Horizon Blog

Dr Edina Harbinja, University of Hertfordshire – Death and GDPR – are our data and identities protected after death?

What’s all the fuss about?

The grieving parents of a dead 15-year-old in Germany were denied access to their daughter’s Facebook account last year. They wanted to read her personal communications to see if she was being bullied, but Facebook argued that doing so would compromise the privacy of her contacts – and the court agreed. This, however, does not take into account what the teenager would have wanted. Who would want their parents to see all their messages?

Many users might not want their families to have this sort of access. Instead, users might want control over the very sensitive personal content and data found on social media profiles and their digital identities associated with these. The legal recognition of post-mortem privacy (here – the protection of deceased’s personal data) would enable users to decide what happens to their data and related online assets after death. They could request full or partial deletion, transfer of some of their data to friends or family, or some other option. UK law, however, does not protect post-mortem privacy at the moment, so this is impossible.

 GDPR helps?

The UK Data Protection Act 1998 in section 1 defines personal data as ‘data which relates to a living individual’, denying any post-mortem rights. The reason behind is the lack of the deceased’s ability to consent to the processing of data. Going forward, The General Data Protection Regulation (GDPR), Recital 27, permits member states to introduce some sort of protection for the deceased’s data, and some states have already provided for this protection (e.g. The French Digital Republic Act 2016). The UK Government (and the Parliament for now) has chosen to keep the ‘living individual’ term in the definition of personal data (see Data Protection Bill 2017), refusing the protection of post-mortem privacy once more. This is not an ideal situation in the UK and does not contribute to the legislative harmonisation within the EU either, Brexit notwithstanding.

What could be done?

In my research, I argue that autonomy and freedom should extend online and enable individuals to decide what happens to their online “wealth” (mainly their personal data) when they die. This would be an online equivalent of the old principle of testamentary freedom – that is, the freedom to make a will and bequeath your assets to (arguably) whomever you wish. Only 38% of people surveyed in England and Wales in 2015 had a will, meaning most people hadn’t made legal provisions for their deaths. However, I still think that the law should offer this protection. So even if most people don’t care about protecting their online data after they die, in principle there should still be a way for someone to do so.

 Are we on the right track?

Digital assets, which would be a subject of post-mortem privacy, have become very valuable to online users in the UK. From a lay person’s perspective, these could be anything valuable online, any asset (account, file, document, digital footprint) that has a personal, economic or social attachment to an individual. Despite the growing value and importance, legally, the area is far from clear in this country. Users, solicitors and service providers struggle to navigate through the complex laws around property, wills and succession, trusts, intellectual property, data protection, contracts, jurisdiction.

A widespread practice in the UK now is that the individuals are advised by solicitors to list their accounts and passwords for their heirs to use after his death. The list may be included in a letter left with the will, but not in the will itself, as it becomes a public document once admitted to probate. This is a practical solution, however, it is in breach of most user agreements (e.g. Facebook’s terms of service). Also, passwords should change over time and individuals may not remember to update the list that they prepared at the time they made their will. This should be discouraged as a solution.

Future law and death

Trying to respond to some of these problems, The Law Commission has pointed out that digital assets ‘…fall outside the sort of property that is normally dealt with by a will.’, which is true as research shows. However, the Commission has also has failed to acknowledge conflicts between wills and the existing ways of sorting out one’s digital assets online (through, for instance, Google Inactive Account Manager), which should be considered during this reform. This is quite a disappointing proposal, it does not help harmonising scattered legislation, and it defeats the Commission’s general aim in this reform of the law of wills (to introduce a comprehensive reform). Prof Lilian Edwards and I argue that the Commission should consider digital assets in the ongoing reform of wills, as putting it off just creates more confusion. A holistic approach requires addressing some of the issues through the law of wills. Other issues can be addressed in a digital asset – specific law reform, including the necessary data protection reform, as I pointed out above. The reform should be introduced as soon as possible if the UK wishes to follow the good examples of France and the US and legislate in this critical and growing area.