Canada: Canadian Privacy Class Actions At The Crossroads

A. INTRODUCTION

Canadian privacy class actions are on the rise, emerging from a wealth of new technologies, novel business practices, and an ever-growing body of jurisprudence south of the border. As privacy class actions find their place in Canadian law, the question is no longer whether or when they will take hold but rather where they are going. This article canvasses the developing jurisprudence surrounding privacy class action litigation in Canada, including the circumstances in which privacy claims arise, issues around harm and damages, and the potential for ongoing influence from American precedents.

B. SOURCES OF PRIVACY CLASS ACTIONS

Privacy class actions largely fall into three categories: (1) claims that challenge a corporation's business practices, (2) claims that arise from accidental breaches, and (3) claims relating to intentional, targeted conduct. The legal and strategic considerations involved in each category of claims will likely differ. For example, the targeted hacking of a company's server can be costly to an organization's reputation and bottom line. However, such harm may not affect the organization's underlying business model. On the other hand, a challenge to an organization's business practices could affect the viability of the business as a whole.

Inadvertent or intentional conduct by employees may lead to claims of vicarious liability against their employers. Although these categories are discussed separately below, organizations that collect, use, or disclose sensitive customer information in the ordinary course should develop comprehensive privacy policies, practices, and infrastructure that aim to prevent and defend against both the risks associated with business practice challenges and mishap- and crime-based breaches.

C. CLASS ACTIONS CHALLENGING BUSINESS PRACTICES

Canadian privacy class actions challenging business models and practices relating to the handling of personal information have seen mixed results. Class action jurisprudence challenging corporate privacy practices is still limited: although courts are increasingly willing to find that privacy claims meet the low bar for certification, few proceedings to date have been decided on their merits.¹

Online services or products that actively encourage users to provide, use, and share personal information — notably social media companies — are particularly exposed to this type of claim. Litigants have claimed that a company's use or disclosure of personal information has exposed them to harms such as identity theft, harassment, embarrassment, and mental distress.² Legal claims have been brought on the basis of a reasonable expectation that businesses will protect customers' personal information, a company's alleged contravention of its own privacy policy, the alleged collection, use, or disclosure of personal information without consent, and assertions that a company diverted users' private data to third parties for profit. A selection of recent cases in these last two areas is discussed below.

1) Claims Based on Use or Disclosure of Personal Information without Consent

In 2011, Internet subscribers in Union des consommateurs c Bell Canada³ unsuccessfully proposed a class action in Quebec against Bell Canada in relation to Bell's alleged practice of bandwidth throttling (the slowing of Internet speeds for certain uses). The claim challenged the use of a technology called "deep packet inspection" to collect the content of data transmitted by subscribers using Bell's Internet service. The Quebec Superior Court found that deep packet inspection was used only for traffic management rather than to inspect the contents of the data and thereby declined to authorize the class action, which had been framed on privacy grounds.

More recently, in 2015, the British Columbia Court of Appeal reversed a lower court's decision to certify the class in Douez v Facebook, Inc.⁴ Douez had challenged Facebook's practice of promoting and earning revenue from "Sponsored Stories." The plaintiff claimed that Facebook had used the names and profile images of users in advertisements sent to the users' contacts without their knowledge or consent and contrary to British Columbia's privacy legislation. The terms of use for the social media site stated that any disputes must be settled in California whereas British Columbia privacy legislation provided that an action under the Privacy Act must be heard and determined by the courts of British Columbia. The motion judge dismissed Facebook's claim that the court lacked jurisdiction, stating that online terms of use for foreign-run social media services do not override the protections of British Columbia's Privacy Act.

The Court of Appeal, deciding the case on conflict of law principles rather than on privacy principles, disagreed with the motion judge, holding that the forum selection clause should be enforced. Relying on the principle of territoriality, the Court of Appeal held that British Columbia law applies only in British Columbia and does not affect the law of other jurisdictions subject to specific recognition by a foreign court or legislature,⁵ and there was no such recognition of British Columbia law in California in this case. Therefore, the court held that Douez was free to pursue her claim in California.

2) Claims Alleging Personal Information Diverted to Third Parties for Profit

In 2013, the Quebec Superior Court authorized a class action alleging that Apple Inc collected iPhone and iPad users' personal information and disclosed that information to third parties without customer consent.⁶ The court limited the class to affected residents of Quebec, given the petitioner's reliance on the Quebec Charter of Human Rights and Freedoms and Civil Code of Québec. The plaintiff did not seek damages for the breach of privacy itself and did not claim misuse of the collected personal information. However, the plaintiff alleged that the class members' devices were substantially devalued, both in sale value and available resources (such as battery life and data storage), by Apple's collection and disclosure of data to third parties without knowledge or consent. The case remains pending before the Superior Court.

In 2014, a class action was launched in the Ontario Superior Court alleging that Facebook illicitly intercepted and scanned users' private messages without their knowledge or consent for the purpose of tracking website links in the messages to inflate its web presence and attract advertising revenue (e.g., if a user shared a website link in a private message, this would be reflected as a "like" by the user on that website address).⁷ The proposed class action, which has not yet been certified, alleges that Facebook's Data Use Policy did not disclose that private messages would be used in this manner; rather, the policy stated that the private messages would be private. Facebook ceased the practice in October 2012 without public announcement. Nonetheless, the suit contends that the proposed class should include all Canadian-resident Facebook users who sent or received private messages containing website links up to the date on which the practice was discontinued.

As the largest social media network with over 1.44 billion monthly active users,⁸ it is not surprising that Facebook has been the target of multiple class actions in Canada and abroad. Following the trend of Canadian tagalong class actions seen in other areas of litigation, the Sponsored Stories challenge began as a class action in the United States. In 2013, the District Court for the Northern District of California approved a US$20 million settlement to be distributed among American class members, resulting in recovery of approximately US$15 per class member who filed a claim.⁹

In another recent example, a US class action was commenced against iPhone app developers (such as Path, Twitter, and Electronic Arts), alleging that they engaged in intrusion upon seclusion and violated privacy by uploading users' address books and calendar information to company servers without knowledge or consent. In a 2014 decision, the Ninth Circuit allowed the claim to proceed, stating that "the court does not believe that the surreptitious theft of personal contact information . . . has come to be qualified as 'routine commercial behavior.'"¹⁰ It would not be surprising to see a similar claim commenced in Canada, or other jurisdictions worldwide, especially given the gradual expansion of the tort of intrusion upon seclusion in Canadian common law.

To continue reading this article, please click here

Footnotes

^{1 See, for example, Albilia v Apple Inc, 2013 QCCS 2805.}

^{2 See, for example, Silvestri v Facebook, Inc, C10-00429 (ND Cal 2010).}

^{3 2011 QCCS 1118.}

^{4 2015 BCCA 279, rev'g 2014 BCSC 953.}

^{5 Ibid at para 73.}

^{6 Albilia v Apple Inc, 2013 QCCS 2805.}

^{7 Latham v Facebook (9 April 2014), Toronto CV-14-501879 (Ont SCJ).}

^{8 Facebook Inc, "Company Info" (31 March 2015), online: Facebook Newsroom http://newsroom.fb.com/company-info/.}

^{9 Fraley v Facebook Inc, 966 F Supp 2d 939 (ND Cal 2013).}

^{10 Opperman v Path, Inc, 2014 US Dist LEXIS 67225 (ND Cal).}

Previously published in The Canadian Class Action Review

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.