Published on the 15/08/2018 | Written by Pat Pilcher
It’s trickier than it sounds…
The New South Wales government has kicked off a review of the laws around what happens to your data once you shuffle off this mortal coil.
The handling of wills and estates has always been a delicate matter, and now we are confronted with digital lives that carry on after their owners depart.
It is a tricky issue, and the stakes can be high. Consider the wealth that can be accumulated, and lost, in cryptocurrencies attached to an individual’s digital identity. Then there are multiple online banking accounts across personal and business financial institutions, credit cards, PayPal etc. Adding to this are social media, photos and emails, all of which have sentimental value to family members.
Gaining access to the data of a deceased person can be stressful. In 2016, Apple refused to provide 72-year-old Canadian Peggy Bush with her dead husband’s Apple ID and password. Apple said the Bush family needed a court order. After a social media campaign and pressure from the press, the Bush family eventually got the Apple ID and password. No doubt countless others have had less public challenges.
Keen to avoid similar issues in Australia, NSW Attorney General Mark Speakman appointed Federal Court judge Dr Annabelle Bennett to head up the Law Reform Commission, which will review what happens to data upon the death of its creator. The Commission will examine state, Commonwealth and international laws and is also expected to look at both policies and terms of service agreements for digital service providers.
The move puts Australia well ahead of New Zealand, which lacks any legal framework for managing the digital footprint left behind by deceased Kiwis.
With Australians averaging a staggering 10 hours a day online, and one in six Kiwi teens online for six-plus hours daily, a review is needed.
The NSW review is likely to be a complicated undertaking, especially given that its scope includes reviewing the policies and terms of service for digital service providers operating in Australia. One of the first obstacles the Commission is likely to encounter is the sheer diversity in how digital service providers handle a user’s personal data after that user dies, if they handle it at all.
Facebook lets users nominate a trusted person and allows them full or limited access to memorialise the deceased person’s Facebook profile. Users can also enable Facebook to delete their account once it has been made aware of their death. Google has an ‘Inactive Account Manager’ setting. It will notify a trusted person of your inactivity and allow them to share your information or delete it.
Convincing multinational online services to add Australian or New Zealand changes to their policies and terms of service is unlikely. Given Facebook’s track record of co-operation with the UK/EU government over the Cambridge Analytica scandal and the recent war of words with New Zealand’s Privacy Commissioner, Facebook would be unlikely to change the policies it already has in place in over 40 countries to reflect Australian and New Zealand specific legislation.
Another significant (and equally intractable) obstacle that the Commission and Kiwi lawmakers will face is data sovereignty and privacy legislation.
With the bulk of Australasian data stored offshore, firmly out of reach of the laws of both countries, the practicalities of related laws such as data privacy (which will dictate how easily grieving families can access a deceased family member’s data) could drive up compliance costs for the Australian and New Zealand arms of multinational digital service providers.
In Australia, organisations (including the Australian branches of multinational digital service providers) must ensure all international data storage complies with the Australian Privacy Principles (APP).
Australian digital service providers are expected to take reasonable steps to ensure that any data used does not breach any of the APP principles or practices. In the event of a data breach or similar event, it is also possible that the Australian Government could hold the cloud service provider accountable.
Similarly, a Privacy Bill recently tabled in New Zealand’s Parliament introduces changes to New Zealand’s privacy regulatory framework. It aims to give additional protection to individuals whose data gets exported overseas. The bill requires that agencies make sure that the jurisdiction they’ve sent the data to has privacy laws comparable to New Zealand. Frustratingly, there is no clarification as to what ‘comparable’ actually means.
Then there is the differing way data privacy is handled in the two key jurisdictions where Aussie and Kiwi data tends to end up – the EU and the US. The two have different privacy frameworks, so much so that New Zealand and Australian lawmakers are likely to be debating, for the foreseeable future, how American data holders can comply with GDPR and how compatible the privacy frameworks of both regions are with Australasian laws.
Given the challenges policy makers face, you might be forgiven for having a wee cheat sheet in your personal files that at the very least allows your close ones to log on to your laptop and phone (and, probably at the same time, your e-mail accounts). But we’d never recommend that.