chevron-down Created with Sketch Beta.
January 01, 2016

What Happens to Your Big Data after You Die?

Much “big data” is generated easily and voluntarily, if unwittingly, by individuals engaged in ordinary life. Each time they use a Web-based email service, store a photograph online, post a message on Facebook, or make an online financial transaction, they contribute to the growth of big data.

An individual’s contributions to big data end with death. But one passes away without notifying the cloud, and information an individual placed online remains long after that person shuffles off the mortal coil. Retrieving that data, however, can be a significant challenge.

Unlike in the physical world, where family members, executors, administrators, or trustees can place their hands on a person’s correspondence, touch photographs, and review financial records, a deceased person’s survivors can encounter significant legal difficulties in locating and collecting a person’s digital remains. This poses a serious problem for family members and fiduciaries of estates who have legal duties to account for, and dispose of, assets of a decedent’s estate.1 Furthermore, as records move online, fewer paper records are left behind, and some valuable assets exist only in digital form.

These issues were summarized in the ABA Section of Science & Technology Law’s September 22, 2015, CLE webinar, “Privacy, Probate, and What Happens to Your Digital Data after You Die?”2 The program discussed the model law to address these issues that the Uniform Law Commission has approved—and revised—for consideration by state legislatures. The program also discussed why privacy advocates initially opposed that effort, as well as tools that online service providers have developed to enable individuals to express their preferences.

The Trusts and Estates Bar

To the trusts and estates bar, the issue is straightforward. Their task is to identify the assets of a decedent’s estate and dispose of those assets as directed by law and any appropriate will or trust documents left by the decedent. This duty is unaffected by whether the assets of the estate are on paper or stored in the cloud.

Accordingly, the trusts and estates bar wants access to the records of a decedent’s online accounts (to know what’s there) and to digital assets that have inherent value (domain names, items bought within games) in order to carry out legal duties. But online service providers, finding themselves constrained by federal laws and, often, their own terms of service, have presented challenges.3

Online Service Providers

First, those online service providers that want to provide a decedent’s digital remains to an executor may fear that the federal Stored Communications Act (SCA) prohibits them from doing so. The SCA, codified at 18 U.S.C. § 2702, generally provides that online service providers shall not “knowingly divulge to any person . . . the contents of a communication while in electronic storage by that service.”

Many online service providers interpret the SCA to mean that they may not disclose the contents of a communication stored by that service to a fiduciary. Notably, the SCA makes no exception for executors, other fiduciaries, or family members. Although an exception allows disclosure to an agent of the “intended recipient” or with the “consent” of the originator or recipient, the language does not extend the exception to fiduciaries of the sender or the user of an account. Nor, unhelpfully, does the SCA define “consent.” Consequently, some online service providers have been reluctant to release the contents of a deceased user’s account where family members or executors have presented a death certificate, lest the service provider be deemed to be in violation of federal law; providers instead have insisted that the fiduciary obtain a court order.4

“Records”—as opposed to contents—are treated differently under the SCA. The SCA allows the online provider to divulge records about contents of a digital account to any person other than a governmental entity. This means, for example, that a service provider could confirm to a fiduciary that the provider has information about a deceased user, but could not, without more, divulge the contents of any communication stored on the service.

Second, under the Computer Fraud and Abuse Act (CFAA), someone who “intentionally accesses” a protected computer “without authorization or exceeds authorized access, and thereby obtains” information has committed a crime.5 In theory, any access by a fiduciary—no matter how well intentioned—could be “unauthorized” and thus illegal unless the decedent had given consent before dying. Although prosecutors would seem unlikely to bring charges against an executor for attempting to locate an estate’s assets, few executors would want intentionally to engage in a criminal act.

Third, many online service providers feel constrained by language in their terms of service providing that data will be shared or transferred only at the direction of the user. Such terms might further provide that neither the account nor any private contents therein are transferable at death.6 Some providers have argued that they are bound not to disclose data to a fiduciary or family member because neither is the “user.” Furthermore, disclosing information to anyone other than the user may expose a provider to liability for engaging in a deceptive trade practice under section 5 of the Federal Trade Commission Act. The FTC has brought numerous enforcement actions against providers that allegedly failed to live up to their privacy commitments.

UFADAA

To address this predicament, the Uniform Law Commission drafted a model act intended to give fiduciaries access to a decedent’s digital assets. The Uniform Fiduciary Access to Digital Assets Act (the UFADAA),7 as initially drafted (it has since been revised, see below), provides for access to digital data by four types of fiduciaries:

  1. Executors or administrators of deceased persons’ estates;
  2. Court-appointed guardians or conservators of protected persons’ estates;
  3. Agents appointed under powers of attorney; and
  4. Trustees.

The general approach taken by the UFADAA is that a court-appointed fiduciary would have the same rights as the decedent to access and manage the decedent’s digital assets and may distribute or dispose of those assets to the same extent as for physical assets unless the decedent had expressly provided otherwise. In effect, this constitutes a default right of access by the fiduciary. This approach reflects the views of the trusts and estates bar that an executor should have equal ability to access an online account and a bricks-and-mortar account. The UFADAA also provided that terms of service that blocked disclosure would be void as against public policy.

In February 2015, the ABA House of Delegates approved a resolution declaring the UFADAA to be “an appropriate Act for those states desiring to adopt the specific substantive law contained in the Act.” Nevertheless, the 2014–2015 state legislative sessions were rough on the UFADAA. Although introduced in some 27 states, not one enacted it, although Delaware had enacted an earlier version of what became the UFADAA.

This lack of success was due to opposition from online service providers and privacy advocates. They generally believed that the UFADAA did not establish an appropriate degree of privacy protection for digital data. In particular, they objected to the default that all data was accessible to the fiduciary unless the user had expressly provided otherwise, which was viewed as insufficiently protective of the privacy interests of both the decedent and of third persons with whom the decedent had communicated online. A related concern was that the sheer quantity of digital data meant that it should not simply be treated as equivalent to paper records.

Revised UFADAA

Motivated in part by the UFADAA’s lack of success in the states, the Uniform Law Commission revisited the UFADAA in early 2015 and, after consultations with online providers, adopted a revised version (the revised UFADAA or RUFADAA) that made a number of changes to address the privacy concerns that plagued the original UFADAA.8

Perhaps the most significant change in the revised UFADAA is a reversal of the default position regarding access to the contents of communications. The original UFADAA provided that the representative has presumptive access unless the decedent had provided otherwise. The RUFADAA reverses this default, providing that the representative is permitted access only if the decedent had consented to disclosure. In contrast, in the case of other digital assets, the RUFADAA continues to provide that a fiduciary has access unless the decedent had directed otherwise, which was the default for such assets in the original UFADAA.

Another change is in the treatment of boilerplate language in website terms of use. The original UFADAA provided that a blanket prohibition on fiduciary access contained in terms of service would be void as contrary to public policy. The RUFADAA replaces that default with a new approach that grants greater recognition to the decedent’s wishes. First, the decedent’s direction in a will, trust, power of attorney, or other record will override an online service provider’s terms of service. Second, if the decedent expressed a direction using an online tool offered by an online service provider, that direction takes precedence over both an offline direction and the terms of service, but only if the decedent could have changed the direction in the online tool at any time. Finally, if the decedent gave no direction, either online or offline, the terms of service would control.

Prospects for the RUFADAA in state legislatures are more promising than for the original UFADAA because the RUFADAA addresses the principal concerns that online service providers and privacy advocates had with the original version of the model law. Of course, as with any model law, the details may vary among the states, so lawyers should pay close attention to the jurisdictions of interest to them.

Retrieving Assets from Big Data after Death

Although several years may elapse before the RUFADAA becomes the law in many states, individuals, online service providers, and their attorneys now have a likely framework in which to make plans. The result should be a greater opportunity for individuals to control what will happen to their digital assets after their death that is similar to their ability to do so in the paper-based world but adapted to the characteristics of the digital world. Trusts and estates attorneys will want to be sure to ask their clients about these matters, and attorneys for online service providers should do the same.

Individuals wishing to ensure that their digital assets can be retrieved from online accounts after their death, or who wish to ensure that certain communications are not made known, can take steps today. Truly organized people could prepare an inventory of their digital accounts and indicate what assets, if any, may be stored on each, and indicate where that document resides. The Center for Democracy and Technology, a public interest advocacy group that provided a panelist at the September 22, 2015, webinar, has published a set of recommended actions for individuals.9 These include, among other things, that users should make use of tools provided by particular online platforms, such as Google’s Inactive Account Manager or Facebook’s Legacy Contact, to make their intentions clear.10

Taking steps such as these may enable individuals to control the disposition of digital assets after their death. Indeed, this may be one of the few aspects of big data that individuals are in a position to affect and control.

Endnotes

1. For example, the San Jose Mercury News reported on the difficulties the father of the late author Marsha Mehran had in gaining access to manuscripts that she had stored in DropBox. Matt O’Brien, Who Owns Your Digital Afterlife?, San Jose Mercury News, Aug. 28, 2015, http://www.mercurynews.com/business/ci_28721510/who-owns-your-digital-afterlife.

2. A recording of the CLE program can be downloaded at shopaba.org.

3. For an early summary of some of these problems, see James D. Lamm et al., The Digital Death Conundrum: How Federal and State Laws Prevent Fiduciaries from Managing Digital Property, 68 U. Miami L. Rev. 385 (2014). See also Alexandra Elliott, Comment, Death and Social Media Implications for the Young and Will-Less, 55 Jurimetrics 381 (2015).

4. See In re Facebook, Inc., 923 F. Supp. 2d 1204, 1206 (N.D. Cal. 2012).

5. 18 U.S.C. § 1030. In addition, every state has a law that criminalizes unlawful access to computers; typically these were enacted to prevent spyware or hacking.

6. For example, Yahoo!’s terms of service provide that a user’s account “is non-transferable and any rights to your Yahoo ID or contents within your account terminate upon your death.” Yahoo Terms of Service, Yahoo!, https://policies.yahoo.com/us/en/yahoo/terms/utos/index.htm (last updated Mar. 16, 2012).

7. Available at http://www.uniformlaws.org/shared/docs/Fiduciary%20Access%20to%20Digital%20Assets/2014_UFADAA_Final.pdf.

8. Available at http://www.uniformlaws.org/Act.aspx?title=Fiduciary%20Access%20to%20Digital%20Assets%20Act,%20Revised%20(2015).

9. See Alethea Lange, Everybody Dies: What Is Your Digital Legacy?, Center for Democracy & Tech. (Jan. 23, 2015), https://cdt.org/blog/everybody-dies-what-is-your-digital-legacy/.

10. See Inactive Account Manager, Google, https://www.google.com/settings/u/0/account/inactive; What Will Happen to My Account If I Pass Away?, Facebook Help Center, https://www.facebook.com/help/103897939701143.

Entity:
Topic:
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.