Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches, News & Events

Privacy Torts in Canada and the International Convergence of Privacy Law

In a recent case, the Court of Appeal for Ontario, Canada recognized the privacy torts that are widely-recognized in the United States.  Many foreign common law jurisdictions, including the United Kingdom and other countries, have steadfastly refused to recognize the privacy torts spawned by the 1890 law review article by Samuel Warren and Louis Brandeis, The Right to Privacy,  4 Harv. L. Rev. 193 (1890).  These torts – intrusion upon seclusion, public disclosure of private facts, false light, and appropriation of name or likeness – are known collectively as “invasion of privacy.”  In the case of Jones v. Tsige, 2012 ONCA 42 (Jan. 18, 2012), the Court of Appeal for Ontario finally recognized the US privacy tort of intrusion upon seclusion – intentionally intruding upon a person’s seclusion or solitude, or into his private affairs.

In the UK, courts have continued to reject the Warren and Brandeis privacy torts, and instead embrace a different tort known as breach of confidence.  Nevertheless, courts in the UK have stretched the breach of confidence tort in the past decade to quite closely resemble the US privacy torts.  See Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).   And in the US, the breach of confidentiality tort (the US analogue to the breach of confidence tort) has been developing rapidly during the last two decades.  The result is that privacy tort law in the US and UK is converging. 

Canadian tort law is converging too, as demonstrated by Jones.  In Jones, Tsige and Jones both worked at the Bank of Montreal, but they didn’t know each other.  Tsige began a relationship with Jones’s former husband.  Tsige began to access Jones’s personal bank accounts many times during a 4-year period.  The court, in recognizing a cause of action for intrusion upon seclusion, noted several Ontario cases, provincial case law, legislative enactments, and Charter law to reach the conclusion that “the time has come to recognize invasion of privacy as a tort in its own right.”

The recognition of the US privacy torts by a Canadian court is further demonstration of a general trend – the convergence of privacy law across countries around the world.  Although profound differences in the law remain between countries, there has also been significant convergence.  Although Professor James Whitman famously argued that cultural differences would make harmonization of privacy law between the US and EU practically impossible, see James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151 (2004), both the US and EU and most of the rest of the world have embraced the Fair Information Practices (FIPs) as the cornerstone of their approach toward to protecting privacy.  The FIPs emerged in the US and were more widely and comprehensively adopted in the EU, but much US privacy legislation embodies some of the FIPs.

And the convergence is increasing.  More gaps continue to get filled in US privacy legislation.  States in the US have taken the lead in data security notification legislation, and other countries are beginning to follow suit – as is the federal government with the new HITECH data security breach notification requirements.

Slowly, the privacy law of many countries is beginning to converge, with different countries adopting each other’s legal approaches to privacy issues.  The US has often been left out of the process, often not perceived by other countries as a leader in privacy law.  Although the law of the US has many significant problems, and it is lagging behind the law of many countries in many dimensions, there are areas where the US law is still looked to for guidance.  Data security breach notification is one such area, as is the tort law of privacy.  With creative, practical, and effective laws, the US can once again take a more active leadership role in the international law of privacy.  And taking such a role is important, for the US can add a pragmatic perspective to other regulatory approaches.  But to have other nations embrace such pragmatism, US privacy law must be more vigorous and effective.  Strengthening US privacy law might in the short term lead to more regulatory burdens on industry, but it might also work to industry’s benefit in the long run by enhancing the US’s leadership role in privacy and by having an increased influence on foreign regulation.