In August of 2013, California-based company Yahoo! Inc. weathered a data breach that affected an unprecedented three billion users worldwide. The lost or stolen information included these users’ names, email addresses, phone numbers, birthdays, scrambled passwords, and a mix of encrypted and unencrypted security questions and answers. It took Yahoo! three years to discover and disclose this breach to the public and its users.
In late 2014, Yahoo! suffered another such attack, this time compromising 500 million user accounts, making the hack second only to the 2013 Yahoo! hack in terms of the number of users affected. The fact of this hack was disclosed in September 2016.
One way in which the many users of online services may seek compensation for damages incurred as a result of data breaches is through privacy class action law suits. Such suits are growing in popularity in Canada; while none have, as of yet, been heard on their merits, more and more are being “authorized” to be heard by the courts.
Typical of motions to authorize class action suits are jurisdictional debates: do Canadian courts have jurisdiction to hear motions involving American corporations, some without any establishment in the given Canadian province?
One of such cases is Demers v. Yahoo! Inc. Demers, a resident of Québec and a Yahoo! user whose personal and financial privacy was affected by the breaches, asked the Superior Court of Québec for authorization to bring a class action on behalf of all Yahoo! users residing in Québec whose information had been similarly compromised in the 2013 and 2014 incidents.
Québec residents who use Yahoo! are required to agree to Yahoo!’s “terms of service” which stipulate that the relationship between the user and Yahoo! will be governed by the laws and courts of Ontario.
On September 19th 2017, the Superior Court of Québec rejected Yahoo!’s motion to dismiss Demers motion for authorization of class action based on the jurisdictional argument founded in these “terms of service”. The court found that the “terms of service” constitute a consumer contract, reversing a previous Québec decision that found that a consumer contract would not be found in situations where users do not pay for the service (as is the case with Yahoo! users). In justification of this reversal, the court said:
“ The counsel for the Applicant does not dispute the fact that there is no charge to the user for the services rendered by the Defendants. He adds however, that the latter receive an advantage from the “affluence” on their website. In other words, the more users Yahoo has the more income it is likely to receive from advertisers, etc. Therefore, each party draws an advantage from the contract they have entered into. The Defendants earn more advertising revenue the more users they have, while the users get an email address free of charge.”
This modern conception of fees on the consumer through online advertisement is in line with the 2017 Supreme Court opinion on the matter in Douez v. Facebook.
In Québec, the finding of a consumer contract means that art. 3149 of the Civil Code of Québec applies:
“Québec authorities also have jurisdiction to hear an action based on a consumer contract or a contract of employment if the consumer or worker has his domicile or residence in Québec; the waiver of such jurisdiction by the consumer or worker may not be set up against him.”
Article 22.1 of Québec’s Consumer Protection Act has a similar effect to the above C.C.Q. article. Québec courts have jurisdiction to hear motions to authorize class action suits against free, online, American services such as Yahoo! and Facebook.
The conclusion that Québec’s Consumer Protection Act is relevant and applicable to free, online, non-Québec-based services is important; among other things, the Act regulates advertising to children, unilateral changes to the consumer contract, and class action waivers.
Following this decision, increasingly common privacy class action suits based on data breaches will face one less road block on their path to compensation in Québec.
This blog post was written by a CCLA-PBSC RightsWatch student. Opinions expressed do not necessarily reflect the views of the CCLA or PBSC.