Practitioners and clients alike have come to realize that there can be numerous legal challenges to administering a testator’s digital assets, including, among them, ambiguous or restrictive privacy legislation. For most Canadian provinces,[1] the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) does not appear to grant executors, trustees, or personal representatives any powers or capabilities with respect to the disclosure of a testator’s personal information.

However, in November 2020, the Government of Canada introduced new legislation that would overhaul existing privacy laws and fill in significant policy gaps. The Digital Charter Implementation Act, 2020, (“DCIA“) aims to “significantly increase protections to Canadians’ personal information by giving Canadians more control and greater transparency when companies handle their personal information”.[2] This would apply to entities such as social media platforms, online businesses and cryptocurrency exchanges.

Although the DCIA proposes numerous changes to Canada’s existing privacy framework, most notably the DCIA would replace Part I of PIPEDA with the new Consumer Privacy Protection Act (“CPPA”).

Part I of PIPEDA contains numerous limitations on an organization’s ability to use and disclose the personal information of an individual that it has collected. This includes, generally, the inability to disclose such personal information without the consent of the individual. While such limitations are subject to exceptions, none of the exceptions are applicable to an estate administration (with the exception that such information can be disclosed without the individual’s consent 20 years after the death of the individual,[3] which is not helpful for estate administration as very few estates are administered for such a long period of time).

Conversely, CPPA would provide authority relevant to digital assets in estate administration. The proposed section 4 of CPPA states the following:

 Authorized representatives

4 The rights and recourses provided under this Act may be exercised

(a) on behalf of a minor or an individual under any other legal incapacity by a person authorized by or under law to administer the affairs or property of that individual;

(b) on behalf of a deceased individual by a person authorized by or under law to administer the estate or succession of that individual, but only for the purpose of that administration; and

(c) on behalf of any other individual by any person authorized in writing to do so by the individual.

PIPEDA does not contain an analogous provision, making this a huge step towards providing executors, trustees, and personal representatives the legal authority to manage a testator’s digital assets. In addition, this section would apply to digital asset management for attorneys acting under an attorney for property, which is an equally (if not more) ambiguous legal area.

Under subsection 63(1) of the CPPA, an organization must inform an individual, upon that individual’s request, whether it has any personal information about them, how it uses such personal information, and whether it has disclosed such personal information. It also must give the individual access to that personal information. Therefore, through subsection 4(b) of CPPA, executors, trustees and personal representatives should be able to rely upon subsection 63(1) of CPPA to obtain, for example, the account information of a testator’s online accounts.

Note that while CPPA significantly overhauls PIPEDA, certain concepts have stayed the same; for example, personal information continues to be defined as “information about an identifiable individual”.

However, despite these legislative changes, in practice there still may be major challenges with respect to digital assets in estate administration. As I describe in my three-part blog series on this issue, the challenge often stems from the unwillingness of an online service provider (e.g. Facebook, Amazon, Google) to disclose a testator’s account information to their executors, trustees or personal representatives. A lack of consent under privacy legislation is one reason as to why online service providers might decline such disclosure. Therefore, it is possible that CPPA may be sufficient authority for online service providers to feel comfortable disclosing account information in this context.

Yet, as we have seen from the fallout of cases such as Henry v. Bell Mobility,[4] even a legal authority as strong as a Canadian court order may not be enough to compel an online service provider to disclosure.[5] This is partly because online service providers may want court orders from their home jurisdiction (often California). Such court orders would provide additional comfort and protection to an online service provider that such a disclosure would not violate the laws of their home jurisdiction.

In addition, many online service providers have Terms of Service which prevent a user’s account from being assigned to an individual; it is unclear at this time how such agreements would interact with section 4 of the CPPA if it were to be enacted.

The DCIA has currently undergone a first reading. It is unclear if and when it will eventually come into force, and if so if there will be any changes to it. It is entirely possible that technology stakeholders may argue that its powers are too broad; this was certainly the case with the original version of the United States Revised Uniform Fiduciary Access to Digital Assets Act, which, after drawing criticism from numerous entities (including the American Civil Liberties Union), was edited to significantly reduce the powers of executors, trustees and personal representatives.[6] Nevertheless, any improvement to PIPEDA in this regard would be a welcome change for a highly ambiguous, but highly important area of the law. After all, as technology continues to evolve, so too must the law.

[1] With the exception of British Columbia, Alberta and Quebec, which have their own privacy legislation.

[2] Government of Canada, “Fact sheet: Digital Charter Implementation Act, 2020” (17 November 2020), online: Government of Canada <https://www.ic.gc.ca/eic/site/062.nsf/eng/00119.html>.

[3] Subparagraph 7(3)(h)(ii) of PIPEDA.

[4] 2017 ONSC 6070, 284 ACWS (3d) 416.

[5] Jonathan Ore, “Ottawa mother’s quest for her late son’s passwords an uncharted legal road, say experts”, CBC (24 November 2019), online: <https://www.cbc.ca/radio/outintheopen/diy-justice-1.5351892/ottawa-mother-s-quest-for-her-late-son-s-passwords-an-uncharted-legal-road-say-experts-1.5366292>; see also Molly Hayes, “Pressing Google and Facebook for answers in her son’s death, an Ontario mother stirs the digital-privacy debate”, The Globe and Mail (27 August 2019), online: <https://www.theglobeandmail.com/canada/article-pressing-google-and-facebook-for-answers-in-her-sons-death-an/>.

[6] Betsy Simmons Hanibal, “The Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA)” online: Nolo <https://www.nolo.com/legal-encyclopedia/ufadaa.html>.