International: Digital inheritance and post-mortem privacy in the US and Canada
With the multitude of enhanced protections and rights being introduced to individuals with regard to the protection of their personal data, a cautionary approach has become commonplace for organisations who carry out data processing and consider ownership of data. As such, questions have arisen around what happens to data when an individual is deceased, where difficulties have the potential to arise in affording such rights and protections. In the second instalment of a short series of articles discussing regulatory approaches around post-mortem privacy, Dr Edina Harbinja, Senior Lecturer in Media/Privacy Law at Aston University, investigates the issues around handling deceased people's data in the US and Canada.
In my previous article, International: Digital inheritance and post-mortem privacy in Europe, I identified some key arguments as to why this area is important to consider and regulate. Key legal questions largely remain unanswered, such as whether bereaved family members should be allowed to access the deceased person's digital accounts, and under which circumstances. Is the service provider obliged to enable the family/next of kin such access? Should friends have access to shared content on Facebook, Inc.? Do users have a right to decide what happens to their digital assets and accounts when they die? What about the right of access by the wider public, journalists, archivists, and historians? Is the legal profession well-equipped to deal with the ever-growing digital legacy? Do we have the right to post-mortem privacy?
I also argued that many European countries still struggle to find the right response to the conundrum of questions around the regulation of digital legacy. In my view, none of the European countries so far have found an optimal solution. The US and Canadian model laws and statutes are much more advanced in this area, and there has been some significant case law in the US in particular. The focus of this piece therefore will be on the American and Canadian uniform laws, as well as the most relevant case law in the area.
Statutes and uniform laws in the US and Canada
In my previous article, I explored the general UK principles of non-survivorship of privacy and data protection. Similarly, the American Restatement of Torts, Second states that there can be no cause of action for the invasion of privacy of a decedent, with the exception of 'appropriation of one's name or likeness1.' Some states do provide for the post-mortem protection of so-called 'publicity rights' (rights that usually protect celebrities, but sometimes include all individuals' right to name, image, likeness etc.), up to the limit of 100 years after death2. Thus, it could be generally argued that US state and federal law do not protect post-mortem privacy or personality rights, with some peculiar exceptions such as publicity rights.
Nevertheless, in the area of digital assets and inheritance, US states have been the most active legislators, especially compared to their European equivalents. The first phase of this legislation started as early as 2005. Over the following ten years, more than 20 US states attempted to regulate the area of transmission of digital assets on death. These laws were probably been inspired by the publicity around the case of In Re Ellsworth, No. 2005-296, 651-DE (Mich. Prob. Ct. 2005) ('the Ellsworth Case') and similar controversies reported in the media. The Ellsworth Case illustrates most of the issues surrounding the post-mortem transmission of emails and other digital assets (i.e. post-mortem privacy, confidentiality, remembrance, memes, access, and conflicts of interests of the deceased person and family, contract law issues). State legislative responses that followed the Ellsworth Case were quite partial and piecemeal, rather than comprehensive and evidence-based legal solutions3.
Following the emergence of this piecemeal state legislation, in July 2012 the Uniform Law Commission formed the Committee on Fiduciary Access to Digital Assets ('the Committee') to offer a model law that would aim to harmonise this area. The goal of the Committee was to draft acts and/or amendments to the Uniform Law Commission Acts (the Uniform Probate Code, the Uniform Trust Code, the Uniform Guardianship and Protective Proceedings Act, and the Uniform Power of Attorney Act), which would authorise fiduciaries to manage and distribute, copy or delete, and access digital assets. Under succession law, the personal representative typically has the right to access and manage the assets of the deceased person no matter what the contract says. This is usually enabled via a grant of power from the court, known as obtaining probate, confirmation, etc. This general principle has been revised to an extent in the US and Canadian model laws, as indicated below.
The Committee's attempt took a form of the Uniform Fiduciary Access to Digital Assets Act ('the UFADAA'), which had been drafted and published online on multiple occasions over the three years before the final text was adopted. The process included fierce lobbying by tech companies, connected through a think tank called NetChoice. The companies moved on to lobby for a completely different act, which would replace the UFADAA, resulting in The Privacy Expectation Afterlife and Choices Act of 2015. The Uniform Law Commission then decided to revise the UFADAA, and incorporated some of the industry concerns and pro-privacy stances, adopting the Revised UFADAA ('the RUFADAA') in 20154.
During the drafting process, there were many open issues that the Committee needed to address around the RUFADAA. For instance, in the February 2013 Prefatory Note for the Drafting Committee, the drafters identified the most critical issues to be clarified, including the definition of digital property (Section 2 of the RUFADAA) and the type and nature of control that can be exercised by a fiduciary (Section 4 of the RUFADAA). Some of the most controversial issues that were being disputed within the Committee were clarifying possible conflicts between contract and succession and probate law; and resolving conflicting interest between heirs, family, and friends of the deceased person5.
The final text of the RUFADAA includes important powers for fiduciaries regarding digital assets and estate administration. These powers are limited by a user's will and intent expressed in their choice to use online tools to dispose of their digital assets (e.g. Google LLC's Inactive Account Manager or Facebook's Legacy Contact, see the previous article for more detail on these services). According to the RUFADAA, user choice overrides any provisions of their will. If the user does not give direction using an in-service solution but makes provisions for the disposition of digital assets, the RUFADAA gives legal effect to the user's directions. If the user fails to give any direction, then the provider's terms of service ('ToS'), i.e. contract with the user, will apply. The RUFADAA also gives the service provider a choice of methods for disclosing digital assets to an authorised fiduciary, in accordance with its ToS (i.e. full access, partial access, or a copy in a record). The RUFADAA also gives personal representatives default access to the 'catalogue' of electronic communications and other digital assets not protected by federal privacy law (i.e. the content of communication which is protected and can only be disclosed if the user consented to the disclosure or if a court orders disclosure, according to the Electronic Communications Privacy Act of 1986 ('the ECPA'). Section 9 of the RUFADAA aims to resolve the issues of the potential violations of criminal and privacy legislation. It also tackles jurisdiction, mandating that the choice of law provisions in ToS do not apply to fiduciaries. The RUFADAA abandoned the notion of digital property and kept the concept of digital assets, comprising both the content and the log information ('metadata' i.e. information about electronic communication, the date and time a message has been sent, recipient email address, etc.). The departure from the notion of digital property is welcome in my view, since most digital assets cannot be considered property in the same way as one's offline, tangible assets6. However, the Uniform Law Commission did not base the RUFADAA on these doctrinal and normative considerations. Rather, the final text is a compromise and a product of lobbying. At the time of writing, the majority of states have introduced and enacted the RUFADAA7. Seemingly therefore, the RUFADAA has contributed to the harmonisation of divergent laws, at least in the states that have enacted it.
The Uniform Law Conference of Canada followed the US approach and enacted a similar Act, the Uniform Access to Digital Assets by Fiduciaries Act 2016 ('the UADAFA'). The UADAFA provides a stronger right of access for fiduciaries than the RUFADAA. The UADAFA provides for default access by the fiduciary to the digital assets of the account holder. In UADAFA, the instrument appointing the fiduciary determines a fiduciary's right to access, rather than the service provider. The UADAFA has a 'last-in-time' priority system, whereby the most recent instruction of the deceased person takes priority over an earlier instrument. Interestingly, however, a deceased person who already has drafted a will, but then has nominated a family member or a friend to access their social media account after their death, will have restricted their executor's rights under the will. This is similar to the RUFADAA in that the deceased person's intent takes priority in any case, and the difference is in the mechanism. The RUFADAA is more restrictive in honouring ToS in the absence of user instructions. Service providers are only obliged to disclose the catalogue of digital assets and not the content. I believe that the US solution is more suitable for the online environment, in particular for personal digital assets, intrinsically tied to one's identity, such as their email or social media account.
If we compare these laws with the European laws analysed in my previous article, Article 63(2), the French Digital Republic Act 2016 ('the French Act'), resembles provisions of RUFADAA. The French Act states that anyone can set general or specific directives for the preservation, deletion, and disclosure of their personal data after death. These directives are to be registered with a certified third party or with the service provider who holds the data (e.g. Facebook or Google)8.
Other countries are also considering introducing new legislation to resolve the issues of access in particular. The Law Reform Commission of New South Wales is one of the most recent examples9.
In a more recent US case, Ajemian v. Yahoo! ('the Ajemian Case')12, the Massachusetts Supreme Judicial Court held that personal representatives of a deceased person may provide lawful consent on a decedent's behalf to access his electronic communications, despite the ECPA and, even in the absence of express authorisation in his will. A case in contrast with the Ajemian Case is that of Sahar Daftary. Sahar died at the age of 23 in the UK, and her family applied to the US courts to subpoena records from her Facebook account, as they believed that it 'contain[ed] critical evidence showing her actual state of mind in the days leading up to her death,' which could be used in proceedings in the UK. Facebook had refused to grant access without a court order, citing the ECPA13. The U.S. District Court for the Northern District of California ('the California Court') found that the ECPA prevented it from making an order to compel a US service provider like Facebook from disclosing stored communications in civil proceedings to third parties, even after death, and for the purposes of foreign proceedings as well as in the US14. The California Court also noted that Facebook could choose to disclose the records to the family voluntarily and still be in accordance with the ECPA. It has not been reported if Facebook has done so, and anecdotal evidence suggests that most providers refuse to do so without a court order from the California Court specifically.
Finally, to make the matter even more confusing, in another US case, In re Scandalios15, Ric Swezey died unexpectedly in 2017 and his will did not explicitly authorise his husband, Nicholas Scandalios, to have access to his digital assets, including many family photos in his Apple account. Apple iCloud's ToS provided that, 'any rights to your Apple ID or content within your account terminate upon your death,' unless required by law. The New York County Surrogate's Court ('the New York Court'), however, ordered Apple to give the deceased person's husband and the executor of the estate access to the deceased person's Apple account. The New York Court, in this case, relied on Article 13-A, Administration of Digital Assets, of the New York Consolidated Laws, Estates, Powers and Trusts Law. The New York Court found that while disclosure of electronic communications required 'proof of a user's consent or a court order,' the decedent's photographs stored in his Apple account were not 'electronic communications.' For these reasons, the New York Court ordered that Apple should provide the executor with the opportunity to reset the password to the deceased person's Apple ID.
As suggested in my previous article, the area of digital inheritance is very complex and digital assets need to be examined individually in order to be able to determine which regulatory and legal regime is best suited to deal with their post-mortem transmission. What is common for most digital assets is that they include a myriad of legal relationships and that these surface differently for different types of these assets. Notwithstanding this distinction, all of the digital assets have in common that they are governed primarily by intermediary contracts and that the lack of laws and regulation gives prevalence to these in many jurisdictions. There have been some innovative solutions in countries such as the US, Canada and France, but more effort is required to implement these in practice, harmonise jurisprudence and test the laws as technology develops further. Technological solutions are welcome, but again, these innovations may not be followed by legislative reforms and often conflict with some longstanding legal principles in succession, intellectual property, privacy, or property law.
In my opinion, with all its flaws around the process that proceeded its enactment, the RUFADAA is still an acceptable legal solution for the transmission of digital assets, as it is rather protective of post-mortem privacy through the mechanisms analysed above. A law similar to the RUFADAA should thus aim to recognise technology as a way of disposing of digital assets, as a more efficient and immediate solution online. The appropriate solution would also consider technological limitations, users' autonomy, and the changing landscape of relationships online, as identified in social science literature16.
Therefore, it is necessary to introduce digital asset-specific laws in countries where this is not the case. Generally, all countries who aim to legislate in the area need to make sure that their property, contract, IP, data protection, and succession laws are consistent, otherwise, efforts in one area may be undermined by conflicting provisions in another area. In addition, there should be exceptions to these general provisions of transmission/deletion in order enable access by researchers and archivists, in particular, so as to balance the right to privacy and autonomy with the freedom of expression and public interest. This is particularly important in circumstances where users choose to be forgotten post-mortem, i.e. to have most of their accounts and data deleted. Here, as generally required by data protection and many other laws, privacy and individual rights need to be balanced against the public interest, freedom of expression, research, and archival interests.
The role of the legal profession is crucial here as well. It is important that lawyers are trained to deal with these issues since they encompass so many different areas of law, including, but not limited to, data protection and privacy. A comprehensive perspective by the profession is required here since it is no longer sufficient to rely on traditional knowledge around succession and probate and closely related areas of law. Lawyers need to consider the area holistically in order to be able to initiate conversations around digital assets with their clients. This is, admittedly, very difficult in the area where specific laws do not exist or are inconsistent and problematic. The law reforms are, thus, necessary preconditions for clarifying the area for the legal profession, as well as for service providers, platforms and individuals around the globe.
Dr Edina Harbinja Senior Lecturer in Media/Privacy Law
Aston University, Birmingham
1. American Restatement of Torts, Second, § 652I, 1977.
2. Edwards, L., & Harbinja, E. (2013), Protecting Post-Mortem Privacy: Reconsidering the Privacy Interests of the Deceased in a Digital World, Cardozo Arts & Entertainment Law Journal, 32, 1, p83-129.
3. Lopez, A.B. (2016), Posthumous Privacy, Decedent Intent, and Post-Mortem Access to Digital Assets, George Mason Law Review, 24, p183-242.
5. Harbinja, E. (2017), Legal Aspects of Transmission of Digital Assets on Death (Unpublished PhD thesis), University of Strathclyde.
7. US Uniform Law Commission (2015), Fiduciary Access to Digital Assets Act, Revised (2015): 2018 Introductions & Enactments.
8. For more see Castex, L, Harbinja, L. & Rossi, J. (2018), Défendre les vivants ou les morts? Controverses sous-jacentes au droit des données post-mortem à travers une perspective comparée franco-américaine, Réseaux, 4, 210, 117-148.
9. My response to this consultation, suggesting solutions based on my research, is available at: https://www.lawreform.justice.nsw.gov.au/Pages/lrc/lrc_current_projects/Digital%20assets/Project-update.aspx
10. See the Ellsworth case, and discussion in Baldas T, Slain Soldier's E-Mail Spurs Legal Debate: Ownership of Deceased's Messages at Crux of Issue, 27 Nat'l L.J. 10, 10 (2005).
11. See Associated Press release, 21 April 2005, available at http://www.justinellsworth.net/email/ap-apr05.htm
12. Ajemian v. Yahoo!, Inc.,84 N.E.3d 766 (Mass. 2017), cert. denied, No. 17-1005, 2018 WL 489291 (26 March 2018).
13. In re Request for Order Requiring Facebook, Inc to Produce Documents and Things, C 12-80171 LHK (PSG) (ND California; 20 September 2012).
14. See Request for Order (8)2, citing Theofel v. Farley-Jones, 359 F3d 1066, 1074 (9th Cir 2004).
15. 2017-2976/A N.Y. Surr. Ct. 2019.
16. See Kasket, E. (2013), Access to the Digital Self in Life and Death: Privacy in the Context of Posthumously Persistent Facebook Profiles, SCRIPTed, 10, 7; Kasket, E. (2019); All the Ghosts in the Machine: Illusions of Immortality in the Digital Age, London: Robinson, Pennington, N. (2013); and You Don't De-Friend the Dead: An Analysis of Grief Communication by College Students Through Facebook Profiles, Death Studies 37, 617.