What Happens To Your Personal Data When You Die?

11 March 2022

Purvi Morwal

In 2019, India reported a death rate of 7 people per 1000[i], which is approximately 95,64,924 people, a considerable number of who would have consented to their personal data being processed for some purpose by an organization, whether public or private.

As the global community strives for precision on regulating every aspect of the collection, use, transfer, and destruction of data, an aspect that is often overlooked while discussing rights on data is what happens to it when we die. The materialization of data in recent times has led to increasing parallels being drawn between property and data resulting in a presumption that data, akin to property, would naturally devolve upon the next of kin upon the death of the person that it relates to. However, the internal policies of countless collectors and processors of personal data, and data protection regulations in some countries strongly provide otherwise.

Social media platforms, Facebook and Instagram[ii] address this question by turning the accounts of its deceased users into ‘memorials’ upon receiving proof of the user’s death, where a contact of the deceased is granted limited controls like the option to change the profile picture or delete the account. However, these platforms refrain from disclosing login information of memorialized accounts. Similarly, Google allows its users to decide what happens to an account on its own or certain subsidiary platforms that remains inactive for a period determined by the user.

In addition to organizational policies, port-mortem rights on data are determined by the data protection law of the land.

European provisions on port-mortem rights on data

The European General Data Protection Regulation (“GDPR”) does not apply to the personal data of deceased persons. However, the GDPR enables Member States of the European U to provide their own rules on the same. Accordingly, the data protection laws of Denmark, Slovakia, and Spain contain derogations on the rights of deceased persons on their personal data.

The Italian Personal Data Protection Code[iii] permits any entity having vested interest or acting to protect the deceased data subject as their agent may exercise the rights conferred onto the data subject under the GDPR. Italy’s Data Protection Authority further recognizes the right of lawful heirs to access the personal data of their deceased relatives, including the personal data relating to other individuals such as joint holders of a bank account[iv]. This is permitted in cases where the two sets of data are so inextricably linked that extracting the personal data of merely the deceased relative would render it unintelligible. The right to access personal data of a deceased person does not, however, apply to information relating to third parties such as the beneficiaries of insurance policies.

The French Data Protection Act allows any person to define general or specific guidelines on the storage, communication, and erasure of their personal data after their death. In the absence of any directives, the heirs of the deceased may exercise the rights provided in the law.

The German Federal Court of Justice concluded its first case[v] on the rights to a social media account upon the original user’s death on similar ground. The Federal Court of Justice held that the user agreement between the deceased user and Facebook, the defendant in the case, was a contract that would pass onto the heirs by operation of the German Civil Code and the surviving parents had the right to access the content of their deceased teenager’s Facebook account.

Rights of the Deceased Data Principals in India

The Joint Committee on the Personal Data Protection Bill, 2019[vi] that was recently tabled in the Indian Parliament, recommended the addition of rights of deceased data principals to the Data Protection Bill, 2021 (formerly regarded as the Personal Data Protection Bill, 2019). The recommended provision empowers data principals to exercise their rights through a legal heir or legal representative in the event of death. Further, the deceased data principals have been given the right to be forgotten, and to append the terms of agreement regarding the processing of personal data in the event of the data principal’s death, placing the Indian data protection framework of the rights of deceased persons on a similar footing as the many EU Member States.

What can businesses do about the rights of deceased data principals?

Based on the data protection law that applies in the jurisdiction that the businesses operate in, or its data principals reside in, businesses must strive towards ensuring compliance with the existing provisions on rights of deceased data principals. This exercise may be carried out by first assessing existing data protection and privacy policies and allowing data principals or their heirs the opportunity to exercise the various rights granted to deceased persons under the relevant data protection law.

Further, certain data protection codes, as well as internal business policies enable data principals to appoint or declare heirs or managers for their data and accounts upon their death. Businesses should establish a robust mechanism to accept, store, and communicate such appointments and declarations.




[iv] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1750768

[v] Urteil des III. Zivilsenats vom 12.7.2018 — III ZR 183/17


Published here: What Happens To Your Personal Data When You Die? | by Reina Consulting | Mar, 2022 | Medium

Disclaimer: This article is the copyright of Reina Consulting LLP. It is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is viewed or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation. This information is not to be considered as legal advice or opinion and the firm shall not be liable for any action taken by the user, directly or indirectly, on the basis of such material.