News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | The birth of postmortem privacy Related reading: Chatbots and privacy rights after death: Once again, life imitates art

rss_feed

""

Privacy policy practitioners in the digital age have their hands full as society becomes more aware of personal privacy rights and what information can and cannot be shared. 

Until now, most of the public had not thought about the intersection of technology, privacy and death, despite technology continually pushing legislative and regulatory boundaries. The control of user data has been principally dictated by a content provider's terms of use or terms of service agreement. However, the challenge of postmortem privacy faces chief privacy officers and policy practitioners across every industry and sector. Consumer awareness and marketplace demands have already begun to break through the media surface, seen most recently in Apple's announcement of their Digital Legacy Program available in their fall iOS 15 release.

Planning for the death of an account holder is difficult as there isn't an identifiable date to fixate. Yet, the issues of data ownership and privacy after death is real. Those involved with policy creation face a custodial dilemma when dealing with their clients' accounts upon incapacity and death. Who is responsible for protecting a user's data privacy and the dissemination of asset data after death? What rights does a user have over their digital assets when they can no longer act or when they are no longer with us?

Over the last several decades, we have seen an expanded definition of privacy as expectations change with each generation asking, what is privacy and why is it important? We can assume that "privacy is essential to who we are as human beings," but the differences are relative to the individual and institution. Although definitions evolve and almost every organization invests in policies for the living, very little attention is paid to policies surrounding an account holder's death.

The IAPP outlines that "privacy is now a necessity of doing business," and every organization that interacts with clients online will need to deal with digital assets upon incapacity and death if they haven't been doing so already. The number of deceased persons on Facebook is part of the public narrative and social media alerted us that one's wishes upon death matter to not only the deceased but also to the grieving family and beneficiaries.

Organizational policies are determined by lawyers, security, privacy and compliance officers as well as operations and finance executives. Whether privacy policies are born from marketplace demand, the need for competitive necessity, or regulatory or legislative compliance, they are the underpinnings defining data use, disclosure and security. Organizations with an online presence or those that handle an individual's data or digital assets must have privacy policies for handling the data of incapacitated or deceased account holders. What actions do content providers and data holders need to take? 

When did estate planning of digital assets become an issue for chief policy officers?

Digital asset estate planning has been a frequently overlooked topic, but now everyone needs to pay attention to planning for this asset class, especially with the pandemic accelerating this requirement through the rise of global internet use by forcing more personal and business communications to a digital or virtual setting. The deathcare and estate industries have only just begun to address the category of digital property by enhancing existing business processes and client management platforms. This environment gets further complicated with jurisdictionally different laws and regulations. These issues emerged long before the pandemic but have accelerated as countries navigate public health rules and the continued digitization and commoditization of our data. 

Privacy practitioners should take note of an individual's digital assets as an emerging asset class. A general definition of digital assets boils down to identifying them "as an electronic record that individuals have a right or interest." It usually does not include an underlying asset or liability, unless that asset or liability is itself an electronic record. Common examples of digital assets include social media accounts, digital photos and videos, domains, websites, and electronic communications, such as email and instant messages; although, the category is much broader, including cryptocurrencies, digital collectibles and nonfungible tokens. 

Global postmortem privacy — How pervasive is the issue?

Although the estate industry has yet to see an overwhelming number of cases regarding postmortem access to digital assets, the actual cases tried in the court of law and in the court of public opinion reveal alarming outcomes. The amount of money, time and effort required by families and beneficiaries when struggling with service providers to gain access to a deceased person's accounts or digital assets is troubling.

Very few global tech companies have pre-planning options for their users, but Facebook and Google do. If used, they allow for access, retention or transfer of specified data and information. As many of the global tech giants are based in the United States, many of these organizations point to U.S. privacy laws or the U.S. model legislation for states called the Revised Uniform Fiduciary Access to Digital Assets Act. Likely unbeknownst to many consumers and still new to estate planners is that the default rule under RUFADAA requires the user to provide an explicit directive in estate planning documents, in instruments like a power of attorney, will or trust, or in an online tool through a service provider, which incorporates options for the disclosure or non-disclosure and deletion of the digital asset at the time of a user's death or incapacity. If no such directive is provided, absent a court order — which can be an expensive and time-consuming process to obtain — the service provider's TOSA controls the outcome. It should be noted that digital assets of an employer used by an employee in the regular course of the employer's business are not typically accessible by a fiduciary under RUFADAA.  

Global postmortem privacy landscape                                            

In many countries, there are multiple jurisdictional-specific laws that apply to accessing, storing and managing digital assets. Often these laws are silent or inconsistent as to what happens upon the incapacity or death of the account holder. In addition to inconsistent laws and TOSA provisions, one of the major challenges in planning for digital assets is maintaining the information's privacy, which is not guaranteed. Privacy matters considerably more for digital assets, especially electronic communications, than other traditional property interests given the virtual and data-driven nature of this asset class and their nature to exist into perpetuity.

There isn't an easy method to navigate this complex environment. Every digital asset has unique characteristics that must be considered during estate planning, coupled with the fact that every individual has different wishes and preferences about how they want their digital assets to be handled and what they consider secure. From a legal perspective, these issues make unpacking digital assets in estate planning complicated and the results varied, on top of the technical implications and other traditional estate planning considerations, such as valuation and tax matters. 

Where do executives and chief privacy officers begin?

Privacy and compliance officers should learn about their client's individually held digital assets (and those owned by small businesses), their estate and business planning policies, and how succession planning will affect organizational policies. 

  • Review your organization's TOSA to determine if it addresses incapacity or death of the account holder.
  • Review policies on sharing passwords, account holder impersonation and security protocols.
  • Create an internal process for approval/denial requests for responding to incapacity or death of the account holder questions and information requests. Make the policies publicly available.
  • Review your jurisdiction's privacy and fiduciary access to digital content laws to determine if incapacity or death of the account holder is addressed.
  • Develop and implement a plan for customer service, security and operations teams, increasing their awareness of digital assets, probate and estate laws, and newly enacted legislation.  

Postmortem privacy is an emerging area for privacy and compliance officers as tech constantly evolves. Regulations governing consumer rights, privacy and estate planning for digital assets also must evolve with industry standards determined by concerned stakeholders ensuring proposed protocols are balanced in addressing remaining gaps. 

Photo by Dayne Topkin on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Authors
Headshot Lee Poskanzer Nonmember Contributor
Headshot Jennifer Zegel Nonmember Contributor
Headshot Sharon Hartung Nonmember Contributor
Tags
Big Data
Privacy Operations Management
Privacy Opinion
Social Networking
1 Comment

If you want to comment on this post, you need to login.

  • comment Betsy Ehrenberg • Jul 10, 2021 
    <p>Great insights and good advice for launching a discussion to guide families creating a plan for a meaningful Digital After Life as a gift to the next generation.
Related Stories
CNIL offers guidance on handling data of the deceased
France's data protection authority, the Commission nationale de l'informatique et des libertés, released guidance regarding data of deceased individuals. “In the same way that we talk about managing our life online, it is logical to wonder about the fate of our data after our death,” the CNIL stated...
Read More queue Save This
Related Stories
Tags
Big Data
Privacy Operations Management
Privacy Opinion
Social Networking
Recent Comments