Historically, a personal representative managing a decedent’s estate stood in the shoes of a decedent and was authorized to do most things the decedent could do while alive. However, privacy laws exclude access to digital assets. Many see this as a strange result for probate law because it creates a barrier for personal representatives to satisfy their fiduciary obligations. But this is also a strange result as a matter of privacy law.
US privacy law starts with the Fourth Amendment “right of the people to be secure in their persons, houses, papers, and effects.” In 1986, Congress expanded privacy protection with the Stored Communications Act (“SCA”), which prohibits third-party access to electronic communications without the user’s express consent, and which has been interpreted to protect technology companies from being compelled to disclose them to personal representatives. This privacy-on-by-default approach is not surprising, but what may be surprising is that there is no ‘off’ switch.
Other privacy laws include explicit privacy-off options for users and their personal representatives. Individuals and their attorneys can waive Fourth Amendment rights. The US Privacy Act of 1974 authorizes disclosure of personal information “with the prior written consent of the individual.” HIPAA requires covered entities to disclose protected health information to individuals and “treat a personal representative as the individual.” The Gramm-Leach-Bliley Act permits disclosure of nonpublic personal information “to persons acting in a fiduciary or representative capacity.”
The SCA does not include explicit language regarding personal representatives, and courts have held that express consent may permit but does not require disclosure to personal representatives. Unauthorized access to electronic communications is a federal crime under both the SCA and the Computer Fraud and Abuse Act. The only exception is for governmental entities requiring disclosure of “wire or electronic communication” contents pursuant to a warrant. In other words, the government can access electronic communications without consent for prosecution purposes, but authorized personal representatives acting in a fiduciary capacity cannot access the same records to settle an estate at a decedent’s request. If privacy is fundamentally about protecting personal interests, this is a strange result.