In modern commerce, it is quite common for manufacturers and service providers to pre-install software on a consumer’s computer and mobile devices, all with a view to tailoring the efficient delivery of services to the consumer. Given the expanding use of embedded software in Internet-connected consumer products - the so-called Internet of Things (IoT) – manufacturers are now installing software on a broader range of household devices, extending from televisions to refrigerators to automobiles.
There are a number of existing privacy and other laws that regulate the collection and use of personal information for commercial purposes in Canada. In addition, there is now federal legislation in Canada that specifically regulates the installation of computer programs on specific devices. More specifically, since January 15, 2015, Canada’s anti-spam law (CASL) has prohibited the installation of a computer program on another person's computing device, in the absence of express consent from the owner of the device. However, to date, there has been relatively little civil litigation that tests the scope and meaning of these provisions. While Parliament adopted a private right of action for damages for breaches of this regime under CASL, the federal government directed that this right of action will not come into effect until July 2017.
A recent Ontario class action decision, however, suggests that private plaintiffs may have latitude to pursue claims in respect of the installation of computer devices and other security vulnerabilities before the private right of action comes into effect in July 2017. In short, in its decision in Bennett v. Lenovo, the Ontario Superior Court declined to strike a plaintiff’s claims in tort and under consumer protection legislation in a significant class action relating to the alleged installation of software/adware on a computer.
As a result, the Court’s decision may create an opening for future class actions that assert claims for security vulnerabilities or other privacy issues associated with pre-installed software on consumer devices -- even when the risk may not materialize into an actual privacy breach, let alone material financial or other harm.
The plaintiff in Bennett v. Lenovo had brought a proposed privacy class action against a Lenovo (a well-known computer manufacturer) on behalf of Canadian purchasers of certain Lenovo laptops. In short, the plaintiff allegedly discovered that an adware program had been pre-loaded on his new laptop. The plaintiff further alleged that the adware intercepted and monitored web traffic to inject advertisements into the web browser without consent. He also alleged that the adware affected the computer’s performance.
Lenovo questioned whether the plaintiff had brought a viable claim in respect of the installation of adware on a computer. Accordingly, Lenovo brought a motion to strike the claim prior to certification and succeeded in striking out a claim based on a breach of an implied contractual term. However, in its decision, the Ontario Superior Court declined to strike out the remaining three claims, which were based on an alleged breach of the implied conditions of merchantability and fitness for purpose under consumer protection legislation, the tort of intrusion upon seclusion, and statutory causes of action under privacy legislation in British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador. (The plaintiff also dropped a negligence claim before the motion was decided.)
In reaching his decision, Justice Belobaba of the Ontario Superior Court made two significant findings that may impact future privacy class actions: first, he found that a software defect creating a security vulnerability could arguably breach the implied conditions of fitness for purpose and merchantability, even if the product is otherwise useable, and second, he found that the creation of a privacy risk was potentially sufficient to establish liability under privacy statutes – an actual violation of privacy was not necessarily required.
The first point concerned the conditions of fitness for purpose and merchantability set out in the Ontario Sale of Goods Act. Under the Ontario Consumer Protection Act, these conditions are deemed to apply to the sale of goods under a consumer agreement and cannot be varied or waived. The plaintiff alleged that the security and performance issues created by the pre-installed adware breached these implied conditions.
Lenovo accepted that the plaintiff could argue a breach of the implied conditions but argued that if a product has multiple uses, it is still “merchantable” if it can be reasonably used, even with the alleged defect, for at least one of the purposes.
Justice Belobaba rejected this argument, and held that “it is not at all plain and obvious under Canadian law that a laptop that cannot be used on-line because of a hidden defect that has compromised the user’s privacy, and can only be used off-line for word processing, is nonetheless merchantable.” Justice Belobaba emphasized that the law governing these implied conditions was not settled in the context of the computer technology.
The second significant point arose from Lenovo’s argument that the claims under privacy legislation should be struck out because plaintiff had failed to allege an actual violation of privacy or confidentiality as a result of the adware.
Justice Belobaba rejected this argument. In particular, he observed: “The risk of unauthorized access to private information is itself a concern even without any actual removal or actual theft.” The court was therefore not willing to strike out, at the early stage of the litigation, claims made under privacy legislation based on alleged “malware… designed …to invade the privacy of and cause harm to the class members”.
Justice Belobaba’s decision in Bennett v. Lenovo establishes that the Ontario courts are prepared to treat computers or other devices containing pre-installed or embedded software as “products” subject to warranties of quality under consumer protection and sale of goods legislation, regardless of language in license agreements or service terms excluding such warranties.
As a result, although the Court decided only that the plaintiff’s allegations could proceed beyond the pleadings stage, the Court’s ruling arguably makes it easier to pursue a class action based on alleged security vulnerabilities or privacy risks in pre-installed or embedded software in devices sold to Canadian consumers, regardless of whether those vulnerabilities are ever exploited.
Finally, it is noteworthy that the court was prepared to allow a privacy claim based on pre-installed software alleged to be malware. As a result, the Court’s decision may provide an avenue for pursuing claims based on pre-installed or embedded software before the private right of action under CASL comes into force.