How data processing of deceased persons in regulated under the GDPR and the laws of France, Germany, and Italy? Let’s discuss it in iConsumer.
Mount Eerie is the pseudonym of the American songwriter Phil Elverum, that published a lot of indie-rock music over the last fifteen years. “Real Death” is the opening track of the superb album “A Crow Looked at Me” (2017), that documents the tragic moments that Elverum faced after the death of his wife, Geneviève Castrée.
Death has always been a tricky subject in law too. As is well known, civil law successfully regulates – with tricky provisions, indeed – what comes after the decease of a person, protecting the goods of a person from the different needs of his successors. In more recent times, when the digital revolution became a reality, and social media platforms spread all over the world, we started thinking about digital death. In other words, we began to wonder about the fate of the bonfire of data and information we share every day when we’re gone.
To find a solution and bring some order in this field, EU regulators conceived adequate data protection provisions that will significantly impact on companies, too.
Two precedents: the French Data Protection Act and a recent Facebook case in Germany
In France, from 2016 individuals can regulate the processing of their data after their death. According to art. 40(1) of the French Data Protection Act, individuals can give to data controllers general or specific indications about the retention, erasure, and communication of their personal data after their decease. Within such signs, the data subject can identify a person that will be in charge of ensuring their correct implementation, too.
In July 2018, the German Federal Court of Justice (the Bundesgerichtshof, BGH) jumped to similar conclusions in a case involving Facebook. According to the German judges, heirs have the right to access the Facebook accounts of their dead relatives. A social media profile is inheritable as physical goods.
Death, personal data and the neutrality of the GDPR
For its part, the GDPR clearly states that it does not apply to the personal data of deceased persons, but
“Member States may provide for rules regarding the processing of personal data of deceased persons” (recital 27).
This provision provides significant flexibility to the Member States, that may choose to integrate the GDPR with further rules on the subject at stake. As we’ll see below, the Italian regulators have recently decided to extend protection to deceased persons.
The Italian scenario: the New Data Protection Code
From 19 September 2018, the Legislative Decree 101/2018, that radically amends the Italian Data Protection Code, will be applicable – some days ago Giulio gave a clear overview of this matter. Article 2-terdecies of the new Data Protection now states that
“the rights set out in articles 15 through 22 of the GDPR referred to personal data of deceased persons can be exercised by whom has his/her own interest, or acts in order to protect a data subject, in capacity of his/her appointee, or for family reasons worthy of protection“.
This provision seems rather clear, but the Italian Supervisory Authority (the “Garante“) may find it hard to properly construe the notion of “person that has his/her own interest.” The risk is the extension of the wording to people that have no relation or connection with the deceased person. Indeed, provided that there is no clear definition of “interest,” even a creditor has his/her interest to access data of his/her dead borrower!
Also, the same article of the new Data Protection Code says that
“the exercise of the rights abovementioned is not permitted when it is prohibited by the law or, only in relation to the direct offering of services of the information society, the data subject expressly prohibited it by way of a written declaration sent or communicated to the data controller“.
Moreover, such prohibition shall be
unambiguous, “specific, free and informed“, and “the prohibition shall refer only to some of the abovementioned rights“.
As the ones above mentioned, these provisions show several uncertainties. For example, the meaning of “informed prohibition” is not evident: how is it possible to assess the level of information of a prohibition after the death of a data subject or when s/he releases his/her prohibition? Also, who should assess such level of information?
In the future, the interpretative effort of the Garante and Italian courts may bring clarity to these kinds of questions.
What’s the impact of the provisions regarding deceased persons on the companies?
Companies should ensure the exercise of such rights to the persons listed in art. 2-terdecies of the New Data Protection Code. Such a scenario means that companies should at least update and revise the texts of the data protection policies and information notices, extending the opportunity of exercising such rights to such categories of individuals.
Furthermore, companies should establish efficient means of storage of the written declarations of the prohibition of the exercise of the rights listed above. Such statements may become relevant after many years (i.e., when the data subject dies), and the uncertainty of the moment of death may give rise to doubts concerning the ways companies should undertake.