Privacy Laws and Internet Mailing Lists
John D. Gregory
General Counsel, Ministry of the Attorney General, Ontario
Chair, Uniform Law Conference of Canada working group on
electronic commerce
The protection of privacy is one of the great challenges of the Internet at present. A lot
of information floats around cyberspace, and a lot of people are creating ways to find it,
to "mine" it, and to use it for commercial purposes. "Protect yourself," say some.
"There ought to be a law," say others(1).
In Quebec, there is a law. The Act respecting the protection of personal information in
the private sector(2) came into force in 1994. It compels all holders of personal
information in Quebec to respect the principles set out in the Act, largely derived from
the OECD Guidelines on the subject. These Guidelines have also influenced the
Canadian Standards Association Privacy Code adopted in 1996.(3)
The Quebec Act defines "personal information" as any information which relates to a
natural person and allows that person to be identified(4). The scope and purpose of this
provision recently came under scrutiny, though not judicial consideration, in the context
of an Internet mailing list.
Mailing lists allow people who subscribe to the list to send messages to a central
address, which then distributes the messages by e-mail to all the subscribers. Several
software packages allow people (the list "owners") to run such lists. The main ones
include "listserv", "listproc" and "majordomo". They all share common features, one of
which is that any member of the list can send a command (usually "WHO") to the central
address and be sent in return the e-mail addresses of all the subscribers to the list.
The operation of this command was challenged by a member of a list run from a server
in Montreal.(5) The member suggested that the Act on private sector privacy prohibited
the owner of the list from releasing these addresses because they were personal
information of the subscribers and the subscribers had not consented to this use of their
personal information.(6)
This suggestion launched a vigorous debate among members of the list, including the
list owner. The owner denied that the addresses were personal information at all. They
told little if anything about the people behind them; some were just numbers, such as
12345.6789@compuserve.com. If the Act extended to such information, then it was
poorly drafted and led to such absurd results that it called its legitimate ends into doubt.
In the alternative, such a broad reading would lead to the creation of many exceptions
for practical reasons. This was not sound legislative policy. Rather the scope of the Act
should be properly defined; then the exceptions should be few.
(There seemed no doubt in anyone's mind that using the list of addresses for
commercial solicitation would be improper in principle and contrary to the law, as the
names had not been assembled for that purpose.)
In the early stages of the debate one member suggested that Quebec law should not
apply in any event, since the list existed in cyberspace, beyond frontiers. (About 20% of
its members are outside Quebec.) At least the principles commonly accepted on the
Internet, including the availability of mailing list members' addresses, should govern.
Since the server was located in Quebec, however, the technical applicability of the law
was not debated for long. The debate turned quickly to principles.
A mailing list, argued the owner, was a public forum. Just as someone listening to or
participating in a debate in a public room may expect to be recognized, so should a
subscriber to a Net forum expect to be identified, at least by e-mail address. (It was
admitted that in special cases the privacy interest might prevail, such as a list for
survivors of abuse.) Besides, it was unfair to expect people to speak without being able
to know to whom they were speaking.
Not at all, came the replies. While one may be recognized in a public place, one was
not compelled to identify oneself. Recognition was left to chance. One could go to the
theatre and listen without revealing one's name. On the Net, the list owner necessarily
collected all the addresses, but releasing them to any member was like compulsory
identification.
Where is the legal right to know whom one is speaking to, asked the privacy advocates.
The law against disclosure was a clear statute. What law could be opposed to it?
Vague principles could not override the Act.
No rule of law was necessary, replied the owner. Knowing whom one is speaking to is a
natural rule of social dealings. One does not need a statute to give one the right to see
who is in a public place. One had to see cyberspace as another kind of public forum,
where the principles of such a forum would apply. Dictating to such a forum from the
base of a law not conceived with the Net in mind was improper.
Besides, participants expected the list to be available; its availability was a common
feature of all the major software. And the Civil Code of Quebec allowed commonly
accepted trade practices to supplement the interpretation of the Code. Some privacy
codes considered whether the individuals have a reasonable expectation of privacy in
the context in question(7), though this criterion does not seem to be part of the Quebec
statute.
Other members stated that having the list available was no different from being in the
phone book. But there one had the option to get an unlisted number and stay out.
Some list software allowed people to join anonymously, at least with the consent of the
owner. In response, it was said that subscribers would feel the presence of anonymous
members as spies. This was a step beyond just "lurking" in silence, which was perfectly
acceptable. No one should be forced to speak, but no one should be able to spy either,
without good reason.
Privacy, from this point of view, was not the supreme value; it was one value to be
balanced against others. The Act might be too one-sided in its promotion of privacy
above all else.
No one judged this debate, so no one won or lost. The debate does provide an example
of how local laws can apply in unforeseen ways to the Internet, and how expectations
among users of the Net might influence the interpretation of local laws.
As a technical matter, some mailing list software allows the "WHO" command to be
turned off; the software for this particular list did not. Some list software allows people
to join anonymously as well. The statutory requirement, at least in one interpretation,
may require list owners to choose one software over another because of its greater
ability to protect privacy.
The privacy debate continues, off that list.
[November 1997(8)]
1. The Information and Privacy Commission of Ontario advocates both legal and
personal steps to protect privacy. Some of its advice on how to protect privacy appears
in its June 1997 brochure, Identity Theft: Who's Using Your Name?.
2. S.Q. 1993 c. 27. This Act does not apply to public bodies, which are already subject
to similar rules in R.S.Q. c. A-2.1.
3. The Uniform Law Conference of Canada is preparing legislation for Canadian
governments that want to legislate private sector standards. The OECD guidelines
appear as an appendix to the Conference's 1996 text. Later reports are on the
Conference's web site.
4. Section 2 of Quebec's Act.
5. The list is called Obiter. It deals with legal issues of interest to francophones,
particularly in information technology law. It runs out of the Centre de recherche en
droit public at the Université de Montréal. Some people argued that the connection with
the university made the law on public bodies applicable. The "list owner" is the Director
of the Centre, Professor Pierre Trudel.
6. Section 13 of the Act prohibits communicating personal information to third persons
without the consent of the persons concerned.
7. For a narrow example see Ontario's Freedom of Information and Protection of
Privacy Act R.S.O 1990 c.F.31, section 43. This Act applies only to government
institutions.
8. Since that time, the federal government has introduced Bill C-54, the Personal
Information Protection and Electronic Documents Act. Part 1 aims to protect privacy in
the private sector, first in federally regulated fields and ultimately in all commercial
collection, use and disclosure of personal information. It is very hard to say how the bill
would affect the issues discussed in this article. Is the field one of federal jurisdiction?
Is it commercial? What are the expectations of the parties?
|