Szabolcs Németh : A legal case about the problematique of personal data after death

It’s been a while since I wrote my last post on the blog. It was becasue of technical issues about the site, but fortunately the problem has been solved. To continue the introduction of the topic of online data after death I publish one of my short studies from May 2018 about a specific legal case in Hungary which drew the attention of the Hungarian Data Protection Authority to this topic.

  1. Introduction

It is unquestionable that the Internet has gradually become a decisive part of our lives since its release, and in the last few years the related processes have accelerated so dramatically that it is difficult to keep up with them.

If we only look at the one but perhaps the most significant segment of the services available on the Internet: In 2017, it is estimated that 269 billion emails per day were sent by humanity. The numbers in connection to the most dynamically developing set of online content, the social networking sites: there are currently around 1.4 billion active Facebook users, so nearly 18.4% of the world’s population already use the most popular social site on a daily basis! This telling information is linked to the fact stated by an author of an article in the summer of 2017: 10,273 users of Facebook die a day. When discussing this topic, the first question is why is it important at all to settle the legal fate of such online data after death? Different types of online data can activate different motivations, whether it is a purely emotional or even real economical interest.In this text we are introducing a legal case from the praxis of the Hungarian Data Protection Authortiy[1] which highlights the basic legal contradiction which is lies in the topic of personal data after death.

  1. The legal case

A letter was sent to the Authority in the autumn of 2015 called for a terrible tragedy. A married woman with two children from a small town in Hungary got in connection with an Indian man on Facebook and a close emotional relationship formed between them in a short time. The man tried to get the woman to help him get to Hungary by sending a letter of invitation for the visa, because he wanted to marry her. She tried to meet the increasingly demanding needs of this man, but her husband became aware of the secret relationship. Then a few days later, the husband brutally murdered his family (his wife and two young children) one night, and then committed suicide.

The terrible tragedy, however, did not end here. The Indian man started to find the lady’s acquaintances and his mother by phone and on Facebook, still claiming for help to getting to Hungary. Since the relatives did not fulfilled his claims, he started to publish intimate photos of the woman on Facebook as well as recordings of their intimate conversations, trying to blackmail the grieving family. Later, he gave interviews for several tabloids and TV shows and kept harassing the family, for example, publicly shared the mourning mother’s phone number. A submission had been sent about this case to NAIH.  This terrible case raises several questions. There can be no doubt about the violation of the legally protected memory of the deceased. The threat of grandmother constitutes the crimes of the Hungarian Criminal Code Coercion and Harassment.

The Indian man is responsible for infringements of Criminal Law and International Civil Law.

Of course, his actions will have to be condemned on a moral basis, but in the point of view of our topic it demands a study carried out deliberately.

From the point of view of data protection law, the NAIH was unable to provide much help in submitting a response to the complainant. The territorial scope of the Hungarian data protection law does not apply to the data controller, since it is applicable to data management in Hungary.

Facebook’s European servers are located in Sweden and Ireland[2], so the only practical tool to remove offensive content is the so-called ” “Report” to alert the service provider to these content.

So, according to his previous practice, Facebook “shoots and then asks” in this respect, meaning that after the report, it removes the content that is suspected of the infringement. The right of protection of personal data provided by the Hungarian Data Protection Act necessarily belongs to the natural person affected by the data, so in this case the rights of the deceased woman could not be enforced because of her death. The disclosure of intimate photos clearly implies a serious violation of the deceased memory.
Section 2:50 of the Hungarian Civil Code states that a person who is a relative of the deceased or a person who has been appointed as a beneficiary in the testament is entitled to launch a lawsuit to the court for violating the memory of the deceased.

The biggest problem is that we can not find any legislation in force that protects the “privacy of the deceased”.

As it was highlighted in the previous section of this study, the death of a natural person means that he will not have his personal rights anymore, so there will not be any person who can take action to protect them. However, in the jurisprudence there is a so-called “progressive“ interpretation of the right to protect someone’s memory. According to this, the personal rights of the person continue to live after his death, and they may be exercised by the “holder” of the pardon law, that means that the violation of the deceased’s memory is primarily offensive for his relatives, offenses their right to remembrance, so after the death of the deceased, they have the legal tools for protection.

We contacted a few data protection authorities all around Europe with a questionnaire about the legal interpretation of similar legal cases. We have got  similar letters referring to obstacles to the enforcement of privacy law. This approach, in our view, follows a correct logic but we can not see its appearance in the effective legal environment. The American regulation, which in some cases designates a “representative” who is acting for the deceased and the legacy during the inheritance process, when settling the fate of tangible and non-tangible property, is also built on this logic.

In our opinion this is can result an erroneous legal interpretation because based on its logic these data get into a legal vacuum by the death of the person who they are connected to. Did they practically lose their legal relevance and drift only as an IT unit in the sea of web 2.0? Scarcely despite of the approaches of effective laws and law enforcement agencies (data protection authorities on the first place). In our point of view, it is still more important in terms of the legal nature of these data that they were connected to a natural person at the time of their creation and could have a lot of relevance even after the death of that person.

  • Summary

Following the case, a recommendation[3] was issued on the subject of online legal death, and the president of NAIH, later turned to the Ministry of Justice calling the attention of the ministry and the legislative backlogs on the subject. In September 2017 the draft of the new Hungarian data protection law – which performs the harmonization of the national law to the GDPR – has been published, and it contains specific regulations in the aspects of posthumous data management issues.[4]This is also the effect of The General Data Protection Regulation which directs the regulatory issues of online data of deceased persons into competence of the Member States. At the moment it is uncertain if GDPR will be the indicator of the legislation about this topic in Europe or it will provide the Member States the opportunity to ignore these questions for more time.[5]

[1] Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH

[2] As those data are planned to move to the USA to avoid the legal challanges of GDPR: https://www.theguardian.com/technology/2018/apr/19/facebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law

[3] As a recommendation it has no legal coercive force.

[4] The draft has not been enacted by the Parliament despite the real close date of when the GDPR will enter to force (25.05.2018.).

[5] Text closed: 02.05.2018.

Law & Innovation Conference Budapest 27th May 2017 – Review

On 27th May I had the opportunity to take part and make a presentation on an excellent conference in Budapest about law and innovation. Here is a brief review about the event.
18921932_1967724866700594_1550909429437089004_nThe Law and Innovation Conference was organized by ArsBoni, a community of young Hungarian lawyers and law students whose website (http://arsboni.hu/) is about making legal issues understandable for non-lawyer readers by great articles. The event took place in Impact Hub Budapest, a modernized workshop venue.

In the morning, sponsors and the representatives of ArsBoni made presentations in the topic of law and innovation (challenges of IT security, innovative products and services for lawyers or the impact of lawtech on the access to legal knowledge) and in the afternoon young jurists and PhD students were presenting about their topic in 3 sections: Law & Innovation, Internet & Law and Fintech.

We heard lectures about cybersecurity (which was such a popular topic), the legal issues of sharing economy and the impact of ‘uberization’ on labor law, e-governance, questions of copyright in the age of e-books and cloud computing or legal questions of bitcoin.

My presentation was about the legal classification of terms of use on social media, which will be an important topic in the future on this blog, too. There was also a presentation about the main topic of the blog so we had the opportunity to hear the news of legal aspects of online data after death.

The full program is available on this link (only in Hungarian).

All of the presentation was well build-up and the whole event had a great vibe. It’s always a joyful experience to be among young scientist who not just thinking about law as a discipline or a profession but looking for new ways of approach in the 21st century.

Thumbs up for the organizers, all the presenters and guests.

(Photo credit: ArsBoni Facebook page)

Federal Laws Part I. – Computer Fraud and Abuse Act (CFAA)

I haven’t posted on the blog for a long time, but there is a reason why. Lately I’ve been working on a study about the legal classification of the Terms of Service on social media sites. It has finally been published (yet only in Hungarian) and I had the opportunity to present my findings for the first time on a conference for PhD students. I will definitely share my thoughts about this topic on this site in the future, but now I would like to focus on the main subject of the blog, the legal aspects of online data after death. More precisely, on the effective federal laws in the United States, which refer to this issue.

Generally, we can declare there are three federal laws in the USA, which are connected to our topic in an outstanding degree:

  • Computer Fraud and Abuse Act (CFAA)
  • Electronic Communication Privacy Act (ECPA)
  • Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA)

RUFADAA is a federal law enacted by 24 member states at the moment, and it is a law regulating entirely the issue of how relatives (fiduciaries) can get access to the digital assets of their deceased loved one. I know that this is a key law of understanding the topic I am writing my posts about but as a good poker player I would like to delay my trump card for a later post. It is also important to get to know the other two federal laws.

This time I would like to introduce the importance of Computer Fraud and Abuse Act (CFAA).

The Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. This law has been made to prevent attacks against „protected computers”. At the beginning, this definition was applicable only for computers used by the US Government and its authorities.  It is basically a criminal law, but from 1994 private individuals and companies have the opportunity to start a legal action against the violators of this law.

CFAA name 7 different types of action which can be criminalized by this law. One is really important from our aspect: not only the access of a computer without authorization is a crime, but the exceeding the authorization also. Why is it important for us?

Because service providers often refer to this part of the CFAA when they refuse the request of leftovers for access to the online data of their deceased relative.  They would commit a crime by exceeding the authorization they get from the deceased person for storing their data and give access to the relatives. Naturally, there is no chance to get authorization from the “owner” of these data, unless there are provisions in the will about this problem.

Next time, I am going to introduce the connection of Electronic Communication Privacy Act to the topic of online data after death. And I promise it won’t take 3 and a half months again.

Born In The USA – Level Of Member States

The first legislature of the world which has found our issue to be something worth to take care of was the legal system of the USA. (Of course, I didn’t have a choice to check all the legal systems of the world, so I would receive happily any contradictions in the comments.) It is an interesting question why the USA was the first in this topic. Altought the answer is not as difficult as it seems: all the huge, multinational service providers (Facebook, Google, Yahoo, etc.) are established in America, and – maybe bacause of this fact – using the services of these companies is significantly common among the citizens of the USA.

connecticutAs far as I know, the first state of all was Connecticut in January, 2013 where written acts have been created about the problem of online data which belongs to people who have already passed away [https://www.cga.ct.gov/current/pub/chap_802b.htm#sec_45a-334a]. This act gave the power for the personal representative of the deceased person to access or copy the content of the person’s electronic mail account. The enactment of this act was a historical moment, it is clear.

rhode-islandThe second state was Rhode Islandhttp://webserver.rilin.state.ri.us/Statutes/TITLE33/33-27/INDEX.HTM ], where an act have been enacted word-by-word the same as in Connecticut.

 

 

indianaThe third state was Indiana in the line [http://iga.in.gov/legislative/laws/2016/ic/titles/029/]. This act was really similar to the one from Connecticut and Rhode Island, but used a better terminology by citing „electronically stored information and documents” instead of talking about only the e-mail account.

 

oklahomaThen came Oklahoma [http://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=460302] where they tried to find the golden mean between the too specific form used by Connecticut and Idaho and the too general used by Indiana. They put in the focus of their act the following group of data: e–mail account, social networking account, microblogging account, or short messaging service Web site.

idahoIn Idaho [https://legislature.idaho.gov/idstat/Title15/T15CH3SECT15-3-715.htm] we can find the same rules which grant the right for the personal representative of a deceased person’s estate to take control of, conduct, continue, or terminate a deceased person’s e–mail account, social networking account, microblogging account, or short messaging service Web site.

nevadaState of Nevada’s attitude was more conservative [https://www.leg.state.nv.us/NRS/NRS-143.html]. They only gave the right only to terminate the deceased person’s accounts for the personal representative.

 

 

virginiaIn Virginia [ http://law.justia.com/codes/virginia/2014/title-64.2/section-64.2-110/ ], only the personal representative of the deceased minor (person under 21) got right to access the minors online accounts.

 

 

delawareFinally, Delaware enacted a much detailed law based on UFADAA. What is UFADAA? This will be the topic of a following post, so we should stop here.

 

 

 

If we would like to evaluate the initial acts enacted by these states, we can appreciate the efforts and the braveness of creating laws about the online data after death for the first time, but we have to state: these acts by themselves rule only a small part of the big issue, so they are not able to grant a satisfactory solution to the problem.

 

Is this a legal issue at all?

It is a fair question, but the answer is a big indisputable YES. The extremist views about the internet as a law-free zone are left behind for years, but the right answers from legislatures to the sensitive issues of the intemperate use of the web are yet to come.

If we focus on our main topic – legal aspects of online data after death – as far as we know there has been only one legal system until know, where the legislative power tried to find answers for these complicated legal and moral questions.

Of course, we can approach it from a theoretical aspect. If we think of the rules of privacy law, we can be lost easily, because the most of the national privacy laws consider personal data as information which can be connected to a natural person. That means after someones death, his or her online data ceases to be personal data and become… What? There is no answer in these laws for this question.

Only the „right of the dead” which is actually the subsistence of the deceased personal rights, and a legal tool for the relatives can help the mourning relatives to defend their lost loved one’s memory against offending comments and other immoral online actions, but it does not mean they have right to get access to the leftover online data, family pictures, unsent messages, etc. This is the Bermuda Triangle of this topic, where there are so less answers, and several uncleared issues.

As far as we know we can find related acts in the legal system of the United States. There are two levels of these acts: federal and on the level of member states. What is the content of these laws, and what is the relationship from the aspect of application? This is what my next post is going to be about.