Digital legacies refer to the data we leave behind when we pass. During our lifetimes, we inevitably and voluntarily generate large amounts of data. We create, share, and store content on the internet, through platforms such as social media sites, user reviews, online banking, and many others.
While countries are developing regulations for digital legacies, and there are several multilateral fora to discuss regulations on digital assets, such as cryptocurrency, international efforts for digital legacies have yet to evolve. Given the digital footprints that we leave behind and the borderless nature of the internet, it is essential for the international community to develop sound policy on digital legacies.
Digital property can be categorised into either personal digital property or personal digital property with monetary value.
Personal digital property refers to computers, external hard drives, flash drives, information stored electronically (i.e. online, in the cloud, or on a physical device), domain names, intellectual property, etc.
Personal digital property with monetary value may include websites or blogs through which you gain revenue; art, photographs, music, eBooks that generate revenue; accounts that are used to manage money (e.g. Paypal, online banking, etc.); and digital currency. These two categories may overlap; for instance, computers and other electronic communication devices have monetary value.
Digital assets are regulated by laws surrounding data privacy and unauthorised access to computer systems. Terms of service agreements for online services also place restrictions on or prohibit access to digital assets by individuals other than the user themselves. In the context of the deceased, both of these safeguard mechanisms are still evolving to ensure the right to access digital assets while respecting their privacy and will.
The increased popularity and prevalence of digital currency, such as Bitcoin, adds importance to establish a regulatory framework for digital assets as they clearly have monetary value. While a traditional bank or broker typically requires executors to provide an original death certificate and letters of testamentary in order to take control of accounts of the deceased, cryptocurrency requires the fiduciary to have the passcode of the decedent to access and transfer the account for estate administration purposes, according to the American Bar Association. However, the ease of administration is accompanied with certain risks, as the fiduciary, for instance, could make a transfer that is not authorised by the estate planning document. Also, the fiduciary needs to be aware of existing laws and the terms of service agreement of the platform and ensure that actions taken on the deceased’s account are not violating any policy.
It is extremely important for those who own digital currency to let their family or representative know their password. Bitcoin.org warns that ‘if the location of your […] passwords are not known by anyone when you are gone, there is no hope that your funds will ever be recovered’.
Policymaking at the national level
Since there is no common agreement at the international level, the existing instruments which address digital legacies are enacted and implemented at the national level. There are two main types of legislation pertaining to digital legacies: data protection laws and succession laws. While uploaded data is protected as long as a data owner is alive, it may not be once they pass away. This is because data protection laws, such as the EU’s General Data Protection Regulation (GDPR) do not apply to data of the deceased or do not explicitly address its applicability to those who passed away. Perhaps the most comprehensive law related to digital legacies is the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA) in the US. While the Act grants the right to access and manage the data and digital assets of the deceased with a fiduciary, some may question that it may infringe the privacy of the deceased.
United States of America
In terms of establishing a legally binding instrument addressing the management and succession of digital legacies after death, the US is one of a few countries that has introduced a law that exclusively addresses the handling of digital legacies. In 2015, the RUFADAA was drafted by the Uniform Law Commission (ULC) and has been adopted by 41 states and the US Virgin Islands as of March 2020.
The RUFADAA grants fiduciaries the authority to access digital assets of the deceased or incapacitated when they ‘expressly consented to the disclosure of the content of the digital assets, either through what the RUFADAA refers to as an ‘online tool’ or an express grant of authority in the user’s estate planning documents or power of attorney’ (Walker 2017). In case the user provides no direction via either an online tool or other applicable documents, the terms of service agreement (TOSA) of the provider will govern the rights of the fiduciary.
The Uniform Access to Digital Assets by Fiduciaries Act was proposed in 2016 by the Canadian Uniform Law Commission, however it has yet to be adopted. Therefore, it is up to an individual to plan and protect their digital assets after their passing or in case of incapacitation. The proposed legislation, similar to the American RUFADAA, governs the rights of fiduciaries to access digital assets of the deceased or incapacitated persons. The province of Alberta is the only Canadian jurisdiction that has specific legislation: The Personal Information Protection Act (PIPA) is in place to ensure the fiduciary to access and administer digital assets of the deceased.
The Data Protection Act 2018 defines personal information as any information relating to an identified or identifiable living individual. Personal information of the deceased, therefore, is not covered under the Act and subjected to the terms of services of any given website. However, the personal information of the deceased held by public authorities is accessible upon request under the Freedom of Information Act (FOIA) enacted in 2000.
Member States of the European Union
Since the EU’s GDPR does not apply to the data of decedents, member states; develop their own legal frameworks to protect the data and privacy of the deceased. While some countries in the EU have revised their privacy protection laws to ensure that the deceased’s data is secure and will be deleted after a certain amount of time, others have yet to clarify the conditions in these circumstances.
The Spanish Data Protection Act (DPA) explicitly states that the personal data of the deceased is not covered by the DPA. However, it recognises that individuals have the right to digital will. Also, it acknowledges that the heirs of the deceased have the right to access, erase, and correct data unless the deceased would have prohibited it or it is not in accordance with applicable law.
While German law has not established a rule on the management and protection of personal data after death, in a court case in 2018, the Federal Supreme Court of Justice overturned a lower court ruling and granted the parents of a deceased girl the right to access her Facebook account, citing the principle of universal succession.
As a leading country of digital transformation, Estonia has one of the most developed regulatory measures in place to handle digital legacies. Article 9 of the Personal Data Protection Act explicitly states in regard to the processing of personal data of the deceased that ‘the consent of a data subject shall remain valid during the lifetime of the data subject and for 10 years after the death of the data subject, unless the data subject decided otherwise. If the data subject died as a minor, his or her consent shall be valid for the term of 20 years after the death of the data subject’. In addition, the processing of a deceased person’s personal data is permitted only with the consent of the successor, unless 10 years have passed since the death of a data subject, or 20 years have passed since the death of a data subject who was a minor.
Article 7 of the Personal Data Protection Law explains the stipulations concerning the protection of the personal data of a deceased person. The processing of the deceased’s data is permissible with the consent of an immediate family member, or when 30 years have passed since the death. Also the law allows for the processing of the deceased’s data when it is necessary for inheritance rights to be realised. However, post-mortem data processing is impermissible if a data subject before their death had prohibited it in writing.
The Privacy Protection Law (PPL), enforced since 1981, prohibits the collection, storage, and use of personal data by online media or services without consent from a data owner. The PPL states that the following infringes privacy:: The publication of a photograph of a deceased person in a way that the person can be identified without the deceased’s prior permission, permission of their immediate family, or before fifteen years have passed since their death.
United Arab Emirates (UAE)
The UAE does not have a comprehensive privacy protection law. However, Article 378 of the UAE Penal Code prohibits the infringement of one’s privacy unless authorised by law, or without prior consent.
The General Rules of the Civil Law of China, which came into force in October 2017, states that digital assets are lawful personal properties of ‘natural’ persons and can be lawfully inherited. People can list their virtual properties, such as cash deposits in AliPay, WeChat, or an online gaming account in their wills. In May 2020, China revised its inheritance law for the first time when the country adopted its first civil code. The updated inheritance law allows citizens to inherit their internet property, including cryptocurrency and online gaming items.
As of March 2020, the Korean Personal Information Protection Act does not apply to the personal information of the deceased. The term ‘personal information’ is defined as any information capable of identifying a living person.
Japan does not currently have a regulation in place regarding digital legacies. The personal information protection law does not apply to the personal data of the deceased. Therefore, digital assets, such as personal information stored online and loyalty points, are subject to the terms of service agreement of a platform. Also, as of March 2020, digitised wills have not been approved in the country because a digitised version cannot prove that the will is created by the individual of interest before their death. Only a hand-written will is recognised as a legally binding directorate to manage the assets of the deceased.
The Personal Data Protection Act (PDPA), enacted in 2013 and revised in 2019, applies to the personal data of natural persons (living and deceased). The applicability of the PDPA expires 10 years after the death of a deceased individual.
The Personal Data Protection Act in Thailand will come into force in May 2020. However, it explicitly states that the personal data of deceased persons is not subject to the Act.
India has passed the Personal Data Protection (PDP) Bill, however it does not state that the personal data of deceased individuals is subject to the law.
The Federal Law on Protection of Personal Data Held by Private Parties grants citizens the right to request data protection; However, it states that ‘a request will be dismissed where the data owner dies’, In regard to digital assets succession, the Fintech Law, published in March 2018, outlines that account holders of Electronic Payment Funds must appoint beneficiaries, so that Electronic Payment Fund institutions can grant the funds to designated beneficiaries. If no beneficiaries have been appointed, the funds must be granted to the deceased user’s succession, according to the applicable Mexican laws.
The Personal Data Protection Act, which was enacted in 2000, protects all personal information of natural persons (living and deceased). The deceased’s heir is entitled to exercise the right to access information on the deceased’s behalf, and the requested information from a public or private database must be provided within 10 calendar days.
Brazil’s General Data Protection Law (LGPD) was enacted in 2018 and is scheduled to come into force in August 2020. The LGPD, however, only applies to the personal data of a natural person. There is no specific regulation for the succession of digital assets, therefore the general succession rule shall apply.
While Ethiopia does not have a privacy protection law, the Mass Media Proclamation defines personal information as data and information that can identify an individual. Article 2(8) states that the information of a deceased person who died more than 20 years ago is not considered personal information.
The Data Protection Regulation of Nigeria does not explicitly provide for the data protection rights of deceased individuals. The definition of a data subject is an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical physiological, mental, economic, cultural, or social identity.
Tech giants’ policy on digital legacies
Tech giants have developed and are implementing policies on digital legacies. While some hand over a deceased person’s data and information to their family members, others do not in order to respect and protect the privacy of the deceased. The aforementioned personal data protection laws hold tech companies liable in case of data breaches and information thefts. Such safeguarding mechanisms may lead tech companies to inhibit families and beneficiaries from accessing the deceased users accounts in order to adhere to the regulations.