COURT OF APPEAL FOR ONTARIO
CITATION: Winder v. Marriott International, Inc., 2022 ONCA 815
DATE: 20221125
DOCKET: C70286
Doherty, Tulloch and Miller JJ.A.
BETWEEN
Glenn Winder
Plaintiff (Appellant)
and
Marriott International, Inc., Luxury Hotels International of Canada, ULC and Starwood Canada ULC
Defendants (Respondents)
Michael Robb and Aylin Manduric, for the appellant
Ranjan Agarwal, Ruth Promislow, Mike Eizenga, Nina Butz and Mehak Kawatra, for the respondents
Heard: June 8, 2022
On appeal from the order of Justice Paul M. Perell of the Superior Court of Justice, dated January 17, 2022, with reasons reported at 2022 ONSC 390.
Doherty J.A.:
I
overview
[1] The appellant, Glenn Winder (Mr. Winder), sued Marriott International, Inc. and various subsidiaries and affiliates (“Marriott”) on his own behalf and on behalf of the proposed class members. The claim alleged, among other things, that Marriott had invaded the privacy of Mr. Winder and the other class members.
[2] Mr. Winder launched this lawsuit after Marriott disclosed that information provided to Marriott by customers, like Mr. Winder, had been accessed by unknown, unauthorized persons who had hacked into the reservation database of Marriott’s Starwood hotels. Mr. Winder advanced claims for negligence, breach of contract, and breach of various statutory provisions. He also alleged that Marriott was liable for the intentional tort of intrusion upon seclusion.
[3] Mr. Winder brought a motion to certify the proceeding as a class proceeding. Before the certification motion proceeded, the parties agreed to state a question of law for determination under r. 21.01(1)(a) of the Rules of Civil Procedure, R.R.O. 1990, Reg. 194. The question asked:
Does the Fresh as Amended Statement of Claim dated July 2, 2021 in the within proceeding disclose a cause of action against the Defendants under the tort of intrusion upon seclusion?
[4] The motion judge held that the Fresh as Amended Statement of Claim (the “Claim”) did not disclose a cause of action for intrusion upon seclusion. Mr. Winder appeals. The rest of the lawsuit remains outstanding.
[5] This appeal was heard with the appeals in Owsianik v. Equifax Canada Co., 2021 ONSC 4112, 18 B.L.R. (6th) 78 (Div. Ct.) and Obodo v. Trans Union of Canada, Inc., 2021 ONSC 7297. With one exception, the issues raised on this appeal are addressed in my reasons in Owsianik. I will not repeat that analysis and these reasons should be read with the reasons given in Owsianik. These reasons focus on the one argument advanced on this appeal which was not made in Owsianik.
[6] Unlike the claims in Owsianik and Obodo, this Claim alleges that Marriott invaded the privacy of its customers when it collected and stored their personal information in a manner that did not reflect the representations Marriott had made to its customers and that did not meet Marriott’s legal obligations in respect of maintaining the security of the information. These legal obligations, the Claim alleges, included contractual and statutory obligations, as well as obligations imposed by industry standards and practices. On this approach, Marriott is said to have invaded the privacy of its customers by collecting and storing the information in contravention of its representations and obligations, regardless of whether any third party ever actually gained access to the customers’ information stored in the database.
[7] For the reasons set out below, I do not agree that Mr. Winder has pleaded a viable intrusion upon seclusion claim against Marriott. As in Owsianik and Obodo, the essence of the Claim lies in Marriott’s alleged failure to maintain the security of the information. That failure is actionable in different ways, but does not support a claim of intrusion upon seclusion.
II
the allegations
[8] As in Owsianik and Obodo, the proceedings are still at the certification stage. In this case, however, the parties agreed to state a question of law pursuant to r. 21.01(1)(a) of the Rules of Civil Procedure before the certification motion. As in the companion cases, therefore, there are no findings of fact, only allegations. On a motion under r. 21.01(1)(a), the factual allegations are taken as true: Beaudoin Estate v. Campbellford Memorial Hospital, 2021 ONCA 57, 154 O.R. (3d) 587, at para. 14. The standard of review for a motion judge’s determination under r. 21.01(1)(a) is correctness: Das v. George Weston Ltd., 2018 ONCA 1053, 43 E.T.R. (4th) 173, at para. 65, leave to appeal refused, [2019] S.C.C.A. No. 69.
[9] Marriott operates hotels and timeshare facilities around the world. It receives and stores information provided by customers making reservations at Marriott facilities. The information includes customers’ names, phone numbers, passport numbers, account information and, in some instances, credit card information.
[10] In November 2018, Marriott disclosed that unauthorized persons had accessed the reservation database of Marriott’s Starwood hotels. The database contained the personal information provided by customers for purposes associated with reserving and using the hotel facilities. The unauthorized access had apparently been going on since 2014.
[11] The data breach discovered by Marriott potentially affected millions of people around the world. This lawsuit is brought by Mr. Winder on his own behalf and on behalf of other affected Canadian residents.
[12] In the Claim, Mr. Winder pleads that Marriott failed to comply with their contractual obligations, stated privacy policies, internal privacy policies, privacy laws in Canada and industry standards pertaining to the accumulation and storage of customer information. He also alleges that Marriott failed to respond adequately to an earlier report of a Starwood hotels data breach and failed to react to this intrusion in a timely and effective manner.
[13] The allegations summarized above are very similar to those made in Owsianik and Obodo. As explained in Owsianik, those allegations do not provide a basis upon which Marriott could be found to have invaded the privacy of its customers by failing to adequately protect the confidentiality of their information. Mr. Winder submits, however, that his pleading goes a step beyond the allegations made in Owsianik and Obodo. On his pleading, Mr. Winder fixes the unlawful intrusion upon his privacy at the time the information was stored, rather than when it was accessed by an unauthorized third party. The rest of these reasons focus on that aspect of Mr. Winder’s Claim.
[14] The extracts from the Claim, set out below, capture the essence of the intrusion upon seclusion claim:
[6] Through their actions and omissions, and as a result of their failure to comply with the obligations and standards applicable to them, the Defendants knowingly or recklessly violated the Class Members’ privacy, disclosed the Class Members’ Personal Information to unauthorized parties or caused it to be disclosed to unauthorized parties.
…
[78] The Defendants invaded, without lawful justification, the Class Members’ private affairs or concerns. Their collection and storage of Class Members’ Personal Information with no regard to the commitments they made as to its security and their complete failure to take reasonable steps to protect that Personal Information resulted to the exposure of that information in the Data Breach and the loss of its privacy.
[79] The Defendants’ conduct was intentional or reckless.
III
the reasons of the motion judge
[15] In his argument on the motion (and before this court), counsel for Mr. Winder argued that Marriott obtained the personal information in issue based on Marriott’s representations to its customers that it would meet its obligations to preserve the confidentiality of that information and would take reasonable steps to prevent any unauthorized access to that information. Counsel argued that Marriott knowingly or recklessly failed to meet these representations and obligations, thereby exposing the customers’ information to access by unauthorized third parties. Counsel argued that Marriott’s conduct vitiated the consent given by customers to Marriott’s storage and use of the customers’ personal information. Without that consent, Marriott’s storage and use of the information constituted an invasion of the customers’ privacy. The invasion was complete when Marriott took possession of the personal information and did not depend on any unauthorized third party accessing the information.
[16] The motion judge rejected the submission that Marriott’s failure to comply with its obligations and standards applicable to maintaining the security of its database could make Marriott an intruder or invader of its customers’ privacy. He said, at para. 13:
I am not persuaded that the pleaded material facts of the immediate case are sufficient to make Marriott an intruder for the purposes of the tort of intrusion on seclusion. At most, it might be said that Marriott is a constructive intruder. However, a reading of the Court of Appeal’s decision in Jones v. Tsige reveals that both the letter and spirit of the Court’s decision and the policy reasons behind it, prescribe a narrow – do not open the floodgates of liability – ambit for the tort of intrusion on seclusion. The ambit of the tort does not extend to constructive intruders and is limited to real ones.
IV
analysis
[17] The viability of Mr. Winder’s invasion of privacy claim must be determined by reference to his pleading. In his factum and oral argument, counsel for Mr. Winder submitted that Marriott gained access to the customers’ personal information under “false pretences” when it represented that it would comply with its obligations to maintain the confidentiality of the information. These submissions suggest allegations of deceit or civil fraud. Neither are pleaded. The pleading speaks in terms of misrepresentations by Marriott and Marriott’s failure to meet its obligations and take appropriate steps to safeguard the security of the personal information provided to it. The pleadings do not allege dishonesty or fraudulent misrepresentations. Nor do the alleged facts as pled offer a basis for a finding of deceit or civil fraud.
[18] Paragraph 6 of the Claim alleges that Marriott disclosed personal information to unauthorized parties, or caused personal information to be disclosed to unauthorized parties. Those allegations could in law support an intrusion upon seclusion claim. However, there are no material facts pled, capable of supporting the allegation that Marriott either disclosed personal information to unauthorized parties, or caused it to be disclosed. What is alleged, repeatedly, is that Marriott’s breach of its duties and obligations to its customers exposed their personal information to access by third-party hackers.
[19] The claims advanced by Mr. Winder come down to the same allegations that are made in Owsianik and Obodo. The material facts pled in Mr. Winder’s Claim that are said to constitute an intrusion or invasion of his privacy by Marriott are the same facts said to support the claim that Marriott was negligent, breached its contractual obligations to Mr. Winder, and failed to comply with its statutory obligations. In his Claim, Mr. Winder recasts the negligence, breach of contract and breach of statute claims as claims that Marriott “disclosed…or caused [the personal information] to be disclosed”. There are no material facts pled to support either assertion.
[20] There is no allegation that Marriott accumulated, stored or used the personal information provided by its customers for any purpose other than the purposes reasonably contemplated by the customers. What is alleged is that the manner in which Marriott stored the information did not comply with Marriott’s representations or its obligations, and that this allowed third-party hackers to gain access to the information for their purposes. As in Owsianik and Obodo, on the facts as pled, Marriott’s misconduct lies, not in any breach of the customers’ privacy rights, but in the failure to safeguard those privacy rights from intrusion by others.
[21] Counsel’s submission that Marriott became an intruder upon its customers’ privacy when it failed in its duty and obligations to protect the privacy of the customers’ personal information in its database ignores the rationale for the tort of intrusion upon seclusion. As explained in Jones v. Tsige, 2012 ONCA 32, 108 O.R. (3d) 241, at paras. 39-41, informational privacy is concerned primarily with individual autonomy. Persons are entitled to decide for themselves when, how, and to what extent personal information about them will be disclosed to others. Marriott’s customers agreed to disclose personal information to Marriott for purposes relating to the operations of Marriott’s facilities. There are no facts pled that Marriott used or disclosed the information for any other purpose. On the allegations in the pleading, the only interference with the customers’ ability to control access to, and use of their personal information occurred when unknown third-party hackers breached Marriott’s database. Until the hackers acted, there was no breach of the customers’ privacy rights and no intrusion.
[22] I agree with the conclusion reached by the motion judge.
V
conclusion
[23] The appeal is dismissed. If the parties cannot agree on costs of the appeal, they will exchange written submissions and provide those submissions to the court within 14 days of the release of these reasons.
Released: “November 25, 2022 DD”
“Doherty J.A.”
“I agree. M. Tulloch J.A.”
“I agree. B.W. Miller J.A.”