Law & Innovation Conference Budapest 27th May 2017 – Review

On 27th May I had the opportunity to take part in and give a presentation at an excellent conference in Budapest about law and innovation. Here is a brief review of the event.
The Law and Innovation Conference was organized by ArsBoni, a community of young Hungarian lawyers and law students whose website (http://arsboni.hu/) is about making legal issues understandable for non-lawyer readers through great articles. The event took place at Impact Hub Budapest, a modernized workshop venue.

In the morning, sponsors and the representatives of ArsBoni gave presentations on the topic of law and innovation (challenges of IT security, innovative products and services for lawyers, or the impact of lawtech on access to legal knowledge), and in the afternoon young jurists and PhD students presented their topics in 3 sections: Law & Innovation, Internet & Law and Fintech.

We heard lectures about cybersecurity (which was such a popular topic), the legal issues of the sharing economy and the impact of ‘uberization’ on labor law, e-governance, questions of copyright in the age of e-books and cloud computing, and legal questions of bitcoin.

My presentation was about the legal classification of terms of use on social media, which will be an important topic on this blog in the future, too. There was also a presentation about the main topic of the blog, so we had the opportunity to hear the news about the legal aspects of online data after death.

The full program is available at this link (only in Hungarian).

All of the presentations were well built up and the whole event had a great vibe. It’s always a joyful experience to be among young scientists who are not just thinking about law as a discipline or a profession but looking for new approaches in the 21st century.

Thumbs up for the organizers, all the presenters and guests.

(Photo credit: ArsBoni Facebook page)

Federal Laws Part I. – Computer Fraud and Abuse Act (CFAA)

I haven’t posted on the blog for a long time, but there is a reason why. Lately I’ve been working on a study about the legal classification of the Terms of Service on social media sites. It has finally been published (so far only in Hungarian) and I had the opportunity to present my findings for the first time at a conference for PhD students. I will definitely share my thoughts about this topic on this site in the future, but now I would like to focus on the main subject of the blog, the legal aspects of online data after death. More precisely, on the federal laws in force in the United States that relate to this issue.

Generally, we can say there are three federal laws in the USA that are particularly closely connected to our topic:

  • Computer Fraud and Abuse Act (CFAA)
  • Electronic Communications Privacy Act (ECPA)
  • Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA)

RUFADAA is a federal law enacted by 24 member states at the moment, and it is a law that entirely regulates the issue of how relatives (fiduciaries) can get access to the digital assets of their deceased loved one. I know that this is a key law for understanding the topic I am writing my posts about, but like a good poker player I would like to hold back my trump card for a later post. It is also important to get to know the other two federal laws.

This time I would like to introduce the importance of the Computer Fraud and Abuse Act (CFAA).

The Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. This law was created to prevent attacks against "protected computers". At the beginning, this definition was applicable only to computers used by the US Government and its authorities. It is basically a criminal law, but since 1994 private individuals and companies have had the opportunity to bring a legal action against the violators of this law.

The CFAA names 7 different types of action which can be criminalized by this law. One is really important from our point of view: not only is accessing a computer without authorization a crime, but so is exceeding the authorization. Why is it important for us?

Because service providers often refer to this part of the CFAA when they refuse the requests of the bereaved for access to the online data of their deceased relative. They would commit a crime by exceeding the authorization they received from the deceased person for storing their data if they gave access to the relatives. Naturally, there is no chance to get authorization from the “owner” of these data, unless there are provisions in the will about this problem.

Next time, I am going to introduce the connection of the Electronic Communications Privacy Act to the topic of online data after death. And I promise it won’t take 3 and a half months again.

Born In The USA – Level Of Member States

The first legal system in the world to find our issue worth taking care of was that of the USA. (Of course, I didn’t have a chance to check all the legal systems of the world, so I would happily receive any contradictions in the comments.) It is an interesting question why the USA was the first in this topic. However, the answer is not as difficult as it seems: all the huge, multinational service providers (Facebook, Google, Yahoo, etc.) are established in America, and – maybe because of this fact – using the services of these companies is significantly common among the citizens of the USA.

As far as I know, the first state of all was Connecticut in January, 2013, where a written act was created about the problem of online data belonging to people who have already passed away [https://www.cga.ct.gov/current/pub/chap_802b.htm#sec_45a-334a]. This act gave the personal representative of the deceased person the power to access or copy the content of the person’s electronic mail account. The enactment of this act was clearly a historical moment.

The second state was Rhode Island [http://webserver.rilin.state.ri.us/Statutes/TITLE33/33-27/INDEX.HTM], where an act was enacted that is word-for-word the same as the one in Connecticut.

The third state in line was Indiana [http://iga.in.gov/legislative/laws/2016/ic/titles/029/]. This act was really similar to the ones from Connecticut and Rhode Island, but used better terminology by citing "electronically stored information and documents" instead of talking only about the e-mail account.

Then came Oklahoma [http://www.oscn.net/applications/oscn/DeliverDocument.asp?CiteID=460302], where they tried to find the golden mean between the too specific form used by Connecticut and Idaho and the too general one used by Indiana. They put the following group of data in the focus of their act: e-mail account, social networking account, microblogging account, or short messaging service Web site.

In Idaho [https://legislature.idaho.gov/idstat/Title15/T15CH3SECT15-3-715.htm] we can find the same rules, which grant the personal representative of a deceased person’s estate the right to take control of, conduct, continue, or terminate a deceased person’s e-mail account, social networking account, microblogging account, or short messaging service Web site.

The State of Nevada’s attitude was more conservative [https://www.leg.state.nv.us/NRS/NRS-143.html]. They gave the personal representative only the right to terminate the deceased person’s accounts.

In Virginia [http://law.justia.com/codes/virginia/2014/title-64.2/section-64.2-110/], only the personal representative of a deceased minor (person under 21) got the right to access the minor’s online accounts.

Finally, Delaware enacted a much more detailed law based on UFADAA. What is UFADAA? This will be the topic of a later post, so we should stop here.

If we would like to evaluate the initial acts enacted by these states, we can appreciate the efforts and the bravery of creating laws about online data after death for the first time, but we have to state: these acts by themselves govern only a small part of the big issue, so they are not able to provide a satisfactory solution to the problem.

Is this a legal issue at all?

It is a fair question, but the answer is a big indisputable YES. The extremist views about the internet as a law-free zone have been left behind for years, but the right answers from legislatures to the sensitive issues of the intemperate use of the web are yet to come.

If we focus on our main topic – legal aspects of online data after death – as far as we know there has been only one legal system until now where the legislative power has tried to find answers to these complicated legal and moral questions.

Of course, we can approach it from a theoretical aspect. If we think of the rules of privacy law, we can easily get lost, because most of the national privacy laws consider personal data as information which can be connected to a natural person. That means after someone’s death, his or her online data ceases to be personal data and becomes… What? There is no answer in these laws to this question.

Only the "right of the dead", which is actually the subsistence of the deceased’s personal rights and a legal tool for the relatives, can help the mourning relatives to defend their lost loved one’s memory against offending comments and other immoral online actions, but it does not mean they have the right to get access to the leftover online data, family pictures, unsent messages, etc. This is the Bermuda Triangle of this topic, where there are so few answers and several unresolved issues.

As far as we know, we can find related acts in the legal system of the United States. There are two levels of these acts: federal and on the level of member states. What is the content of these laws, and what is their relationship in terms of application? This is what my next post is going to be about.