The growth of actions for violation of privacy presents a significant risk for defendants and an opportunity for civil claims to provide a mechanism for accountability. However, several key issues that would determine the scope of liability remain unsettled. In most cases, courts have concluded that the existence of statutes dealing with personal information does not exclude the possibility of civil actions, which is important given the limits of statutory remedies. Negligence claims in this context may face issues regarding the duty of care, particularly where the defendant is a public authority, and proof of injury, given that recovery for harms such as stress or economic loss is limited. Therefore, the availability of statutory or common law privacy torts, which do not require proof of actual damage, is very important, but the elements of these torts are evolving and may be difficult to prove against an organization where the main perpetrator of the violation is an individual employee or third party. Vicarious liability for a breach of privacy by a ‘rogue’ employee is possible, but will depend on whether the facts show that the employer organization materially increased the risk of the violation. The current state of the law raises questions about the ability of these claims to effectively provide compensation or deterrence, but in the absence of legislative reform, the progressive development of the law on some of these issues could help to clarify and expand the options available to address ongoing threats to privacy.
Barbara von Tigerstrom, Direct and Vicarious Liability for Tort Claims Involving Violation of Privacy, 2018 96-3 Canadian Bar Review 539.