Posted on January 25, 2012 by Daniel Solove

Privacy Torts in Canada and the International Convergence of Privacy Law

In a recent case, the Court of Appeal for Ontario, Canada recognized the privacy torts that are widely-recognized in the United States.  Many foreign common law jurisdictions, including the United Kingdom and other countries, have steadfastly refused to recognize the privacy torts spawned by the 1890 law review article by Samuel Warren and Louis Brandeis, The Right to Privacy,  4 Harv. L. Rev. 193 (1890).  These torts – intrusion upon seclusion, public disclosure of private facts, false light, and appropriation of name or likeness – are known collectively as “invasion of privacy.”  In the case of Jones v. Tsige, 2012 ONCA 42 (Jan. 18, 2012), the Court of Appeal for Ontario finally recognized the US privacy tort of intrusion upon seclusion – intentionally intruding upon a person’s seclusion or solitude, or into his private affairs.

In the UK, courts have continued to reject the Warren and Brandeis privacy torts, and instead embrace a different tort known as breach of confidence.  Nevertheless, courts in the UK have stretched the breach of confidence tort in the past decade to quite closely resemble the US privacy torts.  See Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).   And in the US, the breach of confidentiality tort (the US analogue to the breach of confidence tort) has been developing rapidly during the last two decades.  The result is that privacy tort law in the US and UK is converging. 

Canadian tort law is converging too, as demonstrated by Jones.  In Jones, Tsige and Jones both worked at the Bank of Montreal, but they didn’t know each other.  Tsige began a relationship with Jones’s former husband.  Tsige began to access Jones’s personal bank accounts many times during a 4-year period.  The court, in recognizing a cause of action for intrusion upon seclusion, noted several Ontario cases, provincial case law, legislative enactments, and Charter law to reach the conclusion that “the time has come to recognize invasion of privacy as a tort in its own right.”

The recognition of the US privacy torts by a Canadian court is further demonstration of a general trend – the convergence of privacy law across countries around the world.  Although profound differences in the law remain between countries, there has also been significant convergence.  Although Professor James Whitman famously argued that cultural differences would make harmonization of privacy law between the US and EU practically impossible, see James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151 (2004), both the US and EU and most of the rest of the world have embraced the Fair Information Practices (FIPs) as the cornerstone of their approach toward to protecting privacy.  The FIPs emerged in the US and were more widely and comprehensively adopted in the EU, but much US privacy legislation embodies some of the FIPs.

And the convergence is increasing.  More gaps continue to get filled in US privacy legislation.  States in the US have taken the lead in data security notification legislation, and other countries are beginning to follow suit – as is the federal government with the new HITECH data security breach notification requirements.

Slowly, the privacy law of many countries is beginning to converge, with different countries adopting each other’s legal approaches to privacy issues.  The US has often been left out of the process, often not perceived by other countries as a leader in privacy law.  Although the law of the US has many significant problems, and it is lagging behind the law of many countries in many dimensions, there are areas where the US law is still looked to for guidance.  Data security breach notification is one such area, as is the tort law of privacy.  With creative, practical, and effective laws, the US can once again take a more active leadership role in the international law of privacy.  And taking such a role is important, for the US can add a pragmatic perspective to other regulatory approaches.  But to have other nations embrace such pragmatism, US privacy law must be more vigorous and effective.  Strengthening US privacy law might in the short term lead to more regulatory burdens on industry, but it might also work to industry’s benefit in the long run by enhancing the US’s leadership role in privacy and by having an increased influence on foreign regulation.
Tags: , , , , , ,
Posted on September 3, 2010 by Christopher Wolf

If the Online Notice is Too Complex, Does That Open the Door to Tort Claims?

In an opinion piece appearing in today's Wall Street Journal, available here, Eric Felten describes an ongoing case in which a tort claim seeks to escape the limitation of liability language contained in an End User License Agreement (EULA):

A federal judge in Hawaii ruled last month that a man claiming to be addicted to a videogame can sue the game's maker for gross negligence in not warning him he could become a joystick junkie. Craig Smallwood alleges in his lawsuit that, as a result of playing the online game "Lineage II," he has "suffered extreme and serious emotional distress and depression, and has been unable to function independently in usual daily activities such as getting up, getting dressed, bathing, or communicating with family and friends."

Felten continues:

Silly as the suit may be, it isn't without legal ramifications. Steven Roosa, a lawyer doing research at Princeton's Center for Information Technology Policy, sounded almost giddy this week at the prospect that a court might chip away at the enforceability of End User License Agreements, or EULAs. These software license agreements often radically limit how, and for how much, customers can sue if they feel harmed by an electronic product.

Mr. Roosa cheered on his blog that the judge in Hawaii has opened an avenue for escaping the tyranny of these one-click, liability-limiting contracts. He called the judge's refusal to throw the case out in its entirety a "stunning defeat" not only for the maker of Lineage II, but for the whole business of locking customers into contracts that consist of miles of electronic fine print that hardly anyone ever reads.

Felten observes in his Journal article that "[n]o doubt we do live in a time of kudzu legalese, with weedy contractual tendrils crawling into every electronic transaction. It's alarming to think about everything we sign off on these days, with endless demands to click "I agree" as the non-negotiable price of entry into our electronic worlds. Alarming, because few of us ever peruse the legal documents to which we so regularly and glibly affix our electronic signatures."

Last April, the British retailer Gamestation set out to prove the point by including in its boilerplate some Mephistophelean contractual language: "By placing an order via this Web site," read the clause, "you agree to grant us a non-transferable option to claim, for now and for ever more, your immortal soul." In just one day, some 7,500 customers "agreed" to hand over their souls for a mess of virtual pottage. (emphasis supplied)

In the context of privacy policies, two weeks ago I was a panelist at the Privacy, Identity and Innovation 2010 conference in Seattle in the session "Competing on Privacy: Trade-offs, Transparency and Trust."  At the session, I observed  that privacy policies often are dense because companies need to protect themselves, but that alongside the legalese of the privacy policies can be layered notices with simple declarative sentences and even videos of people explaining in plain English how personal information is collected and used.

A blogger in the Seattle audience yelled out at me for admitting that I draft lengthy privacy policies, and I tried to get this concept across, explained in today's Journal article:

The proliferation of annoying and obnoxious license agreements has been driven, primarily, not by companies' desire to abuse their customers, but by a need to keep their rather more litigious customers from abusing them (and the legal system). As Jonathan Zittrain, who teaches both law and computer science at Harvard, puts it, "EULAs are, for most companies, a shield not a sword."

(I did not admit nor do I mean to suggest that the policies I draft are "annoying and obnoxious," just lengthy.)

So it is a given that legal notices almost inevitably will be complex but supplemental, simplified notices, even video notices, alongside the legalese will better inform consumers.  And it should thwart tort claims where a plaintiff claims "I had no idea this could be the result of my interaction with the web site."

 

Tags: , , , ,