Estates Law and Privacy Law: An Incomplete Intersection (Part I)

This is the first entry in a three-part blog series about the current state of estates law vis-à-vis privacy law. Part I will focus on the relevant federal and provincial privacy legislation. Part II will examine significant court decisions relating to this area. Part III will look at solutions for lawyers to help their clients manage their estate planning to be compliant with privacy law requirements.

An ever-growing issue in estates law is the ability (or perhaps inability) for the executors, trustees and beneficiaries of a deceased person’s estate to access their digital assets. A major contributing factor as to why this is such an issue is that the term “digital assets” includes not only electronic property of financial value (like cryptocurrency), it also encompasses one’s personal information that may be stored with a private third party (i.e. Facebook, Google, Amazon). The problem is that the main statute in Canada for the regulation of personal information held by private third parties, the Personal Information Protection and Electronic Documents Act[1] (PIPEDA), does not seem to adequately address situations where the executors, trustees and beneficiaries of a deceased person’s estate are requesting the disclosure of their personal information from third parties with which they had online accounts.

It is often the case that a private third party will refuse to disclose a deceased person’s personal information to their executors, trustees and beneficiaries, even if those individuals are the spouse and/or children of the deceased, because the deceased did not previously provide consent to that private third party for such disclosure. Such organizations are frequently in the public eye for data breaches and/or violations of privacy law, so it is only natural that they exercise the utmost caution in disclosing any personal information without prior consent from the person whom the information is about. Furthermore, it is possible that in such situations, absent any specific instruction in their will, a deceased person would not want anyone, even their family, to have access to their personal information. Then again, a deceased person may have digital assets of significant financial or sentimental value only accessible through a private third party’s disclosure of their personal information, and thus such information may be necessary to their executors and trustees in order to, well, do their job. In any event, practitioners feel that these situations could more easily be reconciled if PIPEDA and the Office of the Privacy Commissioner of Canada[2] (the “Office”) had clearer guidelines for parties who find themselves in such situations.

First, in ascertaining where such certainty is required, it is important to look at the scope and purpose of PIPEDA. PIPEDA applies to the collection, use and disclosure of individuals’ personal information by private organizations. Thus, it does not apply to public (government) institutions.[3] PIPEDA quite broadly defines the term “personal information” as “information about an identifiable individual”,[4] and the Office has provided a thorough list of judicially-supported guidelines for interpreting the phrase.[5] An organization can only collect, use and disclose an individual’s personal information with the knowledge and consent of that individual, and PIPEDA also contains thorough guidelines addressing this “knowledge and consent” principle.[6]

That being said, it is the rules surrounding the disclosure of personal information by private third parties that is the heart of the issue here. Interestingly, subsection 7(3) of PIPEDA outlines the various situations where an individual’s knowledge and consent is not required for such disclosure.[7] However, this subsection contains no exception directly related to either the duties of executors and trustees of a deceased person’s estate or the entitlements of beneficiaries of that estate. The closest related exception is paragraph 7(3)(h), which allows for disclosure without the requisite knowledge and consent if such disclosure is made the earlier of:

• 100 years after the record containing the information was created; and
• 20 years after the death of the individual whom the information is about.[8]

Considering that very few estate administrations continue 20 years after the death of the individual, these exceptions are unhelpful. The larger obstacle is that while PIPEDA has garnered criticism for its lack of certainty for the executors, trustees and beneficiaries of a deceased person’s estate, paragraph 7(3)(h) implies that a deceased person’s information does not become automatically accessible to others upon their death. Furthermore, the language of subsection 7(3) states that an organization “may” make such disclosure; thus, even at the 20-year mark, there is no impetus on a private third party to disclose the personal information if there is no requirement for them to do so.

Yet, despite the fact that neither PIPEDA itself nor any of its regulations even contain the phrases “executor”, “trustee”, “personal representative” or “estate”,[9] the Office has published material that is helpful for this issue on its website, stating that “[i]n cases where a person has been dead for less than 20 years, only the executor or administrator of the estate, or liquidator of the succession may request the personal information. However, they may only access information that will allow them to fulfill their legal responsibilities”.[10] Helpful as this commentary may be, the issues with it are threefold. First, as mentioned earlier, this concept is not codified in the legislation itself, and it is difficult to determine the legal strength of a page on the Office’s website. Second, neither the page nor any related jurisprudence seem to provide an ascertainable standard for the meaning of “only […] information that will allow them to fulfill their legal responsibilities”. Third, this commentary comes in the context of federal government agencies, and not of private third parties.[11]

Yet, in other commentary, the Office asserted that a beneficiary of an estate is only entitled to personal information from third parties “that can be considered their own personal information (i.e., only information that is “about” them, within the meaning of [PIPEDA])”.[12] At the same time, in guidance for organizations who allow for family or joint ownership of accounts, the Office states that “in the case of a deceased individual’s account, information should not be disclosed to simply any relative or family member, but only to an individual who is authorized to administer the estate of the deceased, such as an executor”.[13]

A final point to note is that, in contrast with PIPEDA, certain provincial legislation does regulate the disclosure of personal information with respect to the executors and trustees of a deceased person’s estate. There are three provinces which have provincial privacy legislation in lieu of PIPEDA: British Columbia, Alberta and Quebec.[14] Section 3 of the British Columbia Personal Information Protection Act Regulations[15] assigns the right to disclosure of an individual’s personal information under Section 23 of the British Columbia Personal Information Protection Act[16] to, if that individual is deceased, their “personal representative”, their “nearest relative” or a lawyer assisting with the administration of their estate. Similarly, subparagraph 61(1)(d)(i) of the Alberta Personal Information Protection Act explicitly assigns “any right or power conferred on an individual” by the statute, including the right to disclosure, to the individual’s “personal representative if the exercise of the right or power relates to the administration of the individual’s estate”[17] Somewhat contrastingly, while there are sections of the Quebec legislation containing material relating to the administration of a deceased person’s estate, they do not appear to provide the same type of positive rights that the British Columbia and Alberta legislation provide; rather, they suggest that executors (referred to as “liquidators” in Quebec), as well as beneficiaries, may request a deceased person’s personal information.[18]

In conclusion, although British Columbia, Alberta and Quebec have each provided some form of explicit statutory treatment for this issue, it is unclear why PIPEDA has yet to provide any similar form of certainty. That being said, the next blog post in this series will look to relevant jurisprudence that may answer some questions left unaddressed by PIPEDA.

[1] Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA].

[2] The Office of the Privacy Commissioner of Canada is the regulatory body that enforces PIPEDA (among other privacy legislation).

[3] There are separate frameworks for the regulation of information collected, used and disclosed by public bodies. These frameworks, while important to know, are beyond the scope of this blog series (although the author hopes to address them in future posts).

[4] PIPEDA, supra note 1 at s 2(1).

[5] Office of the Privacy Commissioner of Canada, “Personal Information” (October 2013), online: Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_02/> [Personal Information].

[6] PIPEDA, supra note 1 at Schedule 1, s 4.3.

[7] Ibid at s 7(3).

[8] Ibid at ss 7(3)(h)(i)-(ii).

[9] Note that section 4.3.6 of Schedule 1 of PIPEDA does state that one can give consent “by an authorized representative (such as a legal guardian or a person having power of attorney)”. However, this seems to pertain to consent by an individual while they are still alive, and thus does not seem to have relevance for the purposes of an individual’s estate.

[10] Office of the Privacy Commissioner of Canada, “Accessing your personal information – federal government” (July 2019), online: Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/en/privacy-topics/accessing-personal-information/api_gov/> [Accessing your personal information].

[11] Note that the Government of Canada provides similar commentary on its own website: Government of Canada, “Can I get personal information about someone who is deceased?” (January 2020), online: Government of Canada <https://www.cic.gc.ca/english/helpcentre/answer.asp?qnum=466&top=1> [Government of Canada].

[12] Office of the Privacy Commissioner of Canada, “Beneficiary’s access to estate information is limited to his own personal information under PIPEDA (PIPEDA Report of Findings #2013-005)” (2 October 2013), online: Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2013/pipeda-2013-005/> [Beneficiary’s access to estate information].

[13] Office of the Privacy Commissioner of Canada, “Guidance on managing family member/household accounts” (February 2014), online: Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/en/privacy-topics/accessing-personal-information/obligations-for-organizations/gd_fam_201402/> [Guidance].

[14] Thus, PIPEDA applies to the remaining Canadian provinces and territories.

[15] Personal Information Protection Act Regulations, BC Reg 473/2003 at s 3 [B.C. Regulations].

[16] Personal Information Protection Act, SBC 2003, c 63 at s 23 [B.C. PIPA].

[17] Personal Information Protection Act, SA 2003, c P-6.5 at s 61(1)(d)(i) [Alberta PIPA].

[18] Act respecting the protection of personal information in the private sector, CQLR c P-39.1 at ss 30, 43 [Quebec Act].