07 Sep iConsumer #5 – Death is real. How rights of deceased persons are treated under data protection laws
How data processing of deceased persons in regulated under the GDPR and the laws of France, Germany and Italy?
Mount Eerie is the pseudonym of the American songwriter Phil Elverum, that published a lot of indie-rock music over the last fifteen years. “Real Death” is the opening track of the superb album “A Crow Looked at Me” (2017), that documents the tragic moments that Elverum faced after the death of his wife, Geneviève Castrée.
Death has always been a tricky subject in law too. As is well known, civil law successfully regulates – with tricky provisions, indeed – what comes after the decease of a person, protecting the goods of a person from the different needs of his successors. In more recent times, when the digital revolution became reality and social media platforms spread all over the world, we started thinking about digital death. In other words, we began to wonder about the fate of the bonfire of data and information we share every day when we’re gone.
To find a solution and bring some order in this field, EU regulators conceived effective data protection provisions that will significantly impact on companies, too.
Two precedents: the French Data Protection Act and a recent Facebook case in Germany
In France, from 2016 individuals have the possibility to regulate processing of their data after their death. According to art. 40(1) of the French Data Protection Act, individuals can give to data controllers general or specific indications about the retention, erasure and communication of their personal data after their decease. Within such indications, the data subject can identify a person that will be in charge of ensuring their correct implementation, too.
In July 2018, the German Federal Court of Justice (the Bundesgerichtshof, BGH) jumped to similar conclusions in a case involving Facebook. According to the German judges, heirs have the right to access the Facebook accounts of their dead relatives – in other words, a social media profile can be inherited as physical goods.
Death, personal data and the neutrality of the GDPR
For its part, the GDPR clearly states that it does not apply to the personal data of deceased persons, but
“Member States may provide for rules regarding the processing of personal data of deceased persons” (recital 27).
This provision provide significant flexibility to the Member States, that may choose to integrate the GDPR with further provisions on the subject at stake. As we’ll see below, the Italian regulators have recently chosen to extend protection to deceased persons.
The Italian scenario: the New Data Protection Code
From 19 September 2018, the Legislative Decree 101/2018, that radically amends the Italian Data Protection Code, will be applicable – some days ago Giulio gave a clear overview on this matter. Article 2-terdecies of the new Data Protection now states that
“the rights set out in articles 15 through 22 of the GDPR referred to personal data of deceased persons can be exercised by whom has his/her own interest, or acts in order to protect a data subject, in capacity of his/her appointee, or for family reasons worthy of protection“.
This provision seems rather clear, but the Italian Supervisory Authority (the “Garante“) may find hard to properly construe the notion of “person that has his/her own interest“. This wording may be dangerously extended to people that have no relation or connection with the deceased person – indeed, provided that there is no clear definition of “interest”, even a creditor has his/her own interest to access data of the his/her dead borrower!
In addition, the same article of the new Data Protection Code says that
“the exercise of the rights abovementioned is not permitted when it is prohibited by the law or, only in relation to the direct offering of services of the information society, the data subject expressly prohibited it by way of a written declaration sent or communicated to the data controller“.
Moreover, such prohibition shall be
unambiguous, “specific, free and informed“, and “the prohibition shall refer only to some of the abovementioned rights“.
As the ones abovementioned, these provisions show several uncertainties. For example, the meaning of “informed prohibition” is not evident: how is it possible to assess the level of information of a prohibition after the death of a data subject or when s/he release his/her prohibition? Also, who should assess such level of information?
In the future, the interpretative effort of the Garante and Italian courts may bring clarity to these kinds of questions.
What’s the impact of the provisions regarding deceased persons on the companies?
Companies should ensure the exercise of such rights to the persons listed in art. 2-terdecies of the New Data Protection Code. This means that companies should at least update and revise the texts of the data protection policies and information notices, extending the opportunity of exercising such rights to such categories of individuals.
Furthermore, companies should establish efficient means of storage of the written declarations of prohibition of exercise of the rights listed above. Such declarations may become relevant after many years (i.e. when the data subject dies), and the uncertainty of the moment of death may give rise to doubts with regard to the ways companies should undertake.
Stay tuned and register to our newsletter!
Also, if you find this article interesting, please share it on your favorite social media!