What Happens To Your Personal Data When You Die?

By Purvi Morwal

In 2019, India reported a death rate of 7 people per 1000[i], which is approximately 95,64,924 people, a considerable number of who would have consented to their personal data being processed for some purpose by an organization, whether public or private.

As the global community strives for precision on regulating every aspect of the collection, use, transfer, and destruction of data, an aspect that is often overlooked while discussing rights on data is what happens to it when we die. The materialization of data in recent times has led to increasing parallels being drawn between property and data resulting in a presumption that data, akin to property, would naturally devolve upon the next of kin upon the death of the person that it relates to. However, the internal policies of countless collectors and processors of personal data, and data protection regulations in some countries strongly provide otherwise.

Social media platforms, Facebook and Instagram[ii] address this question by turning the accounts of its deceased users into ‘memorials’ upon receiving proof of the user’s death, where a contact of the deceased is granted limited controls like the option to change the profile picture or delete the account. However, these platforms refrain from disclosing login information of memorialized accounts. Similarly, Google allows its users to decide what happens to an account on its own or certain subsidiary platforms that remains inactive for a period determined by the user.

In addition to organizational policies, port-mortem rights on data are determined by the data protection law of the land.

European provisions on port-mortem rights on data

The European General Data Protection Regulation (“GDPR”) does not apply to the personal data of deceased persons. However, the GDPR enables Member States of the European U to provide their own rules on the same. Accordingly, the data protection laws of Denmark, Slovakia, and Spain contain derogations on the rights of deceased persons on their personal data.

The Italian Personal Data Protection Code[iii] permits any entity having vested interest or acting to protect the deceased data subject as their agent may exercise the rights conferred onto the data subject under the GDPR. Italy’s Data Protection Authority further recognizes the right of lawful heirs to access the personal data of their deceased relatives, including the personal data relating to other individuals such as joint holders of a bank account[iv]. This is permitted in cases where the two sets of data are so inextricably linked that extracting the personal data of merely the deceased relative would render it unintelligible. The right to access personal data of a deceased person does not, however, apply to information relating to third parties such as the beneficiaries of insurance policies.

The French Data Protection Act allows any person to define general or specific guidelines on the storage, communication, and erasure of their personal data after their death. In the absence of any directives, the heirs of the deceased may exercise the rights provided in the law.

The German Federal Court of Justice concluded its first case[v] on the rights to a social media account upon the original user’s death on similar ground. The Federal Court of Justice held that the user agreement between the deceased user and Facebook, the defendant in the case, was a contract that would pass onto the heirs by operation of the German Civil Code and the surviving parents had the right to access the content of their deceased teenager’s Facebook account.

Rights of the Deceased Data Principals in India

The Joint Committee on the Personal Data Protection Bill, 2019[vi] that was recently tabled in the Indian Parliament, recommended the addition of rights of deceased data principals to the Data Protection Bill, 2021 (formerly regarded as the Personal Data Protection Bill, 2019). The recommended provision empowers data principals to exercise their rights through a legal heir or legal representative in the event of death. Further, the deceased data principals have been given the right to be forgotten, and to append the terms of agreement regarding the processing of personal data in the event of the data principal’s death, placing the Indian data protection framework of the rights of deceased persons on a similar footing as the many EU Member States.

What can businesses do about the rights of deceased data principals?

Based on the data protection law that applies in the jurisdiction that the businesses operate in, or its data principals reside in, businesses must strive towards ensuring compliance with the existing provisions on rights of deceased data principals. This exercise may be carried out by first assessing existing data protection and privacy policies and allowing data principals or their heirs the opportunity to exercise the various rights granted to deceased persons under the relevant data protection law.

Further, certain data protection codes, as well as internal business policies enable data principals to appoint or declare heirs or managers for their data and accounts upon their death. Businesses should establish a robust mechanism to accept, store, and communicate such appointments and declarations.

[i]https://data.worldbank.org/indicator/SP.DYN.CDRT.IN?contextual=aggregate&locations=IN

[ii]https://help.instagram.com/264154560391256/%22%20%5Ct%20%22_blank

[iii]https://www.garanteprivacy.it/documents/10160/0/PERSONAL+DATA+PROTECTION+CODE.pdf/96672778-1138-7333-03b3-c72cbe5a2021?version=1.0

[iv] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1750768

[v] Urteil des III. Zivilsenats vom 12.7.2018 — III ZR 183/17

[vi]http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf

Disclaimer: Nothing herein should be construed as a legal advice. The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.