A common route to obtaining relief from an invasion of privacy by a private commercial organization is through the Office of the Privacy Commissioner of Canada (“Commissioner”). In the case of Angela Miglialo, a Calgary resident, this is the route she took, which ultimately led to the Federal Court case of Miglialo v Royal Bank of Canada, 2018 FC 525 (Miglialo). Was it the right choice?
Ms. Miglialo’s privacy concerns began sometime between 2011 and 2013, when she suspected that information in her accounts with the Royal Bank of Canada (RBC or the bank) was being accessed without her authorization. She became suspicious of an unauthorized access to her RBC accounts when her mother, who resided in Montreal, started asking her invasive questions about the beneficiaries of her investment accounts. As a result of these questions, she suspected that her brother’s girlfriend, who worked for RBC in Montreal (the RBC employee), was the one who accessed her accounts without authorization and disclosed information about the accounts to Ms. Miglialo’s mother.
In response to these suspicions, Ms. Miglialo contacted RBC and expressed concerns that the identities of the beneficiaries could be or had been revealed to her family. In the course of its investigation, RBC interviewed the RBC employee, who admitted to viewing Ms. Miglialo’s accounts without authorization. The bank was able to confirm that Ms. Miglialo’s suspicions about unauthorized access were correct; however, it denied that the information was disclosed to anyone else.
Unsatisfied with RBC’s investigation, Ms. Miglialo made a complaint to the Commissioner, alleging that RBC was in breach of the Personal Information Protection and Electronic Data Act (PIPEDA). Upon investigating the matter, the Commissioner concluded that RBC responded to and investigated the matter effectively and dealt with the matter in an appropriate fashion.
Following the conclusion of the Commissioner’s report, Ms. Miglialo filed an application with the Federal Court pursuant to Section 14 of PIPEDA. She sought damages arising from her mental and emotional distress as a result of the privacy breach. In dismissing Ms. Miglialo’s application, the Court emphasized the need for Ms. Miglialo to adduce evidence of the causative relationship between RBC’s actions and her damages, and for evidence establishing the extent of her damages. Ms. Miglialo was unable to adduce any evidence establishing the extent of her damages and was not able to establish that RBC was the cause of her damages. To add insult to injury, it was found that the invasive questioning by her mother was done prior to the RBC employee accessing the information of her accounts.
The Court also considered several cases where damages were awarded under PIPEDA, and noted that all of them involved disclosure of highly sensitive information. The court compared this to Ms. Miglialo’s case, in which the bank had found that there was no disclosure. The Miglialo case therefore reinforces that in order for damages to be awarded under PIPEDA, plaintiffs must establish that the breach was of a certain severity and that it ultimately led to the disclosure of sensitive information.
Given the fact scenario, it may have been more prudent for Ms. Miglialo to pursue an action for intrusion upon seclusion. The tort of intrusion upon seclusion was first recognized in Canada in the landmark Ontario Court of Appeal case, Tsige v Jones, 2012 ONCA 32 [Tsige]. While Ms. Miglialo lived in Alberta, a jurisdiction that has not formally recognized the tort, it may still have been a viable route for two reasons. First, RBC carries on business in the Province of Ontario,[1] and second, the elements of intrusion upon seclusion are more appropriately aligned with Ms. Miglialo’s situation than the requirements for establishing damages under PIPEDA.
In Tsige, the Court of Appeal set out the three elements of intrusion upon seclusion:
- The Defendant’s conduct must be reckless or intentional
- The Defendant must have invaded, without lawful justification, the Plaintiff’s private affairs or concerns
- A reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish
To establish the tort, Ms. Miglialo would merely need to have established that the RBC employee viewed the information of her accounts deliberately, that there was no apparent business reason as to why the RBC employee was looking at her accounts, and, finally, that any reasonable person would regard an invasion into their private financial affairs as highly offensive.
Notably, in setting out the elements of the tort in Tsige, the Ontario Court of Appeal noted that proof of harm to a recognized economic interest was not required. Not being required to establish proof of harm would have relieved Ms. Miglialo of the need to adduce evidence that RBC caused her actual harm. This is what potentially makes the tort of intrusion upon seclusion the more attractive route in this instance. There would have been no need to establish that a disclosure of her sensitive information was made; she would not have needed to make a causal connection between the invasive questioning from her mother and the breach; and she would not have required evidence to substantiate her claims for mental and emotional distress.
Commencing an action for intrusion upon seclusion is not without its drawbacks, however. The issue of vicarious liability remains undetermined at this point, so any deliberate conduct could only be established as against the employee. It also remains to be seen what courts consider “reckless” conduct by a corporate defendant and whether that same “reckless” conduct can equate to vicarious liability for an employee’s action. Furthermore, the courts have yet to determine the thresholds for establishing employer vicarious liability for an employee’s tortious conduct, in terms of lack of corporate policies, training, and monitoring. In Ms. Miglialo’s case, if the RBC employee was the only party found liable under the tort, it could complicate her ability to collect any damages that were awarded.
Finally, it is likely that any resulting damages from a successful claim of intrusion upon seclusion would be nominal. It was one unauthorized access and no disclosure was made. Given the small amount of money to be recovered from any potential claim of intrusion upon seclusion, it may not have been practical on an economic level for Ms. Miglialo to pursue the tort claim. PIPEDA’s dispute resolution mechanism is relatively quick and inexpensive, and an application to the Federal Court is more expeditious than a formal action. However, if Ms. Miglialo was determined to get compensation for the breach, no matter the time or cost, and given the stricter criteria that need to be met to receive damages under PIPEDA, intrusion upon seclusion may have been the more favorable route.
The important lesson to be learned from this case is that a complainant who is unsuccessful before the Commissioner is unlikely to be successful before the Federal Court. The Commissioner is, by its nature, a consumer-protection-friendly regulator, less bound to precedent and incremental jurisprudential development than the Federal Court. Therefore, unless the claim involves a procedural error, it is, anecdotally, unlikely that a Court will find a violation where the Commissioner did not.
About the author
William Lim is an associate at Wolfe Lawyers where he practices primarily personal injury, but has a particular interest in the quickly developing area of privacy and cybersecurity law. He can be reached at Wlim@wolfelawyers.com.
[1] See Club Resorts Ltd. v Van Breda, 2012 SCC 17 at para 90, which indicates that if the Defendant conducts business in the province, then that is a presumptive factor in allowing a province’s Court to assume jurisdiction over the dispute.
Any article or other information or content expressed or made available in this Section is that of the respective author and not of the OBA.