The recent decision of the Ontario Superior Court of Justice in Bennett v Lenovo, 2017 ONSC 1082 is an important step in the development of privacy class actions in Canada. In Lenovo, the Court refused to strike the majority of causes of action pleaded by the Plaintiffs, permitting this ground-breaking proceeding to continue.
The plaintiff, Daniel Bennett, is a lawyer who lives in St. John’s, N.L. Bennett purchased a Lenovo laptop computer. After taking delivery, he discovered that the laptop had been pre-loaded with an adware program called Virtual Discovery (“VD”) that was supplied by the co-defendant, Superfish, a Palo Alto-based software company. According to the statement of claim, the VD adware program intercepts the user’s secure internet connections and scans the user’s web traffic to inject unauthorized advertisements into the user’s web browser without the user’s knowledge or consent. The Plaintiff also claimed that VD software allows hackers to collect bank credentials, passwords and other highly sensitive information.
Causes of Action
Initially, the Plaintiffs pleaded five causes of action: breach of contract, the implied condition of merchantability, the tort of intrusion upon seclusion, breach of provincial privacy laws and negligence. The negligence claim was withdrawn. Lenovo then moved to strike the four remaining causes of action.
The Court refused to strike three of the remaining four causes of action:
1) Implied condition of warranty claim. Lenovo argued that under the current state of Canadian law, the statutory implied merchantability claim had no chance of success – a product that has multiple uses such as the plaintiff’s computer (including, word processing, storing data, accessing the internet) will still be “merchantable” if it can be reasonably used, even with the alleged defect, for at least one of the purposes, such as off-line word processing. The Court held that the law of merchantability, in the context of computer technology, was not yet settled. Implied condition of merchantability claim was an arguable claim with some chance of success. The Court refused to strike this claim;
2) Intrusion upon seclusion claim. The Plaintiff asserted this tort, first enunciated by the Court of Appeal in Jones v. Tsige, 2012 ONCA 32. The Defendants moved to strike this claim on the basis that one of the elements of this common law tort, distress or suffering, was not expressly pleaded. The Court noted that the Court of Appeal, in Jones, acknowledged that the distress element is “generally presumed once the first two elements have been established.” The Court held that this is an involving tort. Its scope and content have not yet been fully determined. The Court refused to strike this claim;
3) Provincial privacy laws. The Plaintiff relied on the privacy legislation in British Columbia, Saskatchewan, Manitoba and Newfoundland, which states that the unlawful violation of another’s privacy is an actionable tort, without proof of loss. Lenovo argued that there is no pleading of any actual violation of anyone’s privacy, no allegation that any confidential information was actually hacked and appropriated, and therefore these statutory claims are certain to fail. The Court disagreed, holding that the scope of content of the statutory torts in question was evolving. The Court noted that the torts may be concerned with risk of unauthorized access to the information, not only removal or actual theft of such information. The Court refused to strike this claim;
4) Breach of contract. The Plaintiff pleaded the existence of an implied contractual term in the sales agreement that the Lenovo laptops would be free of any defects and that they would not have pre-installed software that exposed class members to significant security risks. However, the Lenovo sales agreement stated that the software was being sold “without warranties or conditions of any kind.” The Court held that an implied term cannot be inconsistent or otherwise conflict with an express provision in the agreement. The Court struck this claim without leave to amend.
Implications for the Future
Privacy causes of action, as well as their application in the class action context, are evolving areas of Canadian law. As the Court noted at several points in Lenovo, the scope of these causes of action is not settled and will need to be elaborated upon in future decisions. Nevertheless, it is clear that consumers have remedies, in the class action context, that may be asserted against manufacturers whose products present undisclosed risks to consumer privacy. The decision represents a small but necessary step toward the development of a robust consumer privacy protection jurisprudence in Canada.