Rights, remedies and the means to pursue them: Rouge Valley Health System case goes to appeal

Enthusiasts for the tort of intrusion upon seclusion as the new frontier for holding organizations and their employees to account for privacy-related wrongs were forced to step back and regroup after the Ontario Superior Court of Justice’s decision in Broutzas v. Rouge Valley Health System and Kouvas v. Scarborough and Rouge Hospital. This past fall 2018, Justice Perell quashed any hope of a meaningful private law remedy for what many consider a privacy-invasion. Justice Perell concluded, in a nutshell, that there was no compensable privacy invasion when the names of women who had just had children were allegedly sold by nurses to sales persons for registered retirement savings plans.

No right with out a remedy

The case brings to a head a fundamental problem with private law remedies for privacy intrusions in Ontario.

The Supreme Court keeps telling us that privacy is an important value in Canadian society. Most recently, the majority decision in R. v. Jarvis stated (para. 65):

As this Court has recognized, our society places a high value on personal privacy — that is, privacy with respect to our bodies, including visual access to our bodies […]. While all aspects of privacy — both from the state and from other individuals — serve to foster the values of dignity, integrity and autonomy in our society, the connection between personal privacy and human dignity is especially palpable […].

R. v. Jarvis, 2019 SCC 10 at para 65.

Close readers of the Supreme Court of Canada’s decisions will know that the court has generally been careful not to call privacy a “right” (unless it is referring to a privacy right given by statute). There are exceptions. However, most often, the court refers to privacy as a “value”.

Even our Privacy Commissioners tend to be careful not to call privacy a “right”, although our current federal Privacy Commissioner, Daniel Therrien, has not always been so cautious. For example, in recent submissions to the Standing Committee on Access to Information, Privacy and Ethics, the Commissioner elevated privacy to a “fundamental human right”. He may have been speaking about Quebec, but his remarks do not seem to be well-grounded if he meant the assertion to apply to a province like Ontario.

The difference between values and rights is important. If there is a right, there must be a remedy and a means to pursue it. We common law lawyers look to the foundational judgment of Lord Holt in 1703 for the proposition that there is no right without a remedy and a means to pursue it:

If the plaintiff has a right, he must of necessity have a means to vindicate and maintain it, and a remedy if he is injured in the exercise or enjoyment of it, and, indeed it is a vain thing to imagine a right without a remedy; for want of right and want of remedy are reciprocal…

Ashby v White (1703), 92 ER 126, p. 146

This is not necessarily the case with fundamental values. Values are normative standards that inform the shaping of, our interpretation of and the application of rights and remedies.

If privacy is a “fundamental human right”, Ontario and some of the other provinces in Canada have missed that message. As the court’s discussion in Broutzas and Kouvas illustrate, any private law remedy and any means to pursue it is so narrow that calling it a “fundamental right” seems an exaggeration.

Fear of the hordes, part 1

The proposed class actions in Broutzas and Kouvas involved allegations that nurses at those hospitals sold contact information about mothers admitted for childbirth at those hospitals to sales representatives of registered education savings plans.

The plaintiffs advanced several theories of liability against the defendants. One of those was the tort of intrusion upon seclusion.

As a reminder, the Ontario Court of Appeal added the tort of intrusion upon seclusion to the legal landscape in Ontario in 2012 in the landmark case of Jones v. Tsige. The court was concerned to provide a common law remedy that was narrowly constrained to protect significant privacy interests. In recognizing the tort as part of Ontario law, Justice Sharpe stated that the key requirements to establish the tort were:

  • the defendant’s conduct was intentional or reckless
  • the conduct invaded the individual’s private affairs or concerns
  • a reasonable person would find the invasion as highly offensive causing distress, humiliation or anguish

Justice Sharpe went on to say that there need not be any concern about opening the flood gates. The tort required intention or at least recklessness and only significant privacy interests would be protected. Justice Sharpe said (para. 72):

Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practises and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.

Jones v. Tsige, 2012 ONCA 32 at para. 72.

Does “seclusion” mean secret or confidential?

In advancing the tort of intrusion upon seclusion in the Boutzas and Kouvas cases, the plaintiffs had a steep uphill climb to convince Justice Perell that the interests protected by the tort extended beyond “confidential” or “secret” information to include other privacy interests that the court recognized in R. v. Spencer and, more recently, in R. v. Jarvis. These privacy interests, in the criminal law context, include the ability to control access to and use of information about oneself in various contexts (whether or not it is secret or confidential).

The plaintiffs failed in their task. Justice Perell neatly summarized his understanding of the “privacy” interest protected by the tort as being concerned with “confidential” or “secret” information at paragraph 153 of the judgment:

Generally speaking, there is no privacy in information in the public domain, and there is no reasonable expectation in contact information, which is in the public domain, being a private matter. Contact information is publicly available and is routinely and readily disclosed to strangers to confirm one’s identification, age, or address. People readily disclose their address and phone number to bank and store clerks, when booking train or plane tickets or when ordering a taxi or food delivery. Many people use their health cards for identification purposes. Save during the first trimester, the state of pregnancy, and the birth of child is rarely a purely private matter. The news of an anticipated birth and of a birth is typically shared and celebrated with family, friends, and colleagues and is often publicized. The case at bar is illustrative. All the proposed representative plaintiffs were not shy about sharing the news of the newborns. 

Broutzas v. Rouge Valley Health System, 2018 ONSC 6315 at para. 153.

To my mind, it is not clear that the Ontario Court of Appeal intended to limit the tort to protect “confidential” or “secret” information. When Justice Sharpe referred to the tort as being intrusion upon “seclusion”, he explained the invasion as relating to one’s “private affairs or concerns”. It is true that most of the examples he gave (e.g. diary or private correspondence) have the quality of secrecy or confidentiality. However, other matters are somewhat more elastic. In what sense, for example, is “employment” secret or confidential?

One of the interesting points on the appeal will be to see whether the court will recognize that “seclusion” does not necessarily mean secrecy. The court could pivot and acknowledge that the very nature of “seclusion” is an assertion of control over the dissemination and use of information. It is this concept of privacy that is at stake in the tort. There is certainly a precedent in the recent case of R. v. Jarvis (albeit in the criminal law context) to conceive of privacy in a way that is more about the context of the information than its confidentiality. More on that in an upcoming post.

Justice Perell avoided having to really grapple with that question because he refused to accept that the intrusion involved information in a health record, which was one of the enumerated protected categories of information that Justice Sharpe laid out in Tsige v. Jones. In my view, Justice Perell is just plain wrong on this point. The sales people weren’t buying contact lists about random patients at the hospital. The information was directly related, in an unbroken chain, to the admission of these women for care related to the birth of their children. Why those women were patient was the key factor in making the information valuable.

Fear of the hordes, part 2

The fundamental problem for the plaintiffs in Broutzas and Kouvas was that there didn’t seem to be much in the way of distress, humiliation or anguish. The evidence appears to be that the sales calls were merely annoying. Here is where the court’s general fear of the hordes comes back in. The Court of Appeal did not want to open the floodgates to claims for “trivial” privacy breaches.

But the floodgates fear requires further introspection by the court. First, it is not clear why the concerns regarding the possibility of plaintiffs pursuing remedies for trivial breaches should be a factor at all if privacy is a fundamental value or fundamental right. The law affords remedies for many trivial wrongs. Not receiving a jacket ordered online in a colour and make that I requested is also not the end of the world. In most cases, this would also be a mere inconvenience, unless the item was very special or, perhaps, the cost was very high proportional to my disposable income. And yet, there is little question that I have a remedy under the law for such a breach.

Second, there is no evidence that would suggest the floodgates would open with a broader tort. Indeed, if we look at the provinces that have created a statutory tort of invasion of privacy without the constraints imposed by the Ontario Court of Appeal for the tort of intrusion upon seclusion, there is no evidence that there has been any floodgate of claims.

Ultimately, the court must explain clearly why, if privacy is a fundamental value, its protection under the common law is so meagre. And if its protection is to remain meagre, then we should stop asserting that privacy is a “fundamental right” or even a “fundamental value”.

If regulatory action is the remedy, is it sufficient?

If privacy is a fundamental value, there is another way, of course, to handle the problem of remedies for privacy infringements. This is through a regulatory scheme and it is likely the one that judges would prefer. The courts may not be the right place to consider the issues that are involved in privacy interests related to reasonable expectations of control over the context and flow of information. Certainly, harm can arise from a violation of these expectations. However, this interest (assuming we continue to see it as societal values) may be more appropriately analyzed and remedied by Privacy Commissioners and professional regulatory bodies, rather than the courts.

Indeed, in Broutzas and Kouvas, Justice Perell may have been influenced by the fact that those involved had largely been sanctioned. Judges want to see justice done. In these cases, Justice Perell seemed to think that justice had already been done. As Justice Perell noted, with one exception (who Justice Perell observed might not have been a wrongdoer), the individuals involved had all been punished in some way for their wrongdoing and the Rouge Valley Hospital had been investigated by the Information and Privacy Commissioner and had been ordered to take remedial actions, which it had done (paras. 298-299]:

Through the access to justice and behavior modification lens of preferable procedure, the real target of the class action is the hospital, because Ms. Bandali, Nurse Cruz, and Mr. Sethi obviously do not have the multi-millions of dollars claimed, and with the exception of Mr. Sethi, who may have done nothing wrong, they have already been punished for their wrongdoing.

For the hospital, no behavior management is necessary. After training efforts and strong admonitions to protect patient privacy, the hospitals were betrayed by their employees. The Order made by the Privacy and Information Commissioner against Rouge Valley was essentially directed at having the hospital introduce better auditing systems to identify – after an intrusion – the extent of the harm caused.

Broutzas v. Rouge Valley Health System, 2018 ONSC 6315 at paras. 298-299.

If the regulatory path is the one chosen by Parliament and Legislatures to protect and promote this fundamental human value, then the Commissioners may need stronger tools to do so. At the federal level, if the Commissioner is the guardian of a fundamental human value, we might expect that Commissioner to have, at a minimum, a similar power to order compliance to protect that value (as his provincial counterpart in Ontario does). If the value is so important as to be “fundamental” to Canadian society, we might even expect Commissioners to have some ability to proceed directly to court to seek a penalty for serious violations without having to go through a two-step process.

On the other hand, if we are going to make privacy a “right” in Ontario, then individuals are going to need a remedy and a means to pursue it either by common law or by statute.



Categories: Health, Litigation, Office of the Privacy Commissioner of Canada, Privacy

Tags:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: