensing unit within the hospital where she worked. Ms. Demme used her position as a nurse to gain unauthorized access to thousands of patients’ files, view limited personal information, and have drugs dispensed for her personal use. Ms. Demme improperly accessing over 11,000 individual patient records; however, the viewing of patients files was incidental to her primary objective: to dispense drugs.
Ms. Demme was convicted for the criminal theft of the drugs, and one of the affected patients commenced a class proceeding seeking damages for intrusion upon seclusion and negligence. The plaintiff brought a motion to certify the action as a class proceeding, and the defendants brought a cross-motion for summary judgment dismissing the proceeding.
The Certification Decision: The certification judge, Morgan J., certified the claim for intrusion upon seclusion as a class proceeding, but not the negligence claim, and dismissed the defendants’ summary judgment motion.
The defendants did not seriously contest that the first two elements of the tort of intrusion upon seclusion were satisfied: (i) Ms. Demme’s conduct was intentional; and, (ii) Ms. Demme “invaded, without lawful justification, the plaintiff’s private affairs”. Rather, the crux of the issue before the court was whether a reasonable person would view the privacy invasion as “highly offensive” (the third element of the test).
Morgan J. appeared to accept the defendants’ submission that this was a “very large narcotics theft but a very small privacy invasion”.5 Ms. Demme only accessed each patient’s records for a brief moment, and such access was solely for the purpose of obtaining Percocet. There were no significant negative effects on the class as a result of this breach, and it did not appear to have caused significant damages.
His Honour’s decision to certify the action turned on the nature of the privacy interest infringed; the accessing of private health information was highly offensive, even though the magnitude of the infringement was relatively minor.
Appeal to the Divisional Court: On appeal, the Divisional Court allowed the defendants’ appeal, set aside the certification order, and dismissed the plaintiff’s motion to certify the action.
The Court disagreed with Morgan J.’s finding that any intrusion into personal health information, no matter how minimal or fleeting, can be described as “highly offensive”. The Court held:6
Not every intrusion into private health information amounts to a basis to sue for the tort of intrusion upon seclusion. The particular intrusion must be “highly offensive” when viewed objectively having regard to all the relevant circumstances. If the case does not “cry out for a remedy”, it is a signal that the high standard for certification of this limited tort may not be met.
In the Court’s view, the tort of intrusion upon seclusion is not meant to apply to every breach of privacy, and the privacy invasion in this case fell short of being “highly offensive”. Not all informational privacy is worthy of protection under this tort; it is only certain information, which may include health information.7
A deeper analysis at the harm caused and context must be undertaken.
The Court noted that, in this case, Ms. Demme did not have any malicious purpose with respect to the information, nor did she retain or share it with anyone else; her breaches into patient records were strictly and solely for the purpose of obtaining drugs. The putative class members’ information was not viewed for more than a few moments, and they did suffer any significant harm as a result.
The Court emphasized that the information viewed was “at the low end of sensitive”, and expressed concern that granting certification of privacy breach claims for minimal and fleeting intrusion could open the litigation floodgates, hampering judicial economy.