Federal Laws Part II. – The Stored Communication Act

The Electronic Communications Privacy Act (and its part, the Stored Communication Act) can also be the limit of access to the deceased’s online data for the personal representative. The Stored Communications Act specifically regulates that for the service providers it is forbidden to disclose any data in connection of the electronic communication they provide. The Act’s privacy protections have been a significant obstacle for fiduciaries and family members seeking access to the contents of a deceased individual’s online user accounts. However this prohibition can be broken in defined exceptional situations. Thus, the electronic communication provider is the recipient of such communication (for example, if you did not send that email), if the deceased gave his or her lawful consent for the person requesting access or for the law enforcement offices (if it is likely that the data contains information for a crime).

The full text of the Stored Communications Act available here.

In these exceptional cases, the provider is required to disclose the deceased’s online data. On this issue the law contains a provision that regulates voluntary data disclosure. However, this can only be done by “service providers” that are not provide public electronic communication services. For this a good practical example can be an employer who can consider whether to release for the relatives the dead employee’s professional letters, and the private letters he or she sent or received on the company e-mail.

The Stored Communication Data Act was interpreted in the very new case of Ajemian v. Yahoo by the the Supreme Judicial Court of Massachusetts. The briefs filed in this case by the parties are available here.

The Supreme Court concluded  that the personal representatives may provide lawful consent on the decedent’s behalf to the release of the contents of the email account.

This is a really significant action in the legal aspects of online data after death: the Supreme Court broadened the circle of people who can give lawful consent for the release of online data such as e-mail accounts.

Jim Lamm, the great expert of this topic dedicated a post to this subject on his blog, which you can reach here.

Federal Laws Part I. – Computer Fraud and Abuse Act (CFAA)

I haven’t posted on the blog for a long time, but there is a reason why. Lately I’ve been working on a study about the legal classification of the Terms of Service on social media sites. It has finally been published (yet only in Hungarian) and I had the opportunity to present my findings for the first time on a conference for PhD students. I will definitely share my thoughts about this topic on this site in the future, but now I would like to focus on the main subject of the blog, the legal aspects of online data after death. More precisely, on the effective federal laws in the United States, which refer to this issue.

Generally, we can declare there are three federal laws in the USA, which are connected to our topic in an outstanding degree:

  • Computer Fraud and Abuse Act (CFAA)
  • Electronic Communication Privacy Act (ECPA)
  • Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA)

RUFADAA is a federal law enacted by 24 member states at the moment, and it is a law regulating entirely the issue of how relatives (fiduciaries) can get access to the digital assets of their deceased loved one. I know that this is a key law of understanding the topic I am writing my posts about but as a good poker player I would like to delay my trump card for a later post. It is also important to get to know the other two federal laws.

This time I would like to introduce the importance of Computer Fraud and Abuse Act (CFAA).

The Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. This law has been made to prevent attacks against „protected computers”. At the beginning, this definition was applicable only for computers used by the US Government and its authorities.  It is basically a criminal law, but from 1994 private individuals and companies have the opportunity to start a legal action against the violators of this law.

CFAA name 7 different types of action which can be criminalized by this law. One is really important from our aspect: not only the access of a computer without authorization is a crime, but the exceeding the authorization also. Why is it important for us?

Because service providers often refer to this part of the CFAA when they refuse the request of leftovers for access to the online data of their deceased relative.  They would commit a crime by exceeding the authorization they get from the deceased person for storing their data and give access to the relatives. Naturally, there is no chance to get authorization from the “owner” of these data, unless there are provisions in the will about this problem.

Next time, I am going to introduce the connection of Electronic Communication Privacy Act to the topic of online data after death. And I promise it won’t take 3 and a half months again.

Is this a legal issue at all?

It is a fair question, but the answer is a big indisputable YES. The extremist views about the internet as a law-free zone are left behind for years, but the right answers from legislatures to the sensitive issues of the intemperate use of the web are yet to come.

If we focus on our main topic – legal aspects of online data after death – as far as we know there has been only one legal system until know, where the legislative power tried to find answers for these complicated legal and moral questions.

Of course, we can approach it from a theoretical aspect. If we think of the rules of privacy law, we can be lost easily, because the most of the national privacy laws consider personal data as information which can be connected to a natural person. That means after someones death, his or her online data ceases to be personal data and become… What? There is no answer in these laws for this question.

Only the „right of the dead” which is actually the subsistence of the deceased personal rights, and a legal tool for the relatives can help the mourning relatives to defend their lost loved one’s memory against offending comments and other immoral online actions, but it does not mean they have right to get access to the leftover online data, family pictures, unsent messages, etc. This is the Bermuda Triangle of this topic, where there are so less answers, and several uncleared issues.

As far as we know we can find related acts in the legal system of the United States. There are two levels of these acts: federal and on the level of member states. What is the content of these laws, and what is the relationship from the aspect of application? This is what my next post is going to be about.