Privacy Laws and Internet Mailing Lists

John D. Gregory

General Counsel, Ministry of the Attorney General, Ontario

Chair, Uniform Law Conference of Canada working group on

electronic commerce

The protection of privacy is one of the great challenges of the Internet at present. A lot of information floats around cyberspace, and a lot of people are creating ways to find it, to "mine" it, and to use it for commercial purposes. "Protect yourself," say some. "There ought to be a law," say others(1).

In Quebec, there is a law. The Act respecting the protection of personal information in the private sector(2) came into force in 1994. It compels all holders of personal information in Quebec to respect the principles set out in the Act, largely derived from the OECD Guidelines on the subject. These Guidelines have also influenced the Canadian Standards Association Privacy Code adopted in 1996.(3)

The Quebec Act defines "personal information" as any information which relates to a natural person and allows that person to be identified(4). The scope and purpose of this provision recently came under scrutiny, though not judicial consideration, in the context of an Internet mailing list.

Mailing lists allow people who subscribe to the list to send messages to a central address, which then distributes the messages by e-mail to all the subscribers. Several software packages allow people (the list "owners") to run such lists. The main ones include "listserv", "listproc" and "majordomo". They all share common features, one of which is that any member of the list can send a command (usually "WHO") to the central address and be sent in return the e-mail addresses of all the subscribers to the list.

The operation of this command was challenged by a member of a list run from a server in Montreal.(5) The member suggested that the Act on private sector privacy prohibited the owner of the list from releasing these addresses because they were personal information of the subscribers and the subscribers had not consented to this use of their personal information.(6)

This suggestion launched a vigorous debate among members of the list, including the list owner. The owner denied that the addresses were personal information at all. They told little if anything about the people behind them; some were just numbers, such as If the Act extended to such information, then it was poorly drafted and led to such absurd results that it called its legitimate ends into doubt.

In the alternative, such a broad reading would lead to the creation of many exceptions for practical reasons. This was not sound legislative policy. Rather the scope of the Act should be properly defined; then the exceptions should be few.

(There seemed no doubt in anyone's mind that using the list of addresses for commercial solicitation would be improper in principle and contrary to the law, as the names had not been assembled for that purpose.)

In the early stages of the debate one member suggested that Quebec law should not apply in any event, since the list existed in cyberspace, beyond frontiers. (About 20% of its members are outside Quebec.) At least the principles commonly accepted on the Internet, including the availability of mailing list members' addresses, should govern. Since the server was located in Quebec, however, the technical applicability of the law was not debated for long. The debate turned quickly to principles.

A mailing list, argued the owner, was a public forum. Just as someone listening to or participating in a debate in a public room may expect to be recognized, so should a subscriber to a Net forum expect to be identified, at least by e-mail address. (It was admitted that in special cases the privacy interest might prevail, such as a list for survivors of abuse.) Besides, it was unfair to expect people to speak without being able to know to whom they were speaking.

Not at all, came the replies. While one may be recognized in a public place, one was not compelled to identify oneself. Recognition was left to chance. One could go to the theatre and listen without revealing one's name. On the Net, the list owner necessarily collected all the addresses, but releasing them to any member was like compulsory identification.

Where is the legal right to know whom one is speaking to, asked the privacy advocates. The law against disclosure was a clear statute. What law could be opposed to it? Vague principles could not override the Act.

No rule of law was necessary, replied the owner. Knowing whom one is speaking to is a natural rule of social dealings. One does not need a statute to give one the right to see who is in a public place. One had to see cyberspace as another kind of public forum, where the principles of such a forum would apply. Dictating to such a forum from the base of a law not conceived with the Net in mind was improper.

Besides, participants expected the list to be available; its availability was a common feature of all the major software. And the Civil Code of Quebec allowed commonly accepted trade practices to supplement the interpretation of the Code. Some privacy codes considered whether the individuals have a reasonable expectation of privacy in the context in question(7), though this criterion does not seem to be part of the Quebec statute.

Other members stated that having the list available was no different from being in the phone book. But there one had the option to get an unlisted number and stay out. Some list software allowed people to join anonymously, at least with the consent of the owner. In response, it was said that subscribers would feel the presence of anonymous members as spies. This was a step beyond just "lurking" in silence, which was perfectly acceptable. No one should be forced to speak, but no one should be able to spy either, without good reason.

Privacy, from this point of view, was not the supreme value; it was one value to be balanced against others. The Act might be too one-sided in its promotion of privacy above all else.

No one judged this debate, so no one won or lost. The debate does provide an example of how local laws can apply in unforeseen ways to the Internet, and how expectations among users of the Net might influence the interpretation of local laws.

As a technical matter, some mailing list software allows the "WHO" command to be turned off; the software for this particular list did not. Some list software allows people to join anonymously as well. The statutory requirement, at least in one interpretation, may require list owners to choose one software over another because of its greater ability to protect privacy.

The privacy debate continues, off that list.

[November 1997(8)]

1. The Information and Privacy Commission of Ontario advocates both legal and personal steps to protect privacy. Some of its advice on how to protect privacy appears in its June 1997 brochure, Identity Theft: Who's Using Your Name?.

2. S.Q. 1993 c. 27. This Act does not apply to public bodies, which are already subject to similar rules in R.S.Q. c. A-2.1.

3. The Uniform Law Conference of Canada is preparing legislation for Canadian governments that want to legislate private sector standards. The OECD guidelines appear as an appendix to the Conference's 1996 text. Later reports are on the Conference's web site.

4. Section 2 of Quebec's Act.

5. The list is called Obiter. It deals with legal issues of interest to francophones, particularly in information technology law. It runs out of the Centre de recherche en droit public at the Université de Montréal. Some people argued that the connection with the university made the law on public bodies applicable. The "list owner" is the Director of the Centre, Professor Pierre Trudel.

6. Section 13 of the Act prohibits communicating personal information to third persons without the consent of the persons concerned.

7. For a narrow example see Ontario's Freedom of Information and Protection of Privacy Act R.S.O 1990 c.F.31, section 43. This Act applies only to government institutions.

8. Since that time, the federal government has introduced Bill C-54, the Personal Information Protection and Electronic Documents Act. Part 1 aims to protect privacy in the private sector, first in federally regulated fields and ultimately in all commercial collection, use and disclosure of personal information. It is very hard to say how the bill would affect the issues discussed in this article. Is the field one of federal jurisdiction? Is it commercial? What are the expectations of the parties?