1. DISPELLING THE MYTHS: THE
IMPACT OF PRIVACY RIGHTS ON
DIGITAL ASSETS
Anita Fineberg, LL.B., CIPP/C
STEP PRESENTATION
September 19, 2012
STEP Toronto Page 1
2. Agenda
The Myths
#1 The expectation of privacy of a deceased person dies with that person
#2 No one could make a breach of privacy claim as a result of an executor’s alleged
breach of the of the privacy rights of the deceased
#3 The location of the physical device of the deceased determines the privacy laws
that may apply
#4: An executor has the right to all digital assets of the deceased as the property of
the estate
#5: In the absence of specific direction from the deceased, it is relatively easy for an
executor to gain access to digital accounts
#6: Social media assets accessed or controlled by employees form part of an
employee’s estate upon their death
Conclusions
Questions
Contact Information
Reference Material: Accessing Online Accounts of a Deceased
STEP Toronto Page 2
3. Myth #1: The expectation of privacy of a
deceased person dies with that person
The Facts
• Canadian privacy law affords protection to personal and
personal health information of individuals after their death
• There are exceptions for the collection, use and disclosure of
personal information solely for personal or domestic
purposes: “non-commercial activities”
STEP Toronto Page 3
4. Myth #1: The expectation of privacy of a
deceased person dies with that person
The Facts
• In the context of a deceased’s “commercial activities”
• Canadian private sector law is not clear
STEP Toronto Page 4
5. Myth #2: No one could make a breach of
privacy claim as a result of an Executor’s
alleged breach of the of the privacy rights of
the deceased
The Facts
• Privacy concerns are frequently raised to advance other
claims
• Disputes over the deceased’s commercial activities may be
“cloaked” as a breach of privacy claim
STEP Toronto Page 5
6. Myth #3: The location of the physical device of
the deceased determines the privacy laws that
may apply
The Facts
• Neither the physical location of the hardware, nor the
geography in which the information was created are
determinative
• Lawson v. Accusearch Inc.
STEP Toronto Page 6
7. Myth #4: An executor has the right to all digital
assets of the deceased as the property of the
estate
The Facts
• Privacy rights of a deceased may act as a barrier to access to
the digital assets of a deceased
• Absent a court order, electronic service providers (ESPs) are
under no legal obligation to cooperate with an Executor to
provide access to a deceased’s digital assets
STEP Toronto Page 7
8. Myth #4: An executor has the right to all digital
assets of the deceased as the property of the
estate
The Facts
• Currently no Canadian laws address this issue
• Facebook v. Stassen
• A number of U.S. states have enacted legislation which
specifically addresses a deceased’s digital legacy; e.g. Rhode
Island, Connecticut (email accounts);Indiana (“electronically
stored documents of the deceased”2007);Idaho and Oklahoma
• Uniform Law Commission Study Committee on fiduciary
power and authority to access digital property and online
accounts during incapacity and after death
STEP Toronto Page 8
9. Myth #5: In the absence of specific direction
from the deceased, it is relatively easy for an
Executor to gain access to digital accounts
The Facts
• All are different in terms of the manner in which they
“balance” the privacy rights of the deceased and the
responsibilities of an executor:
• Processes are difficult to locate on the site
• How they deal with accounts of deceased individuals
• Information required to submit an application
• The information that may be provided
• To whom the information may be provided; e.g. a representative
of the estate or a beneficiary
STEP Toronto Page 9
10. Myth #5: In the absence of specific direction
from the deceased, it is relatively easy for an
Executor to gain access to digital accounts
The Facts
• Clarification of rights of executors required to meet privacy
and other challenges to address deceased digital legacy
STEP Toronto Page 10
11. Myth #6: Social media assets accessed or
controlled by employees form part of an
employee’s estate upon their death
The Facts
• Privacy policies and/or site Terms of Use apply to the
individual use of the site
• Complex issues that may not be addressed by legislation,
corporate policies or social media terms of use
• Issues relate to:
• Ownership of the account (PhoneDog v.Kravitz, 2012)
• Content posted to the account
• Ownership of relationships (Eagle v. Morgan, 2011)
STEP Toronto Page 11
12. Conclusion
• Both privacy laws and site privacy policies and/or terms of
use may act as a “barrier” to an executor’s access to digital
accounts and assets
• Policy questions remain to be addressed
• Distinction between “non-commercial” and commercial uses
of personal information
• Highlights the need for proactive digital estate management
STEP Toronto Page 12
14. Contact Information
Anita Fineberg, LL.B., CIPP/C
Barrister & Solicitor
President, Anita Fineberg & Associates Inc.
416.762.4583 (B)
416.565.5007 (C)
afineberg@sympatico.ca
http://www.linkedin.com/in/anitafineberg
Privacy by Design Ambassador
STEP Toronto Page 14
15. Accessing Online Accounts of a Deceased
LinkedIn:
• can inform about user’s death but cannot ask to provide you
with account details or transfer the account to you
• reporting the death – verification of death form requires the
deceased’s email address
http://help.linkedin.com/app/answers/detail/a_id/2842
• account gets closed
• no references to access by Executor
STEP Toronto Page 15
16. Accessing Online Accounts of a Deceased
Twitter
• when advised of a user’s death, digitalizes all public tweets
and provides them to the beneficiary before closing the
account
• need to provide username and twitter username, copy of
death certificate; government-issued ID
• signed, notarized statement with required information
• the account is not transferred; public tweets are provided
• https://support.twitter.com/articles/87894-how-to-contact-
twitter-about-a-deceased-user
STEP Toronto Page 16
17. Accessing Online Accounts of a Deceased
Facebook
• does not close or transfer the account; “memorializes”
the account so that Facebook friends of the deceased
may log in to post messages
• advise Facebook of user’s death , but need to know the
Facebook URL and email ID of the deceased
• http://www.facebook.com/help/contact/?
id=305593649477238
• “We also may close an account if we receive a formal
request that satisfies certain criteria.”
STEP Toronto Page 17
18. Accessing Online Accounts of a Deceased
Microsoft Hotmail
• to access account of deceased relative
• Microsoft will provide access after six months
• http://answers.microsoft.com/en-
us/windowslive/forum/hotmail-profile/my-family-
member-died-recently-is-in-coma-what-do/308cedce-
5444-4185-82e8-0623ecc1d3d6
STEP Toronto Page 18
19. Accessing Online Accounts of a Deceased
Google
• may or may not provide relatives with access to deceased’s
emails
• http://support.google.com/mail/bin/answer.py?
hl=en&answer=14300
• as of March 1, 2012, Google changed its privacy policy and
terms of service so that one now covers multiple products and
services
STEP Toronto Page 19
Editor's Notes
Good afternoon – thank Elena for inviting me her to speak today. Erin has addressed such issues as Why should we care? What is the law? What is the difference between digital assets vs. accounts and what steps you should take to protect your virtual estate. I’ll speak to privacy issues that an Executor may encounter in protecting a virtual estate as Erin has described. I’ll continue to use Erin’s important distinction between digital accounts vs. digital assets. A few examples of things to keep in mind re: why an Executor or someone else may want to access digital assets and their value which may not be financial - spouse passing away without leaving surviving spouse the userID and password for bank accounts to Facebook accounts where parents want to know why their child committed suicide. Value can be concrete – e.g. Twitter followers or Facebook “likes” for an online company; or emotional as noted; interesting in the context of the sale of a business re: “goodwill”. Paypal accounts with balances
My objectives are to: (i) dispel some commonly held myths related to privacy, death and a deceased’s digital accounts and assets, from both the perspective of privacy legislation and privacy policies of some common sites. The “myths” are actually derived from statements and comments made by some individuals in their discussions of digital estate planning.
This myth is actually a quote from the case of R. v. Sanderson, decided by the then Ontario Court of Justice in 2000. I have heard it used by counsel to claim that privacy issues are ireelevant in the discussion of digital estates. The facts are that Canadian privacy aws must be considered. Canadian privacy laws fall into 3 categories: (i) those that deal with information in the private sector – we have federal and provincial laws; (ii) those that apply in the public sector – such as government; and (iii) in some provinces those applicable to personal health information in both the public and private sectors. It is the private sector laws that will generally apply when dealing with digital accounts and assets. These laws apply to what we call personal information (PI) or personal health information (PHI). And what we see is that this is most commonly defined as “information about an identifiable individual”. There is no reference to whether the individual has to be living, unlike the situation in laws related to PHI. So I think it fair to say that both account information, as well as the information contained in the online files of the deceased will fall within this definition. Based on these exceptions – any pi, such as emails, that are held on a personal computer used exclusively for the deceased’s personal use may thus be accessed by the estate trustee, assuming they know the user ID and password. . This general statement needs to be qualified depending on the jurisdiction (federal or provincial); type of information (personal or PHI) or public or private sector as they are different providing that privacy exists for e.g. 20 or 50 years after death. However, do not assume on the basis of legislation e.g. The BC FOIPA re: personal information of a deceased may be accessed by the deceased’s personal representative that this applies across the board
But what if the exception doesn’t apply – the deceased has run their business from their personal laptop? Does the executor have the right to access that information that may include the personal information not only of the deceased, but of their employees, and potentially their clients and others? Most public sector privacy laws provide such as BC’s Freedom of Information and Protection of Privacy Act does that rights of access to personal information may be exercised by a deceased’s nearest relative or personal representative. However private sector legislation does not afford such rights to an executor. or other representative.
I have been asked who is going to claim damages as a result of an executor’s alleged breach of the deceased’s privacy rights? Fair question – however, as is frequently the case alleged infringement of privacy rights may be used to advance another claim. For example, in this case in a dispute over the assets of the deceased’s business, or between the deceased and an employee creative counsel may well claim that the executor did not have the authority to access the personal information in the first place. It is very important to note that under Canadian law a breach of privacy claim need not be brought by the individual whose personal information was allegedly accessed without the proper authority – anyone can raise the issue.
If we assume that we are considering the application of privacy laws to online content, one of the most vexing questions is to determine what laws apply – as you can appreciate in the online world, information knows no boundaries. So if a deceased created the information in may different places, the physical device is located in Canada but the company; e.g. Facebook is located elsewhere (the US) do Canadian privacy laws even enter into the picture? Like numerous digital issue law is somewhat unsettled. However in the Lawson case [2007] 4FCR 314 the FCC held that the relevant test to determine whether the Federal Privacy Commissioner has jurisdiction under PIPEDA to investigate a complaint against a foreign-based organization is whether there is a real and substantial connection between the subject matter, the parties or the territory to Canada – determined that she did and that’s why she investigated complaints related to Facebook. However in the absence of a complaint, the extraterritorial scope f the application of Canadian privacy legislation has yet to be tested in the courts.
This leads to the next myth – digital assets where the executor does not have access to a User ID and password, and where a site privacy policy or terms of use will govern the executor’s right to access the information of the deceased. Many ESPs have no testamentary policies so conflict- practically how the executor will find the assets, gain control and transfer to the beneficiary
This is where 2 conflicting principles come into play: (i) heirs to the estate should have full access to digital accounts; vs. (ii) online services have a responsibility to protect their users’ privacy, even after death Facebook v. Stassen: son committed suicide; parents wished to access emails and social media posts in an attempt to discover why. Gmail and Facebook were concerned about son’s privacy and denied access. Parents got court orders: Google complied but Facebook did not, continuing to maintains son’s privacy. In June of this year the Stassen’s got a court order ordering Facebook to provide all the contents of their son’s Facebook account to them but as far as I’m aware Facebook has not complied. The US laws addressing this issue vary with respect to their scope. No information re: thoughts of Canadian laws being enacted to deal with this issue
As described in the Stassen case, this is clearly a myth. If the Executor does no know the deceased’s user ID and password for some common social media sites it can be a daunting task. Rather than taking the time to go through this issue now, I have included, as a reference, some summary information and web links on how some common sites – LinkedIn, Twitter, Facebook, Google, Microsoft Hotmail – deal with this Regardless in all cases may be overridden by a Court Order
As you’ll see when reviewing the processes, it is not an easy task and sometimes it is impossible.
While in the cases cited here the former employees are still alive, will be an issue when the employee is deceased and, in addition to the issues raised in these US cases, if arose in Canada, would likely have privacy issues as well because in Canada employees generally have more privacy rights than those in the US.. So in Canada, will arise re: information held on a computer owned by the deceased’s employer. Component parts of such accounts: i) user information; e.g. account’s username and password; ii) user-generated content (UGC) such as pictures , links to a user’s profile and profiles of others; iii)relationships that users have with other users. PhoneDog v. Kravitz – an employee attracted 17.000 followers to his employee-affiliated Twitter account, which was used to distribute information related to the employer’s business. When his employment at the company ended, the now former employee changed the Twitter account’s username and password – effectively converting it to a personal Twitter account – instead of relinquishing the account as requested by the employer. Employer sued former employee to get the Twitter account back Ownership of relationships: Eagle v. Morgan – dispute over former employee’s LinkedIn connections after the employee’s termination. Profile was in the name of the former employee but other employer personnel helped maintain the content and connections.. Employer alleged that former employee wrongfully misappropriated the LinkedIn Account when, after termination, he changed the password and denied the employer access to the account . Misappropriation claim survived a rule 12 challenge because, at least on its face, the employer had expended time and money developing and maintaining the LinkedIn connections. Both PhoneDog and Eagle cases are expected to be heard later this year
Privacy laws well behind the digital world generally and in this area minimal consideration of the issue One of the policy questions that needs to be addressed in my view goes to the heart of privacy issues in online accounts and makes it so important for people to address these issues before they die – Stassen – private parts of a site that one did not want parents or others to access in life – why should we assume the situation is any different when the individual dies?