In this modern age of cyberspace, communication by email is increasing rapidly. People nowadays prefer to communicate with others by email, whether for business or for any other purpose, because it is a simple and easy method of communication. The use of letters is decreasing as internet connections spread worldwide. But with this, the problems are also increasing. People who communicate through emails know little about how they travel and what privacy they would get in that communication. Emails are the most vulnerable form of communication, and the privacy they offer is far lower than in other forms of communication. The right to privacy in Internet activity is a serious issue facing society.[1]
Privacy according to Westin is “the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.”[2] It is the ability of an individual or group to keep their lives and personal affairs out of public view, or to control the flow of information about them. The right to privacy is more of an implied obligation. It is the ‘right to be let alone’.[3] The protection of electronic mail from unauthorized access and inspection is known as electronic privacy.[4]
Privacy in a technology-driven world is a difficult proposition. Technology has become a kind of double-edged sword: on one hand it equips a person to safeguard his privacy, and on the other it helps in blowing away whatever privacy cover one may have had.[5] Email may feel like a private, one-to-one conversation safe from prying eyes, but email is about as confidential as whispering at the White House.[6] There exists a mere illusion of privacy in email in the minds of people, created by having a password to access one’s email account. But in fact, one’s messages can be intercepted and read from anywhere in transit, or reconstructed and read off backup devices, for a potentially infinite period of time.[7]
Thus, concerns over the privacy of individuals in electronic mail have been raised, and it is given a certain amount of legal protection in developed countries. There are laws to protect the privacy of first parties in email communication, which grant them protection against all others who try to intercept their communication. The major concern is the policies of the email service providers, who are inserting such terms and conditions about usage of the email service that it has become difficult to protect privacy in emails, as there is no law to govern them. This project work aims at analyzing the current position of third parties in email communication as regards a right to privacy in that communication against the email service providers. I have tried to analyze how far the third person has a right to privacy and can prevent the email service provider, who is a third party to the communication, from analyzing or monitoring his emails.
CHAPTER I: The problem with the privacy of third parties
As seen, privacy is an important aspect of electronic mail. Electronic mails are not sent in a closed environment. A person is free to send an email to a subscriber of some other email service provider, and the subscriber may equally send an email to that other person. Communication can take place only when there are at least two parties to it. Thus, the question is: what are the privacy rights of both such parties? Privacy is guaranteed to all individuals by A. 12 of UN Declaration of Human Rights. It reads as:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
In the present times, the increasing use of the internet and emails has raised the question of how to protect the privacy guaranteed to all individuals against the terms and conditions of email service providers. The email service providers, looking at the increasing demand for email communication, are taking unfair and undue advantage of that need and are doing away with the privacy of individuals in order to gain advantage and earn extra profits. For example, Google provides the Gmail service, through which it provides people with email accounts. One of the terms of its privacy policy states that “We serve highly relevant ads and other information as part of the service using our unique content-targeting technology.” If any person wants to subscribe to Gmail services, he needs to consent to this term. This term gives Gmail power to analyze all incoming and outgoing emails of the subscriber using “content extraction” in order to target the advertising to the user, thereby doing away with the privacy of that individual. Many other email service providers, such as big companies, also monitor and regulate the email sent and received by their employees. These employees have consented to such monitoring and have also agreed to consider such email a part of the company’s property. Thus, a question arises about the person who is in no way related to such a contract, i.e. the person who is not a subscriber at all. What about his right to privacy, given that communication involves two parties and both parties have equal rights of privacy over that communication?
The non-subscribers are involuntarily subjected to terms and conditions which exist only between the subscribers and the email service provider.[8] The subscribers may willingly opt in to whatever onerous terms the email service provider’s terms of service may contain, but the third party correspondents, i.e. the non-subscribers, are afforded no such opportunity. In such a circumstance the question arises as to how far the legal contract between the subscriber and the email service provider can be considered valid so as to take away privacy from the third party. The third party has neither agreed to such a term nor given up the reasonable expectation of privacy in the electronic mail.
The above questions become more relevant when we consider that confidential and personal information of the third party may be transferred through the email which is monitored. The companies can sell this personal data to obtain more benefits or exchange it with other companies to obtain more information about customers.[9] This is precisely what happened in the case of United States v. Councilman[10], where a person who was an email service provider monitored the emails of his clients and sold the information in them for his own benefit. With the growing demand for email services, and people being least bothered about the terms of service, the email service providers take advantage and make the most of it. With no law governing them, the time is not far off when conditions would be put in contracts which may give the email service provider property rights over the emails of the subscriber, or a complete right to monitor the emails, take the relevant portions out of them and sell them or use them himself to gain benefits. This is already happening on a smaller scale in companies and firms where the email service provider, being the company or the firm, has such contracts with its employees, who are the subscribers, so as to monitor all the emails of the employees and to have property rights over such emails.[11] No law prohibits such contracts. But the point to be pondered is the privacy right of third parties, which is breached and violated involuntarily and without their consent. This has now become a global issue.
CHAPTER II: The Law on Privacy
Privacy laws are well defined in developed countries. But online privacy is a new concept and hence all the laws in this field are at a nascent stage. These laws are not that exhaustive and do not cover many aspects of privacy. One such aspect is the privacy of third parties in electronic mail conversations. In many countries the laws that apply to telephonic conversations and letters are applied to the email conversations. But these countries fail to understand that the electronic mail conversation involves a whole lot of different aspects and requires more stringent and separate laws.
Privacy, as stated above, is guaranteed to each and every individual globally by A. 12 of UN Declaration of Human Rights. The European Directive on Data Protection, 2002 is another Directive which provides protection to privacy of an individual online. European Convention on Human Rights and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data also guard the privacy of an individual. The confidentiality of communications is protected by Article 5 of Directive 97/66/EC.
Electronic Communications like telegraph, email, etc are guarded from being intercepted in many developed countries by specific laws. In United Kingdom, the laws preventing such interceptions are Interception of Communications Act 1985 and Data Protection Act 1998. In United States of America, the laws that protect such privacy are the Electronic Communications Privacy Act, 1986 and the Federal Wiretap Act. All these laws govern the online interception and surveillance of emails.
But all the above laws have loopholes. These laws are based on the notion of one-party consent. This means that if any one party to the communication gives his consent, then another person can legally intercept, monitor, analyze, etc., one’s emails. A person who is not a party to the communication thus gets free access to that communication whether or not all the parties agree to grant him such access. This is a major drawback: even if one or more parties to the conversation are not willing to grant permission, i.e. to do away with their privacy, their privacy will be involuntarily taken away as long as one of the parties to that conversation agrees. This provides a loophole for the email service providers to get away scot-free even after breaching someone’s privacy. The email service providers take the consent of the subscribers in either the terms of service or the privacy policy, which means that they have got consent from one of the parties to the communication and thus do not require the permission of the third party and can play with the privacy of that party.
This leads to the question of whether third parties should be given a right to privacy and the same protection as their counterparts get. The answer is yes. I feel that their consent must also be taken before breaching their privacy. This can be done only by accepting all party consent laws, which state that any person who wants to intercept, monitor or analyze any email or electronic conversation must take the consent of all the parties to that communication before breaching the privacy. This means that the person wanting to monitor, intercept or analyze an email would have to take the consent not only of the sender and receiver of the email but, in case such email has been forwarded, of all the parties to that email, i.e. all the persons who forwarded that email. Such laws are accepted in a few states in United States of America. A number of U.S. states require that, before you can record the contents of an “oral” or telephonic communication (or before you can “intercept” such a communication) you must have the consent of all parties to the conversation. Such is the law in Massachusetts (Mass. Ann. Laws ch. 272), Michigan (§99 Michigan, Mich. Comp. Laws §750.539c), Nevada (Nev. Rev. Stat. Ann. §200.620 - by court decision, and N. H. Rev. Stat. Ann. §570-A:2) South Carolina (S.C. Code Ann. §16-17-470), and Washington State (Wash. Rev. Code § 9.73.030).
Some states expressly extend this “all party consent” philosophy to “electronic” communications. This includes California (Conn. Gen. Stat. §52-570d:), Delaware (Del. Code Ann. tit. 11, §2402(c)(4)), Florida (Fla. Stat. ch. 934.03), Hawaii (Haw. Rev. Stat. §803-42), Illinois (720 ILCS 5/), Louisiana (La. Rev. Stat. §15:1303), Maryland (Md. Code Ann., Courts and Judicial Proceedings §10-402), Montana (Mont. Code Ann. §45-8-213) and Pennsylvania (18 Pa. Cons. Stat. §5703). Other states impliedly extend these laws to electronic communications.
The validity of such all party consent laws has been upheld in many cases, and even in case of conflict of laws, such laws are held to prevail. For example, suppose a person located in a state where one party consent law applies wants to intercept a communication. In that case, even if only one of the parties to the communication is located in a state where the all party consent law applies, the person who wants to intercept has to take the permission of all the parties to the communication. He cannot escape merely by taking the consent of one of such parties, even though he is located in a state where one party consent law applies, or even if all the parties except one are located in a state where one party consent law applies. This was held in the case of Kearny v. Salomon Smith.[12] The California court held that in case of conflict of laws, one has to balance competing interests, and it held that California’s interests prevailed and that the law of California, where the all party consent philosophy applies, must prevail. This has also been held by Florida and Georgia courts.[13] Thus, laws requiring all party consent are held to be valid.
India lags behind in the formation of such laws. There are no laws on privacy in India. There is no law on email privacy or data privacy in India. But Article 21[14] of the Constitution of India guarantees every individual a right to privacy under the umbrella of the notion of personal liberty. In Kharak Singh v. State of Uttar Pradesh[15], the Supreme Court equated the “right to privacy” with “protection of life and personal liberty”. In PUCL v. Union of India[16], the Supreme Court held that telephone tapping by Government under Section 5(2) of Telegraph Act amounts to an infraction of Article 21.
The law on privacy in the case of electronic communications is undeveloped. India still has no laws to protect privacy in emails. There is no law to protect the privacy either of the first party or of any other party in email communications. The Personal Data Protection Bill is still pending before the legislature and is yet to be passed. But this Bill is also based on the one party consent philosophy. So there is no protection given to third parties as far as India is concerned. Once the subscriber has consented to the email service provider, the third party has no remedy expressly provided under the law.
CHAPTER III: The remedies for Third Parties
There is no express law providing remedy to the third parties for the breach of their privacy by the email service providers. The only resort left with them according to me is to go for common law remedies. These remedies are given under contract law, tort law, copyright law, etc. which are available only under certain circumstances.
As far as contract law is concerned, the third party can sue the email service provider on the basis of the contract between the email service provider and the subscriber. The third party can sue on the point that the condition put in by the email service provider in the contract is invalid as it violates his right to privacy guaranteed to him under the constitution. But the basic question that arises concerns the privity of contract between the subscriber and the email service provider. The third party is not a party to that contract and, according to the principle of privity of contract, he cannot sue on the basis of that contract. But an exception is carved out these days to the rule of privity of contract. It states that where a contract is entered into for the benefit of a third party, the third party can sue any of the contracting parties on the basis of that contract. Two U.K. Court of Appeals judgements, i.e. St. Martin’s Corporation Ltd v Sir Robert McAlpine (1993) and Darlington Borough Council v Wiltshier Northern Ltd (1994), brought in this exception to the rule of privity of contract. Thus, the third party must first prove that the contract entered into between the email service provider and the subscriber is a contract for his benefit, and that he can therefore sue. This he can do by stating that the basic purpose of entering into that contract was to facilitate communication between the subscriber and the third party. This contract enabled the subscriber to send emails to the third party and to receive emails from him, and thus benefited the third party too, as the third party was able to communicate with the subscriber, which would not have been possible if the subscriber did not have that email account. Thus, the contract entered into was for the benefit of the third party, and so the exception to the rule of privity of contract would apply.
The second issue that would arise in mind is the validity of such contracts. Generally such contracts entered into by the subscribers with email service providers are online click wrap contracts. The validity of such contracts was upheld in various U.S. cases such as Feldman v. Google Inc.[17], Hotmail Corp. v. Van$ Money Pie[18], I. Lan Sys., Inc. v. Netscout Serv. Level Corp.[19], etc. However, the courts have held in quite a number of cases that all the terms in the clickwrap contracts may not be enforceable. The leading judgement on this point is ProCD Inc. v. Zeidenberg[20], where the court held that only those conditions which are not unconscionable are valid and enforceable. Others are invalid. Thus, if a third party can prove that the terms of service asking for monitoring or intercepting or analyzing the email are based on unconscionable circumstances, then he can get a remedy and claim damages.
The protection against interception extends only so long as the email is in the process of communication. The U.S. court in United States v. Councilman[21] held by majority that interception “includes transient electronic storage that is intrinsic to the communication process for such communications.” But the court failed to consider or decide what happens after a message has crossed the finish line of transmission, i.e. if the email service provider views or monitors an email after it has reached the subscriber, will that be interception? The law is not clear on this point as nothing is yet decided.
Another remedy available to the third party is based on the law of negligence. The third party can claim that the email service provider has negligently breached his right to privacy by intercepting or monitoring or analyzing his email and thus is liable to pay compensation to him. This remedy was formulated in the well known English case of Donoghue v. Stevenson[22] wherein the court in order to provide a remedy to the third party who is not a party to the contract established the principle of duty to care. But this kind of remedy is available to the third party only if he has suffered certain damages by the act of the email service provider and only if he can prove that the email service provider had a duty to take care of the right to privacy of the third party provided by the law. Thus, this remedy is available in limited cases.
Another remedy which is available to the third parties is the protection of copyright. But this remedy is also available in only a few cases or certain particular cases. It is available only when the third party has sent or is to receive from the subscriber some copyrighted content over which he has a copyright. Further, the third party has to prove that the email service provider has copied that data in order to either make use of it or sold it to someone, etc based on the terms of that contract between the subscriber and the email service provider. This remedy is thus available in limited circumstances.
According to me, the above are a few remedies available to the third party in case his privacy in email communications is compromised by the email service provider. But these remedies are available only in particular and limited cases. There is no specific remedy provided expressly or directly by law even when the right to privacy of every individual is recognized.
CONCLUSION
The right to privacy of every individual is recognized on international as well as national levels by various declarations and constitutions of different countries. Even then there is a lacuna in the legal system all over the world as it fails to provide a legal framework giving remedy to the third party against email service providers for violating his right to privacy. The law provides for a right but does not provide for a remedy for its violation.
It is recommended that the international community as well as the national legislatures should think upon this problem and frame some laws to govern such a situation. Everyone has a right to privacy which must be protected, as the right to privacy is a human right and also forms a part of the right to life and personal liberty. It could be curtailed only in cases of public interest by laying down reasonable restrictions, and in no other case. Stringent laws should be framed in order to prevent email service providers from infringing the privacy of third parties without their consent. This kind of breach must be made a crime in order to secure and preserve privacy in electronic mails. Only then can safe correspondence be guaranteed to each and every individual. Otherwise, a lot of business secrets would be lost and there would be a lot of copyright infringement in the absence of such laws to prevent it.
BIBLIOGRAPHY
Articles, Books, Websites, Reports and others:
1) Privacy issues on http://www.netatty.com/privacy/privacy.html (last visited on 27th November, 2007).
2) Westin, AF, Privacy and Freedom, 1967, London: Bodley Head.
3) Warren and Brandeis, ‘The Right to Privacy’ (1890) Harvard Law Review, IV (5).
4) http://en.wikipedia.org/wiki/E-mail_privacy (last visited on 28th November, 2007).
5) Vakul Sharma, Information Technology and law Practice, 2004, Universal Law Publishing Company Pvt. Ltd, First Edition.
6) “Email Privacy” at http://www.nolo.com/article.cfm/objectId/286D456E-73C7-414A-B174343E0225C4C8/104/284/220/ART/ (last visited on November 30, 2007).
7) “DRM and the False Privacy of Email” at http://www.oreillynet.com/onlamp/blog/2004/05/drm_and_the_false_privacy_of_e.html (last visited on November 28, 2007).
8) http://en.wikipedia.org/wiki/Donoghue_v._Stevenson
9) http://en.wikipedia.org/wiki/Duty_of_care
10) http://www.theregister.co.uk/2006/08/02/workplace_email_privacy/page2.html
11) http://www.opsi.gov.uk/si/si2003/20032426.htm
12) http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=5th&navby=case&no=9730408CV0&exact=1
13) http://www.legalserviceindia.com/articles/econtracts.htm
14) http://www.linksandlaw.com/news-update49-feldman-google.htm
15) http://en.wikipedia.org/wiki/Unconscionability
16) http://www.netlitigation.com/netlitigation/ecommerce.htm
17) http://www.netatty.com/privacy/privacy.html
Dictionaries:
1) H. Black, Black’s Law Dictionary (5th ed., St Paul: West Publishing Co., 1979) 1059.
2) The Concise Oxford Thesaurus compiled by Kirkpatrick Betty; Oxford University Press.
3) Webster’s New English Dictionary; Black Dog & Leventhal Publishers Inc, 2nd Edn 1995.
Case laws:
1) United States v. Councilman, 418 F. 3d 67 (1st Cir. 2005).
2) Kearny v. Salomon Smith (US)
3) Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295.
4) PUCL v. Union of India, (1997)1 SCC 301
5) St. Martin’s Corporation Ltd v Sir Robert McAlpine (1993)
6) Darlington Borough Council v Wiltshier Northern Ltd (1994)
7) Feldman v. Google Inc., No. 06-2540, 2007 WL 966011 (E.D. Pa. Mar. 29, 2007).
8) Hotmail Corp. v. Van$ Money Pie, No. 98-20064, 1998 WL 388389 (N.D. Cal. Apr. 16, 1998).
9) I. Lan Sys., Inc. v. Netscout Serv. Level Corp., 183 F. Supp. 2d 328, 336
10) ProCD Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996).
11) Donoghue v. Stevenson, [1932] AC 562, 1932 S.C. 31, All ER Rep 1
[1] See Privacy issues on http://www.netatty.com/privacy/privacy.html (last visited on 27th November, 2007).
[2] Westin, AF, Privacy and Freedom, 1967, London: Bodley Head.
[3] Warren and Brandeis, ‘The Right to Privacy’ (1890) Harvard Law Review, IV (5).
[4] See http://en.wikipedia.org/wiki/E-mail_privacy (last visited on 28th November, 2007).
[5] Vakul Sharma, Information Technology and law Practice, 2004, Universal Law Publishing Company Pvt. Ltd, First Edition.
[6] See “Email Privacy” at http://www.nolo.com/article.cfm/objectId/286D456E-73C7-414A-B174343E0225C4C8/104/284/220/ART/ (last visited on November 30, 2007).
[7] Ibid.
[8] See “DRM and the False Privacy of Email” at http://www.oreillynet.com/onlamp/blog/2004/05/drm_and_the_false_privacy_of_e.html (last visited on November 28, 2007).
[9] Supra at 1.
[10] 418 F. 3d 67 (1st Cir. 2005).
[11] Supra at 6.
[12] U.S.
[13] Supra at note 6.
[14] A. 21 of Constitution of India reads as, “No person shall be deprived of his life and personal liberty except according to the procedure established by the law.”
[15] AIR 1963 SC 1295.
[16] (1997)1 SCC 301
[17] No. 06-2540, 2007 WL 966011 (E.D. Pa. Mar. 29, 2007).
[18] No. 98-20064, 1998 WL 388389 (N.D. Cal. Apr. 16, 1998).
[19] 183 F. Supp. 2d 328, 336
[20] 86 F.3d 1447 (7th Cir. 1996).
[21] Supra at 10.
[22] [1932] AC 562, 1932 S.C. 31, All ER Rep 1












