BILL ANALYSIS Ó AB 691 Page 1 ASSEMBLY THIRD READING AB 691 (Calderon) As Amended April 30, 2015 Majority vote -------------------------------------------------------------------- |Committee |Votes |Ayes |Noes | |----------------+------+--------------------+-----------------------| |Judiciary |10-0 |Mark Stone, Wagner, | | | | |Alejo, Chau, Chiu, | | | | |Gallagher, Cristina | | | | |Garcia, Holden, | | | | |Maienschein, | | | | |O'Donnell | | | | | | | |----------------+------+--------------------+-----------------------| |Privacy |11-0 |Gatto, Wilk, Baker, | | | | |Calderon, Chang, | | | | |Chau, Cooper, | | | | |Dababneh, Dahle, | | | | |Gordon, Low | | | | | | | | | | | | -------------------------------------------------------------------- SUMMARY: Establishes the Privacy Expectation Afterlife and Choices Act (Act) to provide a judicial framework for the disclosure of electronic information from a communication service provider, as defined, to the executor or administrator of the estate of a deceased user of the service for the purpose of AB 691 Page 2 administering the estate. Specifically, this bill: 1)Authorizes a probate court that has jurisdiction of a deceased user's estate to order an electronic communication service or remote computing service (provider) to disclose certain types of information pertaining to the account of the deceased user that is stored with the provider, if the court makes all findings of fact specified to enable the disclosure of that type of information. 2)With respect to a record of communications or other information pertaining to a deceased user's account, but not the contents of communications or stored contents, (hereafter "record" or "catalog of communications"), the probate court must find all of the following facts: a) The user is deceased. b) The deceased user was the subscriber to or customer of the provider. c) The account belonging to the deceased user has been identified with specificity, including a unique identifier assigned by the provider. d) There are no other owners of, or persons or entities who have registered with the provider with respect to, the deceased user's account. e) Disclosure is not in violation of another applicable federal or state law. AB 691 Page 3 f) The request for disclosure is narrowly tailored to the purpose of administering the estate. g) The executor or administrator demonstrates a good faith belief that the information requested is relevant to resolve issues regarding assets or liabilities of the estate. h) The request seeks information spanning no more than 18 months prior to the date of death, or the requester has made a request for information that specifically requests data older than 18 months prior to the date of death. i) The request is not in conflict with the deceased user's will or other written, electronic, or oral expression of the deceased user's intent regarding access to or disposition of information contained in or regarding the user's account. 3)With respect to the contents of communications or stored contents (contents), the probate court must find all of the following facts: a) The findings required by 2a) through 2h) above; and b) The will of the decedent, or a choice made by the deceased user within the product or service or otherwise regarding how the user's contents can be treated after a set period of inactivity after the user's death, or other event evidences the decedent's express consent to the disclosure of the requested contents. 4)Clarifies that the court must make all of the above findings of AB 691 Page 4 facts based upon a sworn declaration of the personal representative, or based upon other admissible evidence. 5)Requires a provider to disclose to the executor or administrator of the estate the contents of the deceased user's account, to the extent reasonably available, only if the executor or administrator gives the provider all of the following: a) A written request for the contents of the deceased user's account. b) A copy of the death certificate of the deceased user. c) An order of the probate court with jurisdiction over the estate of the deceased that includes all of the findings required for disclosure of contents of communications or stored contents. (see 3) above) d) An order that the estate shall first indemnify the provider from any and all liability in complying with the order. 6)Prohibits a provider from being compelled to disclose a record or the contents of communications if any of the following apply: a) The deceased user expressed an intent to disallow disclosure through either deletion of the records or contents during the user's lifetime, or an affirmative indication, through a setting within the product or service, of how the user's records or the content of communications can be treated after a set period of inactivity or other event. AB 691 Page 5 b) The provider is aware of any indication of lawful access to the account after the date of the deceased user's death or that the account is not that of the deceased user. c) Disclosure would violate other applicable law, including, but not limited to, electronic communications privacy provisions or copyright law. 7)Provides that a provider served with an order compelling disclosure of deceased user records or contents may make a motion to quash or modify the order within a reasonable time after receiving the order, in which case the court shall do any of the following: a) Modify the order to the extent that the court finds that compliance with the order would cause an undue burden on the provider, or quash the order if the court finds that the order cannot be modified so as to avoid the undue burden. Further clarifies that a cost that the requester offers to pay shall not be considered when a court is making a determination whether a request constitutes an undue burden. b) Quash the order if any of the applicable required findings of fact 2) and 3), above) are not met. c) Quash the order if the court finds, based upon the preponderance of the evidence submitted by the provider or any other person, that any of the circumstances set forth in 6) (above) apply. 8)Allows a provider to require the requester to pay the direct costs of producing a copy of the record or other information pertaining to the account of the deceased, when those records are not already available for production during the ordinary AB 691 Page 6 course of business. 9)Provides that disclosure of the contents of the deceased user's account to the executor or administrator of the estate shall be subject to the same license, restrictions, terms of service, and legal obligations, including copyright law, that applied to the deceased user. 10)Protects a provider from liability for good faith compliance with a court order issued pursuant to the Act. FISCAL EFFECT: None COMMENTS: This bill, introduced at the request of the Internet Association and TechNet, seeks to provide a clear legal framework to help probate courts resolve questions about how to balance competing privacy and estate administration concerns when a decedent's estate representative seeks information or records from, typically, the email or social media account of the deceased user for the purpose of settling the estate. According to the author, "The Privacy Expectations Afterlife Choices Act ("the Act") ensures Californians have the right to decide what happens to their online private lives after they die. The Act honors individual choices while allowing fiduciaries to get the information they need to settle an estate. This bill strikes a balance between providing a clear path for fiduciaries to access relevant information to handle the deceased person's estate, while respecting the privacy choices of not just the deceased person but those with whom the deceased was communicating." Stronger privacy interest in contents of communications vs. record AB 691 Page 7 of communications. This bill adopts many key definitions consistent with federal law, the Electronic Communications Privacy Act of 1986 (ECPA). "Contents" are defined to mean information concerning the substance, purport, or meaning of communications and include the subject line of the communication. This is distinguished from the "record" of communications, which means the record of a communication sent or received by a user, not including the contents but including things like the account logs that record account usage, cell-site data for mobile phone usage, and online addresses of other persons with whom the user has communicated. Like ECPA, this bill recognizes the stronger privacy interest that users have in the content of their communications on social media and through email. This interest is reflected in the requirements in this bill for disclosure of contents compared to disclosure of the record of communications. Contents of communications: Evidence of express consent by decedent needed to authorize disclosure of contents of communications. This bill establishes a checklist of eight findings of fact that the court must make in order to authorize disclosure of information to an estate administrator. These eight findings (see Summary 2) apply to both the contents and the record of communications. With respect only to the contents of communication, this bill requires that the court find that the will of the decedent, or a choice made by the deceased user within the product or service or otherwise regarding how the user's contents can be treated after a set period of inactivity after the user's death, or other event evidences the decedent's express consent to the disclosure of the requested contents. In other words, there must be some evidence that the decedent expressly consented to disclosure of the contents to authorize disclosure. Otherwise, there is no disclosure of the contents. This bill contemplates that evidence of express consent can come in the form of 1) a decedent's will; 2) a choice made by the deceased user within the product or service (e.g. a checkbox or setting within a Facebook account); or 3) some other event. If any one of these forms evidences the user's express consent to disclosure, then that may be sufficient for the court to make the finding AB 691 Page 8 authorizing disclosure. It should be noted that in many cases, the decedent will have left either no will, or a will that is silent with respect to electronic communications or digital assets. In such cases, the only expression of the decedent's wishes may be in the form of the account settings within the service or platform itself. Proponents note that the account setting may indicate how the user's contents can be treated after there has been a set period of inactivity, rather than a setting directly indicating consent to disclosure after death. The settings may be more nuanced as well, indicating the user's wishes with respect to some kinds of contents but not other kinds. The way that settings are set up will certainly differ between service providers, but this bill respects this flexibility and leaves room for innovation by simply looking to any evidence of consent to disclosure. While the account settings provide a valuable opportunity to indicate the user's wishes, it is also axiomatic that many users of social media and email services do not closely monitor these settings or make affirmative decisions with respect to every checkbox within a list of account settings. As a result, in the absence of a will or other event, it may be that the default setting - either a checked box or an unchecked box, as determined by the service provider - is the only indication of a user's wishes with respect to the disclosure of information. Under this bill, the default setting would have to "evidence express consent to disclosure." Because the author seeks to establish a standard that is strongly protective of privacy and to limit disclosure of the contents of communications, this approach appears consistent with the intent of the legislation. Record of communications: Disclosure authorized if request for record does not conflict with decedent's will or other expression of intent regarding access to such information. With respect to the record of communications, this bill requires that the court AB 691 Page 9 find that the request for disclosure is not in conflict with the deceased user's will or other written, electronic, or oral expression of the deceased user's intent regarding access to or disposition of information contained in or regarding the user's account. In contrast to the more protective rule for contents of communications (which have a greater expectation of privacy), this bill does not specifically require express consent of the decedent to authorize disclosure of the record of communications, and recognizes that an expression of intent in the decedent's will controls if there are any conflicting indications. This bill also provides that a provider shall not be compelled to disclose either the record or the contents under certain circumstances. If disclosure would violate other applicable privacy law or copyright law, then disclosure is not compelled. Similarly, if the provider becomes aware that the account does not belong to the deceased user, or that there is other lawful access to the account after the user's death (indicating a shared account with at least one other authorized, living user), then disclosure would not be compelled. Finally, disclosure is not compelled under this bill if the deceased user expressed an intent to disallow disclosure through either deletion of the records or contents during the user's lifetime, or an affirmative indication, through a setting within the product or service, of how the user's records or the content of communications can be treated after a set period of inactivity or other event. According to the author, this treats any evidence that the user, while alive, took affirmative steps to delete either the records or contents as sufficient to 1) establish that the user did not expressly consent to disclosure, in the case of contents; or 2) establish that disclosure would conflict with an expression of the user's intent not to disclose, in the case of communications. Specific requests for information older than 18 months must be AB 691 Page 10 honored, if made. Recent amendments to this bill remove the requirement that the requester provided evidence of a need to obtain information going back more than 18 months, or potentially be denied access to such information. Because the request for disclosure already must be narrowly tailored to the purpose of administering the estate, there is less justification to impose an arbitrary 18-month time limit on the information that may be disclosed without requiring presentation of evidence not otherwise defined in this bill. As amended, this bill instead requires the provider to disclose information older than 18 months whenever a specific request for information older than 18 months is made. Rules for determining that a request for information creates an undue burden for the provider. This bill authorizes a court, in response to a motion to quash or modify an order compelling disclosure of a user's records or contents, to modify the order to the extent that it finds that compliance with the order would cause an undue burden on the provider. This bill provides that the term "undue burden" shall be interpreted consistently with Code of Civil Procedure Section 2031.310, relating to undue burden in response to a demand for inspection in civil discovery. According to the author, the intent of the undue burden provision is "to address scenarios where [the estate] demands production of an overwhelming amount of contents, for example, dozens of terabytes." Requests for large amounts of information may pose cost and inconvenience problems for service providers, but such concerns should be mitigated, however, when the requester is willing to pay the costs of retrieving the information. In response to concerns that the undue burden provision should not be construed to prevent disclosure when the requester will pay the provider's costs, the author has amended this bill to clarify that 1) a cost that the requester offers to pay shall not be considered when a court is making a determination whether a request constitutes an undue burden; and 2) a provider may require the requester to pay the direct costs of producing a copy of the record or other information when those records are not already available for production during the ordinary course of business. AB 691 Page 11 Analysis Prepared by: Anthony Lew / JUD. / (916) 319-2334 FN: 0000293