A group of lawyers are pressuring EU legislators to propose rules that could force internet platforms to hand over data that belongs to another person who had died or is being cared for.
Lawyers pushing for new legislation argue that there is a need to create rules that apply across the bloc because internet companies, banks and social media firms might be headquartered in a different member state from where a person’s guardian or heir lives.
“We definitely need uniformity of law in this digital area,” said Sjef van Erp, a professor who is directing research on digital inheritance through the European Law Institute.
Van Erp said that American companies already comply with a similar law in the United States. A 2015 model law is in effect in most US states, other states are not required to implement it.
But Van Erp said the US version could be a cautionary tale: the EU should avoid a patchwork system so that lawyers can easily find out whether people have bank accounts or profiles on social media and other online services regardless of where they’re based.
“We’re afraid in Europe that some member states will follow the law and some won’t at all,” he said.
Van Erp said he plans to draft his own proposal for new legislation early next year and share it with the European Commission.
The Commission is planning to propose separate legislation in early 2018 to help police collect so-called e-evidence, or data needed in investigations across EU borders. But van Erp said there needs to be another law addressing when family, guardians and even debt collecting bailiffs can access data.
Often, family members or debt collectors do not know if a person has digital accounts at all, and they can only find out with proof that they have the right to access it.
“This is not about looking for evidence, it’s about looking for the asset itself,” van Erp said.
Other legal experts argue that binding legislation on digital accounts won’t be as effective as a softer approach. Companies could agree voluntarily to include terms of service that address how other people can access users’ data. Many firms already do that.
An association of Italian lawyers set up a working group with Microsoft and Google to try to hammer out a voluntary agreement on when the firms will give people access to someone else’s account data. But their meetings stopped months ago, one source with knowledge of the meetings said.
Some lawyers think it isn’t worth the effort to draft a new EU law that would touch on inheritance issues – a broader area where legislation differs widely between member states.
“It could definitely be helpful in some cases, but nothing will happen for a long time. Every country has its own rules,” said Paul Grötsch, director of the German forum for inheritance law.
“We don’t have this kind of EU law for real estate inheritance. There’s no need to create one just for digital heritage if we don’t have it for property,” he added.
Legal struggles over access to digital assets have recently grabbed headlines in Germany. In May, a Berlin appeals court ruled in favour of Facebook’s decision not to give parents of a deceased teenager access to her account after someone else had already asked the social media platform to shut it down. The court cited data protection reasons for its decision to side with Facebook.
In August, a Facebook executive summed up the firm’s policy in a blog post: “Where the law permits, we try to respect the wishes of those who have passed away. Sometimes, however, we simply don’t know what the person would have wanted.”
Van Erp said privacy has become one of the main concerns for lawyers trying to trace a person’s digital accounts and assets – and Facebook’s case in Germany is a glaring reminder of that.
France passed a new national law in October 2016 regulating the use of data, and it also included measures creating the right for people to give instructions for how their data is used after they die.
Olivier Proust, a partner at the law firm Fieldfisher in Brussels, said the French law is “one of the only data protection laws in the world that grants this right to individuals.”
Since the law went into effect one year ago, France’s data protection agency CNIL has received 10 complaints from people who wanted to access a deceased person’s data, a spokeswoman said.
The French law goes further than any EU rules so far: A broad data protection regulation that will go into effect across the bloc next year does not extend rights to the dead.
Privacy lawyers argue that with no laws outlining when companies must give access to someone’s data after they die, companies should follow the same rules that apply to living people – if the person did not have a will specifying what should happen to their online accounts.
“In many circumstances the deceased will not leave clear instructions as to what they wish to happen with their personal information/data and in this case data controllers should respect the data protection principles in GDPR [EU data protection regulation],” said Ailidh Callander, a legal officer at the NGO Privacy International.
Van Erp said his draft will differentiate between the different rights that should be given to guardians, heirs to digital assets or accounts and bailiffs seeking to collect debt.
“Normally you’d say email is personal, but after death, how on earth will you find out if it’s a correspondence with a bank?” he said.