How to handle and ask for the data of recently dead relatives?


“The dead man is not quite dead… if he has heirs”
J.-D. Bredin ^[Translated from French: “Le mort n’est pas tout à fait mort… s’il a des héritiers” in J.-D. Bredin, “Le droit, le juge et l’historien”, Le débat, nov. 1984. 97, spéc. n°8.]

With the omnipresence of social networks, user accounts are constantly multiplying. For example, in 2020, TikTok had 732 million monthly active accounts worldwide, and 1 billion in 2021. Similarly, in 2021, Instagram had 1.386 billion monthly active users worldwide and 500 million daily active accounts. Also, in 2021 Twitter had 206 million monetizable daily active users.

In addition to these accounts, there are many inactive accounts. According to Twitter an inactive account is an account on which the user has not logged in for more than 6 months. In 2019, Twitter had announced the deletion of inactive accounts, after informing the user by mail. This number of inactive users can be counted in millions, as highlighted by the fact that in 2015 30% of Instagram accounts were inactive.

This problem of inactive accounts is not only found on social networks. In France, for example, the topic arises in the context of inactive bank accounts. The French Eckert law states that an inactive account, in the case of a current account rather than a savings account, is an account on which there has been no movement in the last 12 consecutive months and no manifestation of the account holder to the bank. In this context, the service « Ciclade » makes it possible to search for unclaimed or forgotten sums of money, known as escheat.

This question of escheatment implies the fact that the holder of the bank account is deceased. More generally, it raises the question of the future of personal data, whether it is data contained on social networks or on registers, as it is often the case in the medical field.

This problem reveals an important issue because according to the CNIL “In practice, it is very difficult for a site manager to distinguish between a profile that is inactive because its owner no longer uses it and a profile that is inactive because its owner is deceased”. For example, “Every day, nearly 8,000 registered people on Facebook die worldwide”. Similarly in 2017 it was stated that, worldwide, three registered people on Facebook die every minute.

On the Internet an individual leaves many “traces”, which ultimately constitute the digital identity of the person; identity is no longer restricted to civil life. As such, it becomes digital. Other types of identities on the Internet, such as access management, are used by companies to increase access security and facilitate the organization and management of identities. Digital identity has therefore become a key issue, as it involves the personal data of individuals.
But what about the future of this data? Especially when the person concerned dies? This raises the question of digital death.

Focus on Europe: France and Spain

The European texts expressly state that they do not apply to personal data of deceased people. This is the case, for example, of Convention 108+, which states this principle in its Article 3. It is also the case of the GDPR, which mentions this point in its Recital 27. However, it is stated that « Member States may provide for rules on the processing of personal data of deceased persons. » Each European country has to set up legislation related to digital death.
For this reason, an analysis of the different European legislative frameworks will be carried out, with a particular focus on France and Spain.

Why conduct this comparative study between Spain and France?

These two legislations, although different, have some similarities. For example, in 2017 in Catalonia, it was decided to adopt legislation on digital death that imported part of the French digital law of 2016. However, this law was suspended because it was decided that some of its rules concerned the field of inheritance law, which is a state competence.

Legislative framework and jurisprudential construction around digital death

In France, on June 8, 2016^[Conseil d’Etat, 8 juin 2016, n° 386525, and], in one case, the beneficiaries were denied access to the telephone records of the deceased, because their capacity as beneficiaries of a deceased person did not, on its own, allow them to be considered persons concerned. Then the law of October 7, 2016 established the concept of digital death. Citizens were consulted during the drafting of the law. Thus, the law on data processing and liberties of 1978 addresses how to manage the digital data of the deceased, in its articles 84 to 86. The 2019 implementing decree of this law repeals the previous decree^[Décr. n° 2019-536 du 29 mai 2019].

In 2017, the French State Council held that « the mere fact that a person to whom the data refer is a beneficiary does not confer the status of person concerned by the processing within the meaning of Articles 2 and 39 of the Act of January 6, 1978 » but « (…) when the victim of a damage dies, his right to compensation for this damage, which has become part of his estate, is passed on to his heirs […] ».

Similarly, in Spain, although the 2018 Data Protection Act does not apply to deceased persons, Article 3 of this law refers to the rights of persons related to the deceased who are authorized to exercise rights over the data of the deceased and to manage them.

But in practice, how can a relative manage the deceased’s data?

The rights of persons related to the deceased for data management

Under French law, article 85 of the 1978 law offers the person concerned the possibility of making advance directives, which he or she can modify or revoke. These directives can be general, in which case they concern all personal data « and can be registered with a trusted digital third party certified by the CNIL. »

The particular directives concern only the data mentioned by the person concerned. In practice, Article 85 of the law sets out the modalities: « They are registered with the relevant data processors. They are subject to the specific consent of the person concerned and cannot result from the mere approval by the latter of the general conditions of use ».
In concrete terms, they serve to organize the future of personal data and, more specifically, they serve to enable the person to decide who will be able to exercise the rights over his or her data. When the person concerned has not designated anyone, the heirs will have the right to exercise these directives, unless the person concerned states otherwise.

What rights can be exercised?
Article 84 states that deceased persons are deprived of their rights upon their death, and that these rights may be maintained on a temporary basis, depending on the person’s instructions.
The law mentions that the rights that can be exercised by the persons concerned are those mentioned in title II of the law, that is to say: the right to information, the right of access, the right of rectification, the right to erasure, the right to limitation of processing, the right to portability and the right of opposition.

What happens if there is no directive from the person concerned?
According to article 85 of the said law, in the absence of a directive, the heirs of the person will be able to exercise the rights to the necessary extent: on the one hand, « to organize and settle the estate of the deceased » and, on the other hand, « to take into account, by those responsible for processing, his death ».

These directives echo Spanish law. Indeed, Article 96 of the 2018 law refers to the right to a digital will. First of all, the article refers to those who can access the contents of the deceased managed by information society service providers: these are people related to the deceased for family or factual reasons, as well as their heirs. In concrete terms, these people can access the deceased’s content and request its modification or deletion, unless the deceased has prohibited it or the law provides for this prohibition. The law specifies that if the deceased is a minor, these rights will be exercised by the legal representatives.

The article also refers to the case of people with disabilities, and states that « by those who have been designated for the exercise of support functions if such powers are understood to be included in the support measures provided by the designated person. »

Articulation of rights and the right to be forgotten

Regarding the articulation of rights, it is also interesting to consider the question of the right to be forgotten provided for by Article 17 of the GDPR, which echoes the decision rendered on May 13, 2014.
However, this right does not seem usable in the context of post-mortem data, notably because of its territorial limits.

How to manage the deceased’s social networks and other accounts?

Some sites, such as the CNIL website, provide links that allow the persons concerned to indicate to the data controller that the user of the account is deceased.
The fact that these networks redirect to this type of link can be linked to the Spanish law, as Article 79 of the 2018 law states that « information society service providers and Internet service providers contribute to guarantee the rights of people ». In this way, some platforms facilitate these rights. For example, for an Instagram account, it is possible to report the account of a deceased person; the account can be deleted or turned into a memorial account. Facebook also offers these two possibilities, and this applies to everyone who has an account, not only in France and Spain.

Focus on Europe: Legislative framework in other countries

Some countries do not have specific legislation in place for the deceased

This is the case for Austria, Belgium, Croatia, Cyprus, Finland, Germany, Greece, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland and Romania.

There are also countries in which the general legislation on data protection is silent on the subject, and it is advised to obtain information from more specific legislation, such as that on health data. This is for example the case in the UK. The UK Data Protection Act 2018 explicitly states that personal data is « information relating to an identified or identifiable living individual. » However, according to a survey carried out in 2019, 1 in 4 Britons wishes for a digital death.
But, in the health field, there needs to be access to medical records. The right to medical secrecy does not end with the death of the patient. In some cases, however, it may be necessary for the relatives of the deceased to have access to the medical records, which may be possible if the claimant is “a personal representative (the executor or administrator of the deceased person’s estate), or someone who has a claim resulting from the death (this could be a relative or another person)”.

Some countries have specific provisions in their legislation that are limited in time

For example, in Slovakia, the Slovak data protection legislation^[English version : Slovak version] states in its section 78 (7) that « If the data subject dies, the consent requested under this Act or under special regulation may be given by a close person to him or her. The consent shall not be valid if at least one close person gave a written disapproval ».

In Denmark, Article 2(5) of the Data Protection Act states that: « This Act and the General Data Protection Regulation shall apply to the data of deceased persons for a period of 10 years following the death of the deceased ».

This is also the case for Hungary because “The rights of a deceased person may be exercised within five years following their death by a person designated by the relevant data subject, by means of an administrative disposition, or by a statement executed before the controller, with the last statement prevailing if the data subject made more than one such statement before a single controller”.

Focus on North America: US

The vision and history of post-mortem data in the US^[One of the important jurisprudence cases was the In Re Ellsworth case. Yahoo had refused to give access to the emails to the family of the deceased.]

In the case of the United States, the vision around data protection is different from that of some European countries.
For example, the USA’s vision is « a digital asset approach to post-mortem data »^[Castex, L., Harbinja, E. & Rossi, J. (2018). Défendre les vivants ou les morts : Controverses sous-jacentes au droit des données post mortem à travers une perspective comparée franco-américaine. Réseaux, 210, 117-148.]. Indeed, « From a doctrinal perspective, research shows that U.S. law does not legally enshrine the notion of postmortem privacy. Instead, the phenomenon is framed by scattered borrowings from various other legal instruments. Most of these legal instruments focus on the proprietary aspects of postmortem data and digital assets »^[Ibid.].
At the legal level, there are two phases^[Ibid.]. The first was the creation of federal laws, although scattered^[Ibid.]. The second phase was the harmonization of these different legislations: a draft law, whose legal force is not binding, was named the Uniform Fiduciary Access to Digital Assets Act; however, this version was revised. It is currently named the Revised Uniform Fiduciary Access to Digital Assets Act and 46 states have adopted it. “Thus, the RUFADAA provides for trustee access only to the catalog of the deceased’s data, not to its contents, which can only be accessed with the express consent of the deceased or with the order of a judge”^[Ibid.].

The future of health data

As with the UK, it seems relevant to focus on the future of health data. HIPAA (the Health Insurance Portability and Accountability Act) is a federal law in the United States concerning the protection of health data and information. Regarding the management of data of deceased persons, HIPAA protects identifiable information for 50 years after the date of death. Thus, during this period, the personal representative of the deceased will be able to exercise rights « such as authorizing certain uses and disclosures of, and gaining access to, the information ».


In conclusion, some countries have taken specific measures so that the rights of the deceased are transmitted to the heirs, or so that the heirs have rights over these data, as in Spain, for example. In other cases, the deceased can anticipate the future of this data himself, as in France with the directives. In other countries, there are provisions, although limited in time. And finally, other countries have not made any provisions on this subject. Overall, it appears that European legislation in this matter is disparate.

What is notable about the US, and different from Europe, is the vision and approach to post-mortem data protection.

In addition to legal issues, new problems arise. This is the case, for example, in the environmental field with regard to data storage. Ethical questions also arise: for example, it has been reported that some people were receiving requests for lives on Candy Crush from dead people.
In 2017 it was announced that « There will soon be more dead than alive on Facebook ». It is for these reasons that digital death is an important and relevant topic.

Stéphanie Exposito-Rosso

December 10, 2022
