This is the third and final entry in a three-part blog series about the current state of estates law vis-à-vis privacy law. Part I focused on the relevant federal and provincial privacy legislation. Part II examined significant court decisions relating to this area. Part III will look at solutions for lawyers to help their clients manage their estate planning to be compliant with privacy law requirements.
The previous two entries in this blog series provided legislative and jurisprudential approaches to the issues surrounding digital assets, particularly with respect to instances where an organization refuses to disclose the personal information that it has collected about a deceased person to the executors and trustees (together, the “legal representatives”), as well as the beneficiaries, of that deceased person’s estate. Those two entries have made it clear that the law, overall, is unclear in these situations. That being said, this final entry seeks to propose potential solutions to reconcile the rights and obligations between the legal representatives and beneficiaries of a deceased person’s estate, on one hand, and an organization who has collected such deceased person’s personal information, on the other.
Some Popular Websites Allow for Post-Death Account Management
First, note that a number of popular online organizations do provide services that enable their users to arrange for the management, closure and/or deletion of such users’ accounts. For example, Facebook and Instagram have a “memorialization” process, which allow their users to designate individuals who are authorized to take certain limited actions with respect to their accounts after their death. Google has an Inactive Account Manager, an automated service which will notify certain pre-selected individuals if it detects that the user’s account has been inactive for a specified period of time. For a comprehensive list and explanation of many of these services, please take a look at this bulletin that I wrote on the topic.
The good thing about these types of services is that they provide certainty to the organizations that facilitate them. Such services require a user to personally authorize them directly through the relevant platform. As such, an organization offering such services will not have to worry about the validity of a document like a will. Simply put, these services work because the organizations that operate them have control over all of their parameters. This would not be the case if, for these purposes, such organizations needed to rely on a testamentary direction (like a will) that a third party had drafted.
That being said, there are some drawbacks to these types of services. First, of course, each such service is limited only to the organization that is providing it. This can be problematic because it would mean that the legal representatives of a deceased person’s estate would have to keep track of each different service’s requirements and authorizations. On that note, rarely does any such service offer the legal representatives the flexibility to do anything they deem as necessary with respect to the relevant account. Often, it is simply the case that the service allows for the closure and/or deletion of the account. Due to privacy concerns discussed in the previous entries in this series, such services usually will not allow the legal representatives to, for example, see all of the deceased person’s messages, or even upload files onto the deceased person’s account.
However limited these services may be, the closure/deletion of a deceased person’s online accounts may be all that such person intends to happen to such accounts. Therefore, it is prudent for everyone to take advantage of all such services that may be relevant to them. Of course, the problem with this principle is that many people often do not know about or neglect to use these services, which is one of the reasons why there is often conflict between the legal representatives of a deceased person’s estate and online organizations. A further contributing factor to this conflict is that not every online organization offers these types of services.
Using Independent Digital Asset Management Services Can Be Effective
At this point, it seems that a highly effective solution to these problems is the use of services that are dedicated to managing a person’s digital assets that may be facilitated by many different organizations. These services are sometimes referred to as “Smart Digital Vaults” (“SDVs”), as they typically allow a user to store information about their digital assets in a central location without requiring any passwords. The very purpose of SDVs is to make digital estate administration easier, as the legal representatives of the estate of a deceased person who used an SDV could either work in tandem with such SDV or could “outsource” the digital estate administration to the SDV as an agent (similarly to how one would use a real estate agent, for example).
A great example of such a service is Directive Communication Systems (“DCS”). DCS contains a comprehensive list of hundreds of different popular online websites. A DCS user can provide their account information for an account with any number of these websites—but not password information—in order to prove that they are the owner of such account. The DCS user can then provide individualized directions for what is to happen to each account after they die. The DCS user would also need to put a clause referring to DCS in their will. The DCS user should also provide information about their legal representatives to DCS.
DCS is effective for many reasons. First, it provides a great deal of flexibility and customizationto its users, more so than the individual post-death account management services that online organizations themselves provide. Notably, a DCS user can, for example, direct for the disclosure of the contents of an account, including emails or other types of messages. Furthermore, DCS does not require the disclosure of any passwords, which is effective as such disclosure can be problematic for multiple reasons (as discussed later in this blog entry).
However, the most compelling part of DCS is that it indicates that it has worked directly with online organizations like Facebook and Google, and that such organizations have agreed that they will cooperate with the directives that a DCS user makes via the DCS platform. As these blog entries have deduced, the main issue for the conflict between estates law and privacy law is that organizations that have collected personal information about a deceased person do not want to be liable for improperly disclosing such information. In response to this concern, DCS provides a way for such organizations to verify that the DCS user in question and the organization’s user are the same person, and such person has authorized such disclosure.
The issue with any SDV, however, is that, just as with services that online organizations themselves provide, it is incumbent on the user themselves to use the platform and to make the necessary directives. That being said, for those with online accounts who are actively engaging in estate planning, a SDV seems to be critical to have amidst the uncertainty of the law in this area.
Try Providing Consent in the Will
For those who are unable or unwilling to use the services outlined above, a possible alternative is to consent, for the purposes of privacy legislation such as the federal Personal Information Protection and Electronic Documents Act (PIPEDA), to the disclosure of their personal information by third party organizations to the legal representatives of their estate. As the previous entries in this blog series have identified, there is a difference between “property” for the purposes of Ontario’s Succession Law Reform Act and “personal information” for the purposes of PIPEDA. A written consent pursuant to privacy law has never been a common provision to include in a will, but as more and more people are having trouble in this area of the law, it is becoming apparent that peoples’ wills ought to address privacy law in some capacity.
Assuming that a person would like to disclose the contents of and/or means of accessing their digital assets, as the case may be, to their legal representatives, it would also be prudent for them in their will not only to provide the relevant consent for the purposes of PIPEDA but also for the purposes of all privacy laws and legislation applicable to a given account. For example, many online organizations are based in the U.S., particularly in California. A blanket consent for the purposes of all privacy laws and legislation in any jurisdiction in a deceased person’s will may demonstrate to an organization that such person agreed to and intended for the disclosure of their personal information, no matter the circumstance.
The problem with this strategy is that it is more or less untested. While, in theory, such consent should be the assurance that an organization needs to legally be able to disclose a deceased person’s information to the legal representatives of their estate, in the absence of any
legislative provision or common law principle that specifically compels such disclosure, there is no impetus on such organization to do so. As Part I of this series pointed out, PIPEDA suggests that even with the deceased person’s consent, organizations are not obligated to disclose their information to a third party. In an age where privacy concerns and data breaches are hot-button issues, it is unsurprising that organizations, keeping their reputations in mind, would refuse any disclosure of personal information that is not legally necessary for them to make.
Sharing Passwords is Ineffective
Lastly, one might assume that a surefire way of ensuring the transfer of any digital asset is to simply, prior to their death, inform the people whom they have chosen to be the legal representatives of their estate all of their relevant passwords (or similar relevant electronic credentials). The theory is that if the legal representatives have these passwords, they will not need to directly contact any organization facilitating the associated digital assets in order to access such digital assets, and thus can manage such digital assets in accordance with the deceased person’s directions.
There are multiple issues with this. Firstly, to open an account with virtually any online-based organization, one must agree to a “Terms of Service” or similar agreement. The vast majority of such agreements expressly disallow the individual seeking to open an account pursuant to such agreement to share their password or other electronic credentials with anyone else. Even organizations themselves emphasize that they will never ask for a user’s password, as it is many times the case that anything such organization needs to retrieve from or do in relation to a user’s account is possible for such organization to do via its own system (and thus without the use of the actual password). Depending on the organization and the value of the digital assets involved, violating a “Terms of Service” agreement could have significant consequences to an estate.
Furthermore, sharing a password inherently subjects the password to a higher risk of being abused. When written down and given to someone, for example, it is hard to tell who might have access to or be able to intercept that document. Even emailing a password or sending it as part of a document file can be dangerous, considering that data breaches are becoming more and more of a reality with each passing year.
Even the use of password “vaults” is not advisable for the purposes of estate planning. For those who are unfamiliar, a password vault’s purpose is to provide an easily-accessible place for one to store all of their passwords. Of course, such a vault usually requires a master password to access, and the sharing of that master password carries with it all of the same issues as changing any other password.
All of the above is assuming, of course, that any given shared password is even valid by the time the legal representatives of a deceased person’s estate are to use it. Many organizations mandate their users to change their passwords at regular intervals. Thus, in order for password-sharing to be effective, the deceased person would have to be vigilant in providing updated passwords to their legal representatives.
“Vigilance” is a common theme among the strategies for managing one’s digital assets for the purposes of their estate planning, as every successful strategy requires active input from the deceased person themselves to have occurred prior to their death. If our legal system were clearer on the intersection between estates law and privacy law, then perhaps such a high level of intervention would not be necessary; for now, however, it is.