Malaphor: Digital Health Law in Canada

health + tech in law = mixing chalk + cheese

Class Actions for Misrepresentations of Privacy Practices

Since the reports of the large fines that have been issued under GDPR have started making the rounds in the last couple of years, I have seen an increase in concern about being compliant with privacy laws here in Canada. In particular, a couple of questions that I sometimes get asked are “What could happen if our company is not compliant with PIPEDA? Will the Privacy Commissioner come after us with huge fines?” It’s usually a surprise to the asker when I say that, relative to its European counterparts, the Privacy Commissioner has little power in privacy enforcement.

Privacy Enforcement by Class Action

I also tell the asker that this doesn’t mean you can disregard privacy. For one, users and customers do care whether companies respect their data. Even if this were not the case, a company’s privacy law troubles could come from elsewhere. While legislators are only now busy looking at giving the Privacy Commissioner more power in enforcing privacy laws, class action lawyers have been busy finding targets to sue. For an entertaining read, here is a case where two class action lawyers fight for carriage of the case against Equifax.

These class action cases have mainly been focused on the defendants’ actions (or lack of actions) in privacy breaches as the wrongful act. In these cases, the grounds for the plaintiffs’ claims have not relied so much on PIPEDA as on other grounds such as tort (“intrusion upon seclusion”). An interesting basis for the claims made in the Equifax case was that Equifax made “false, misleading or deceptive representations” in regard to their security practices in contravention of consumer protection laws.

Misrepresentations Are Wrong Too

If you think about it, companies are making more than representations about their security practices in their privacy policies. Could there be some basis for claims based on other aspects of the privacy policy or other representations regarding privacy? Also, this phrase – “false, misleading or deceptive representations” – or something similar to it pops up in many legal areas. Indeed, this idea of the misrepresentation of privacy practices as the wrong seems to be a new frontier for privacy enforcement.

A year ago today, the Commissioner of Competition (who has greater enforcement power) entered into a Consent Agreement with Facebook, which included a $9 million fine (plus $500,000 in costs). This Consent Agreement was based in part on the Commissioner’s conclusion that “Facebook’s privacy representations were false or misleading in a material respect, contrary to paragraph 74.01(1)(a) of the [Competition] Act.”

Although this was an enforcement action by a government body, I would expect lawsuits including allegations about privacy (mis)representations to become more prevalent in civil courts in Canada. In the US, there is already at least one such high-profile case: Google is currently facing a class action lawsuit (Complaint here) for the “Incognito Mode” feature of its Chrome browser. According to the report from Bloomberg, a judge, in allowing the case to move forward, found that even in Incognito Mode, Google continues to collect data from users and Google does not notify users of such collection.

I would be interested to see what happens if there is a parallel case in Canada.