The “Flo” of Information: Users Sue Over Leaked Health Data

By: Shivani Jackson, JD Candidate, Lincoln Alexander School of Law
August 06, 2025

I. Pulse Check: Here’s What’s Happening

Two Canadian class action lawsuit applications, one in Quebec and one in British Columbia (Flo lawsuits), have been launched against Flo Health Inc. (Flo), the company that developed the Flo Health & Period Tracker digital application (App). First launched in Canada in 2016, the App provides both a free and paid version. The App collects users’ sensitive personal health information such as duration of menstrual cycles, frequency of sexual activity and bodily functions to keep track of reproductive health and support conception. When users download the App they must consent to Flo’s Privacy Policy, a standard form agreement that changed 13 times during the duration of the Flo lawsuits, yet continued to assure users their health data would not be shared with third parties.

On February 22nd, 2019, the Wall Street Journal published an article that claimed Flo had been sharing users’ health data with companies such as Facebook. The day after the article was published, Flo updated their Privacy Policy to state that aggregated information may be shared with third parties, but assured users their data would not be identifiable. The Wall Street Journal article sparked outrage amongst American and Canadian users of the App, prompting the Flo lawsuits in Canada.

Both Canadian class action applications have been certified. This means legal counsel for the plaintiffs – the App users who are suing – were able to prove there is a group of people with similar enough claims that would benefit from proceeding as a class action against the defendant, Flo. While the Flo lawsuits share the common purpose of seeking compensation through the courts for the unauthorized use of health data by Flo, they are pursuing different legal approaches. 

On November 30th, 2022, the Superior Court of Quebec authorized a class action application (Quebec lawsuit) to proceed on behalf of anyone living in Quebec who used the App between June 1st, 2016 and February 23rd, 2019. The Quebec lawsuit will be based on Flo’s failure to uphold their contractual obligations set out in the terms of the Privacy Policy, by allegedly sharing health data without consent, as well as violating the Quebec Charter of Rights and Freedoms (Quebec Charter), the Quebec Consumer Protection Act and the federal Competition Act.

As of March 7th, 2024, the Superior Court of British Columbia certified a class action lawsuit (BC lawsuit) against Flo to proceed on behalf of all Canadian residents, except for those residing in Quebec, who used the App between June 1st, 2016 and February 23rd, 2019. The BC lawsuit is based on tort law, specifically, the tort of intrusion upon seclusion, which protects individuals from the intentional invasion of their private affairs, the tort of breach of confidence, which protects individuals from the unauthorized use of their confidential information, and violations of applicable provincial/territorial privacy legislation.

II. The State of Privacy Law in Canada

The Flo lawsuits will test Canadian privacy laws in a digital age where millions of people input their personal information into virtual platforms with minimal regulation. While privacy is not explicitly protected in the Canadian Charter of Rights and Freedoms (Canadian Charter), it may be regarded as a quasi-constitutional right that is indirectly protected via some Charter provisions. In particular, section 8 protects informational privacy by prohibiting unreasonable search and seizure, while section 7 safeguards life, liberty and security of the person and has been interpreted by Canadian courts to include certain privacy interests such as bodily autonomy. Further, privacy has been interpreted as having quasi-constitutional status because of the importance of moral autonomy over sensitive digital data and the potential harm of cyber privacy invasions.

Privacy protections vary across provinces and territories, with Quebec having more stringent privacy laws. In particular, the Quebec Civil Code and the Quebec Act Respecting the Protection of Information in the Private Sector provide a legal framework for privacy protection. Additionally, the Quebec Charter explicitly safeguards privacy under section 5 (“respect for his private life”), which protects an individual’s autonomy over decisions regarding when and how their personal information is disclosed.

III. Why Suing Flo is Not So Simple

Despite the Flo lawsuits being certified to proceed as class actions, the plaintiffs face several legal hurdles in pursuing their case.

A. Ownership of Data

The first challenge is the ongoing academic debate on whether data should be considered a novel form of property in the digital age. If the plaintiffs can establish ownership rights over their data, they will be in a stronger position to claim a privacy breach. However, the intangible nature of data has complicated the discussion because data challenges the typical concepts used to define property ownership, such as exclusion and possession. 

In the BC lawsuit, Justice Blake cited the plaintiff’s lack of possession and exclusive control over their health data as reasons why the tort of conversion – the wrongful interference with an individual’s personal property – cannot be established as a cause of action, meaning a valid reason to sue. This decision illustrates the importance of determining whether data should be considered property and whether individuals can retain property ownership rights over their data input into virtual apps.

B. Jurisdictional Differences 

The second obstacle the plaintiffs face is differences in privacy protection laws between the provinces and territories. For example, the tort of intrusion upon seclusion – the intentional or reckless invasion of a person’s private affairs that is highly offensive and has caused distress, humiliation or anguish – has had varying treatment by courts across the country. The tort has been recognized by courts in Ontario, New Brunswick, Nova Scotia, Manitoba, as well as Newfoundland and Labrador, while remaining unsettled in British Columbia. The tort has not been considered by courts in Saskatchewan, Prince Edward Island or the territories and was rejected by the Court of King’s Bench of Alberta in D(SJ) v P(RD), 2023 ABKB 84.

The differences in treatment of the tort of intrusion upon seclusion, which could potentially protect health app users against data invasions, illustrate the varying attitudes towards privacy between the provinces and territories of Canada. While the federal Personal Information Protection and Electronic Documents Act (PIPEDA) sets a national standard and will be the main piece of legislation used in the Flo lawsuits, the BC lawsuit will engage with differing privacy legislation in the provinces and territories that offer varying levels of privacy protection. For instance, Alberta and British Columbia have private-sector privacy legislation that is similar to PIPEDA.

C. Harm/Distress Requirement

A third challenge the plaintiffs face is that legal causes of action often require the plaintiffs to prove they have been harmed or experienced distress as a result of the alleged data breaches. This limits the legal causes of action the plaintiffs are able to pursue because it is difficult to quantify and prove that the plaintiffs suffered harm or distress as a result of the alleged privacy breaches. The plaintiffs in the BC lawsuit attempted to add negligence, unjust enrichment, breach of the Competition Act and conversion as causes of action, but Blake J struck out each because they found the plaintiffs had not suffered a sufficient amount of harm or distress as a result of the alleged privacy breaches.

Notably, the Quebec lawsuit approved breach of the Competition Act as a valid cause of action, further reflecting the differences in legal attitudes towards privacy protection across the country. Overall, the requirement of harm/distress in privacy violations highlights the gaps in Canadian privacy laws to address digital data breaches that are unique because of the lack of specific quantifiable harm or distress.

IV. What These Cases Mean for Your Health Data

Neither lawsuit has set a date for trial, but when they do, Canadian privacy law will be challenged. Preliminarily, the Flo lawsuits indicate that Canadian privacy law does not yet offer comprehensive protection for health data collected in apps. 

While national legislation such as PIPEDA provides a baseline standard, it does not cover all areas of privacy issues because the federal and provincial/territorial governments share responsibility for privacy. The federal government primarily regulates privacy in the public and private sectors; however, provinces/territories may create additional private sector privacy laws, leading to a patchwork of inconsistent legal protection. Without strong legal protection, Canadians are susceptible to having their health data breached, and companies may continue sharing sensitive health data without repercussions.

It should be noted that even if the plaintiffs can make their case, they may be limited by an exclusion of liability clause in Flo’s Privacy Policy, as the defendant asserted the plaintiffs were contractually precluded from damages. Although an exclusion of liability clause is not a bar to initiating a class action lawsuit, the issue will be raised at trial and may impact the quantum of damages class members are entitled to.

V. Before you Download: Vetting Health Apps

The Flo lawsuits have turned a spotlight on privacy and data collection concerns regarding reproductive health apps. Unfortunately, high-profile cases such as the Flo lawsuits have the potential to create mistrust and fear of reproductive health apps, which can be useful for people with ovaries to identify possible health and fertility issues. To keep your health data private, here are some factors to consider when choosing an app:

  1. Read privacy agreements
    It is always a good idea to read the privacy agreement when signing up for an app, and specifically take note of policies on data protection and sharing. 
  2. Local storage
    Look for reproductive health apps that save your health data on your phone rather than on the web to minimize the risk of your data being breached. 
  3. Opt out of data sharing
    Some apps may ask permission to share your information. You can usually adjust your preferences within the app’s settings. 
  4. Research and read reviews
    Just because an app is well-known does not necessarily mean it will keep your data safe. Look for reviews by reputable sources to learn more about the app’s privacy policies to ensure they are as concerned about protecting your health data as they claim to be.