Court File and Parties
COURT FILE NO.: CV-15-523214-CP
DATE: 20170217
SUPERIOR COURT OF JUSTICE - ONTARIO
RE: Daniel Bennett, Plaintiff
AND: Lenovo (Canada) Inc. and Superfish Inc., Defendants
Proceeding under the Class Proceedings Act, 1994
BEFORE: Justice Edward P. Belobaba
COUNSEL: Jeff Galway and Kiran Patel for Lenovo / Moving Party
Adrienne Boudreau and Sabrina Callaway for Bennett / Responding Party
HEARD: February 10, 2017
Motion to strike pleadings
[1] The defendant Lenovo brings this motion under Rule 21.01(1)(b) to strike the plaintiff’s claim in its entirety. Lenovo says it is plain and obvious that none of the causes of action being advanced by the plaintiff can succeed.
[2] For the reasons that follow, the motion is granted in part and dismissed in part.
Background
[3] The plaintiff, Daniel Bennett, is a lawyer who lives in St. John’s, N.L. He recently purchased a Lenovo laptop computer on-line for personal and business use. After taking delivery, he discovered that the laptop had been pre-loaded with an adware program called Virtual Discovery (“VD”) that was supplied by the co-defendant, Superfish, a Palo Alto-based software company.
[4] According to the statement of claim, the VD adware program intercepts the user’s secure internet connections and scans the user’s web traffic to inject unauthorized advertisements into the user’s web browser without the user’s knowledge or consent. Even more disturbing, says the plaintiff, VD “allows hackers … to collect … bank credentials, passwords and other highly sensitive information” including “confidential personal and financial information.”
[5] In addition to the security issues, the plaintiff also discovered that VD affected the computer’s performance – by increasing power consumption, decreasing battery life, hogging bandwidth, wasting memory, losing data, causing certain web pages to load incorrectly, and generally impeding or slowing the laptop’s operations.
[6] The plaintiff has filed a proposed class action on behalf of “all persons in Canada” who purchased Lenovo laptops with this pre-installed VD adware program.
[7] The proposed class action initially advanced five causes of action: breach of contract, the implied condition of merchantability, the tort of intrusion upon seclusion, breach of provincial privacy laws and negligence. The negligence claim was withdrawn. Lenovo says it is plain and obvious and beyond doubt that none of the remaining four causes of action can succeed.
[8] For the reasons that follow, I am satisfied that three of the four causes of action can remain in place. It is not plain and obvious to me that the claims based on merchantability, intrusion upon seclusion and breach of provincial privacy laws are doomed to fail. However, the breach of contract claim (really breach of an implied term) is certain to fail and should be struck.
Four causes of action
[9] I will discuss each of the four causes of action in the order just noted. The applicable law is not in dispute. The material facts as pleaded must be deemed to be proven or true, the statement of claim must be read generously and the cause of action can only be struck if it is plain, obvious and beyond doubt that it has no chance of success and is certain to fail. [1]
(1) Implied condition of merchantability
[10] The plaintiff claims that because of the significant security risks and performance problems caused by the VD adware program, the affected laptops are not of merchantable quality.
[11] The legal context for this claim can be briefly stated. If new products are purchased under a consumer agreement, as appears to be the case here, the implied conditions of fitness for purpose and merchantability set out in ss. 15(1) and (2) of the Sale of Goods Act [2] cannot be contractually modified or waived. Sections 9(2) and (3) of the Consumer Protection Act [3] make clear that the implied sale of goods conditions are deemed to apply to the sale of goods under a consumer agreement and cannot be varied or waived.
[12] In the Lenovo sales agreement, Articles 5.1 and 5.2 provide a limited warranty for the hardware and a disclaimer of any and all warranties for the installed software. The latter disclaimer properly acknowledges, however, that under provincial or state consumer protection laws “these limitations may not apply.”
5.1 Lenovo hardware Products are warranted in accordance with the Lenovo Limited Warranty accompanying each Lenovo hardware Product ….
5.2 LENOVO MAKES NO WARRANTIES FOR SOFTWARE, SERVICE, SUPPORT OR THIRD PARTY PRODUCTS. SUCH SOFTWARE, SERVICE, SUPPORT AND PRODUCTS ARE PROVIDED “AS IS”, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND. SOME PROVINCES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS OF WARRANTIES, SO THESE LIMITATIONS MAY NOT APPLY TO CUSTOMER …
[13] Lenovo accepts that under ss. 9(2) and (3) of the Consumer Protection Act the plaintiff, in theory, is entitled to argue a breach of the implied condition of merchantability. However, says Lenovo, under the current state of Canadian law the implied merchantability claim has no chance of success - a product that has multiple uses such as the plaintiff’s computer (word processing, storing data, accessing the internet etc.) will still be “merchantable” if it can be reasonably used, even with the alleged defect, for at least one of the purposes, such as off-line word processing. [4]
[14] The plaintiff says that the various purposes listed by Lenovo are not multiple purposes but illustrations of the laptop’s over-riding single purpose: to engage in electronic communications that are expected to remain private.
[15] Fortunately, I do not have to resolve this debate on this motion. It is enough for me to find that it is not at all plain and obvious under Canadian law that a laptop that cannot be used on-line because of a hidden defect that has compromised the user’s privacy, and can only be used off-line for word processing, is nonetheless merchantable. As Professor Fridman notes, “If the test for unmerchantability [is] that the article is fit for no use, few goods would be unmerchantable because use can always be found for goods at a price.” [5] Further, it is not plain and obvious that a reasonable computer user today would ever agree to purchase and use an affected laptop, knowing about the security risks created by the VD adware program, without insisting on a substantial reduction in the purchase price.
[16] In short, in the context of computer technology the law is not settled. In my view, the implied condition of merchantability claim is an arguable claim that has some chance of success. It is not plain and obvious that this cause of action is certain to fail.
(2) Intrusion upon seclusion
[17] Nor is it plain and obvious that the intrusion upon seclusion claim has no chance of success.
[18] The plaintiff pleads that the VD program “compromises the security of sensitive personal, financial and otherwise confidential information that is commonly stored on computers and other electronic devices” by allowing hackers “to intercept a user’s internet connections … and collect their bank credentials, passwords and other highly sensitive information” including “confidential personal and financial information.”
[19] The plaintiff further pleads that the defendants “exposed the class members to significant risks, including the risk that their personal and financial information will be stolen and sold to third parties for commercial purposes.”
[20] Counsel for the plaintiff argues that the very act of implanting the software into the plaintiff’s laptop was an intrusion upon the plaintiff’s privacy. The software allowed private information to be sent to unknown servers without the plaintiff’s knowledge or consent. The fact that the installation created additional security vulnerabilities only increased the likelihood that further intrusions, such as third-party hackers, would occur. And further, adds counsel for the plaintiff, a reasonable person would find the secret installation of “unwanted malware” by the very entity that is selling the laptop to be highly offensive and distressful.
[21] In Jones v. Tsige [6], the Court of Appeal recognized a new tort called “intrusion upon seclusion”. The Court identified three elements of this privacy tort: (i) the defendant’s conduct must be intentional or reckless; (ii) the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and (iii) a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. [7] Proof of actual loss is not an element of this cause of action. [8]
[22] The first two elements, recklessness and unlawful invasion of privacy are pleaded. The third element, distress, is not pleaded explicitly but can reasonably be inferred from the content and tone of the pleading, including the claim for punitive damages. I also note that in Jones v Tsige, the Court of Appeal acknowledged that the third element (distress or suffering) is “generally presumed once the first [two] elements have been established.” [9]
[23] The intrusion upon seclusion tort is just evolving. Its scope and content have not yet been fully determined. I am therefore not persuaded that it is plain and obvious and beyond doubt that, on the facts as pleaded, this particular privacy claim has no chance of success and is doomed to fail.
(3) Provincial privacy laws
[24] Nor am I persuaded that it is plain and obvious and beyond doubt that the claims relating to the alleged breaches of provincial privacy laws [10] – in British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador – have no chance of success and are certain to fail.
[25] Each of the four provincial statutes declares in essence that the unlawful violation of another’s privacy is an actionable tort, without proof of loss.
[26] The plaintiff pleads that VD is “one of the most malicious and invasive forms of software” that has ever been installed and distributed by a computer manufacturer or retailer. That the “malware” was designed to invade the privacy of the class members, gather information without the user’s consent and exploit that information “for unknown, illicit purposes.”
[27] Lenovo argues that there is no pleading of any actual violation of anyone’s privacy, no allegation that any confidential information was actually hacked and appropriated, and therefore these statutory claims are certain to fail. I do not agree. This court has sensibly recognized an “increased concern in our society about the risk of unauthorized access to an individual’s personal information.” [11] The risk of unauthorized access to private information is itself a concern even without any actual removal or actual theft. For example, if a landlord installs a peephole allowing him to look into a tenant’s bathroom, the tenant would undoubtedly feel that her privacy had been invaded even if the peephole was not being used at any particular time. The same point can be made here.
[28] The scope and content of the provincial privacy laws in question is still evolving. In Jones v Tsige, the Court of Appeal noted that “no provincial legislation provides a precise definition of what constitutes an invasion of privacy.” [12] It is therefore not plain and obvious that the secret installation of a “malware” program “designed …to invade the privacy of and cause harm to the class members” is not actionable as a privacy violation under the four provincial statutes.
[29] I am not persuaded that the statutory privacy claims are certain to fail.
(4) Breach of contract
[30] This is the claim that, in my view, has no chance of success and should be struck.
[31] The plaintiff pleads the existence of an implied term in the sales agreement that the Lenovo laptops would be free of any defects and at the very least would not have pre-installed software that exposed class members to significant security risks. At first blush, this seems to be a reasonable expectation.
[32] But the case law is clear that a term will not be implied if it is inconsistent or otherwise conflicts with an express provision in the agreement. [13] Here, as already noted, the Lenovo sales agreement that was viewable on-line when the plaintiff purchased his laptop on the defendant’s website and “clicked” his acceptance, made clear in Article 5.2 that the installed software was being sold “without warranties or conditions of any kind.”
[33] The proposition that the parties, had they been asked at the time of sale, would have agreed that the software installed in the computer would be free of any defects is a proposition that is inconsistent and in conflict with what was stated explicitly and unambiguously by one of the parties, namely Lenovo, in Article 5.2 of the sales agreement.
[34] Does it matter if the sales agreement is a contract of adhesion and the consumer-purchaser had no say in the design and content of the one-sided contractual terms? Yes, of course it does. But the answer is found in the protections provided by the Consumer Protection Act (as discussed above at paras. 11 to 16) and not in a strained and unworkable analysis of the law of implied terms.
[35] I am satisfied that the ‘breach of implied contract’ cause of action has no reasonable prospect of success and is doomed to fail.
Disposition
[36] The breach of contract claim is struck without leave to amend. The other three claims – merchantability, intrusion upon seclusion and the violation of provincial privacy laws – remain in place.
[37] Order to go accordingly.
[38] No costs are awarded for the following reasons. Of the five causes of action that were initially pleaded, Lenovo has prevailed on two, breach of contract and negligence, [14] and the plaintiff on three, merchantability, intrusion upon seclusion and the violation of provincial privacy laws. The breach of contract and negligence claims taken together accounted for about half of the time spent on the written and oral submissions. The other three claims taken together also accounted for about half of the time spent on submissions. Success being equally divided, there will be no costs award.
Belobaba J. Date: February 17, 2017
[1] Morden and Perell, The Law of Civil Procedure in Ontario (2014) at 532.
[2] Sale of Goods Act, R.S.O. 1990, c S.1.
[3] Consumer Protection Act, 2002, S.O. 2002, c. 30, Sched. A.
[4] Canada Atlantic Grain Export Company Inc. v. Eilers (1929) 35 Com. Cas. 90 at 102. Also see the case law discussed in Fridman, Sale of Goods in Canada (6th ed.) at 181-85.
[5] Fridman, ibid., at 183.
[6] Jones v. Tsige, 2012 ONCA 32.
[7] Ibid., at para. 71.
[8] Ibid., at para. 74.
[9] Ibid., at para. 60.
[10] Privacy Act, R.S.B.C. 1996, c. 373; The Privacy Act, R.S.S. 1978, c P-24; The Privacy Act, C.C.S.M. c. P125; and Privacy Act, R.S.N.L. 1990, c. P-22.
[11] Somwar v McDonald’s Restaurants of Canada Ltd., [2006] O.J. No. 64 (S.C.J.) at para. 29.
[12] Supra, note 6, at para. 54.
[13] Arora v. Whirlpool Canada LP, 2012 ONSC 4642 at para. 182 referring to the decisions in G. Ford Homes Ltd. v. Draft Masonry (York) Co. (1983), 43 O.R. (2d) 401 (C.A.); Fort Frances (Town) v. Boise Cascade Can. Ltd.; Boise Cascade Can. Ltd. v. Ontario, [1983] 1 S.C.R. 171; Catre Industries Ltd. v. Alberta (1989), 1989 ABCA 243, 63 D.L.R. (4th) 74 (Alta. C.A.), leave to appeal to the S.C.C. refused, [1989] S.C.C.A. No. 447, 65 D.L.R. (4th) vii; M.J.B. Enterprises Ltd. v. Defence Construction (1951) Ltd., [1999] 1 S.C.R. 619.
[14] The plaintiff only withdrew the negligence claim in his responding factum.

