The Royal Bank of Canada’s head office at Royal Bank Plaza in Toronto’s Financial District. A former RBC employee was recently charged for allegedly accessing Prime Minister Mark Carney’s personal banking information.Fred Lum/The Globe and Mail
Carlin McGoogan is a lawyer who has been practising civil litigation and privacy law for the past 19 years with Du Vernet, Stewart in Mississauga.
The recent news that a former RBC employee has been charged for allegedly accessing Prime Minister Mark Carney’s personal banking information is disappointing and alarming.
But it’s not surprising. In fact, the basic reported facts of this intrusion into the Prime Minister’s personal banking affairs appear nearly identical to those that arose in a case in which I acted as counsel some 13 years ago, in 2012.
In that case, Jones v. Tsige, the Ontario Court of Appeal recognized the tort of intrusion upon seclusion for the first time. A bank employee – an employee of the Bank of Montreal – had used her workplace computer to access the personal banking information of her boyfriend’s ex-wife at least 174 times without authorization, and indeed contrary to bank policy. The information included transaction details as well as personal data, such as date of birth, marital status and address.
The Court of Appeal ruled in that case that the bank employee had to pay damages to the plaintiff. The court described the type of damages being awarded as “symbolic” or “moral,” and in doing so, underscored the importance of recognizing that the employee’s conduct was indeed wrongful. As the court eloquently put it: “we are presented in this case with facts that cry out for a remedy.” Damages needed to be sufficient to mark the wrong that had been done.
RBC employee accused of accessing Carney’s bank profile in alleged wider scheme
The case served as a warning to participants in the banking sector. It was a shot across the bow not only for employees who might be tempted to snoop on someone else’s banking information, but also for the banks themselves, who stand as custodians of some of our most personal data. While on one level, the rogue employee could be said to be the primary wrongdoer, on another level, the employee would not have been able to snoop as she did had the bank not furnished her with the means to do so.
The court recognized that the collection and aggregation of personal information in electronic form presented a new type of problem, and its decision served as a message to Canadian banks that new measures would be required to address it.
Since 2012, this message to banks and other custodians of personal information has been re-emphasized by other Ontario courts, including in another case in which I acted as counsel, Grossman v. Nissan. In that case, the Ontario Superior Court of Justice certified a class action against Nissan Canada Inc. after a rogue employee abused their authorized access to Nissan’s computer system, stole a customer database, and tried to extort money from Nissan Canada. The claim was based on the legal doctrine of “vicarious liability,” in which an employer may be held liable for wrongdoing committed by their employee where they have furnished the employee with the means to commit the wrongdoing.
By certifying the claim, the court acknowledged that it had at least some chance of success, thus delivering another message to companies that they needed to ensure that their employees were prevented from invading customer privacy.
In view of the repeated warning bells sounded by the court, it is disappointing to read that, in 2025, our Prime Minister has now fallen victim to an invasion of his privacy allegedly committed by yet another rogue employee.
It is not as if there is no way for banks to prevent this from occurring. For instance, they could implement a requirement that the customer or bank manager specifically approve a bank employee’s access. Indeed, similar systems requiring customer or managerial approval are already in place in other areas of the bank, such as sending an e-transfer or initiating a large and unusual purchase on a credit card. Certainly, there has been sufficient lead time since 2012 for all banks to have implemented systems to prevent such intrusions by now.
The case of Mr. Carney serves to underscore precisely what is at stake. Although the RCMP has stated that they believe this intrusion posed no risk to national security or to Mr. Carney’s safety, it is not difficult to imagine the risks that could arise in both areas. If effective safeguards are not implemented, the Prime Minister could face extortion, identity theft or fraud – threats that pose national security risks.
If our banking sector is to remain strong, it must maintain consumer confidence. Protecting customer privacy – and being seen to do so – are both crucial aspects of that. In 2025, it is time for Canadian banks to take privacy seriously and put an end to these intrusions once and for all.