LIFE AFTER DEATH: DATA PROTECTION RIGHTS OF DECEASED PERSONS
By Victoria Oloni
“The Dead have no rights and can suffer no wrongs”
Sir James Stephen 1887
The protection and management of personal data of deceased persons is an open discuss in the world of data protection. The issue of what happens to the personal data of the deceased and individuals` privacy post-mortem remains unclear and unsettled from a legal and regulatory perspective. Thus, various theories have been evolved to answer the question of whether personal data should be protected after the death of a data subject.
We might ask ourselves, why bother about personal data of the dead when we have not adequately covered the living? This discourse has been heating up because of the technological disruptions birthed by the digital revolution. The digital identity of data subjects persists long after their biological death. With the growth of these digital identities came the development of the concept of “digital natives” and “Netizens” or “Citizens of the internet”. The growth of Internet-enabled technologies has led to the growth of “digital natives,” along with the storing of enormous amount of digital assets and personal data online. The number of digital natives worldwide is significant, and a significant number of them die every day. Thus, the effect and importance and protection of their digital identities cannot be disregarded. A The current legal framework for the fundamental right to privacy and to personal data protection seems inadequate to cope with data of deceased digital native.
The General Data Protection Regulation of the EU and the Nigeria Data protection Regulation appear to apply to only living data subjects. While the NDPR is silent on the subject of the protection of the data of deceased persons, the GDPR specifically states that it doesn’t apply to that category of persons and states can legislate to protect the personal data of deceased. With the dearth in legislative protection of the data protection rights of deceased persons, in this article, we will attempt to examine the various regulatory frameworks for data protection and the bearings they have on the data protection rights of deceased persons in various jurisdictions and we will simplify the various theories formulated concerning these rights.
- Data Protection rights of and Post Mortem Privacy
“Many legal rules suggest that the dead do not have rights. Often, the dead cannot marry, divorce, or vote. The executor of an estate cannot sue for the libel or slander of a deceased person. And the right to medical privacy substantially erodes at death, giving family members the ability to obtain sensitive information about a decedent’s medical conditions. On the other hand, various legal institutions have spent considerable time trying to protect the rights of the dead. As a result, most testamentary distributions, burial requests, and organ donation designations are held to be valid even if they contradict the preferences of the living.”…
The above quotation to a large extent represents the current position as regards Post Mortem rights. This is however not always the case. The concept of post mortem privacy suggests that personal information protection should outlive the data subjects and subsist even after death. This theory is not without its issues. For example, some scholars are of the opinion that any injury to the privacy of the deceased has no effect on him which is basically a “no-effect injury” as the victim is not affected by the wrong. Furthermore, after death, the deceased person who exercises “narrator” rights ceases to be able to exercise such rights, such a person can no longer regulate the processing of his personal data or the management of his digital identity. Subsequently, we will be discussing the various theories of Post Mortem Privacy and Data Protection.
- Commodification of Personal Data vs Propertisation of personal data
This theory of Commodification of data advocates for the concept of “Data Freedom” and commodification of personal data of deceased persons. This means that the Data controllers retain access and the right to process the data of such persons. This can be described as a contractual approach to post mortem privacy. Another method of protecting the privacy rights of a deceased user is through contract law. When an individual opens an account with a service provider he or she must agree to the provider’s “Terms of Service” by affirmatively clicking “yes.” Many of these agreements are typically utilized when users sign up to use an online service, and such agreements are generally upheld in court.
“Facebook memorializes the profile pages of deceased users. In other words, Facebook will turn a deceased user’s Facebook page into an online memorial. Users agree to this policy when they sign up for an account. Although Facebook will not provide the user’s account login details, most of the content a deceased user had previously shared (e.g., photos, posts) will remain visible. And, while most Internet websites permit only family members to cancel the account of a deceased user, anyone—regardless of their relationship to the deceased individual—can request to memorialize a deceased person’s profile, ensuring that the profile will be preserved and remain visible for as long as Facebook exists (or, longer).”
This method has however proven inadequate as terms of service agreements ultimately put the privacy of a deceased person at the mercy of a service provider who may disregard the deceased’s wishes regarding how his privacy is treated after death and without the user—young or old—alive to contest his or her understanding of the contract, the immediate default is to interpret the contract on its face. Additionally, because these agreements are written so strongly in favour of the service provider, the privacy rights of the deceased user are left even more vulnerable. The deceased’s digital information governed by these service agreements is often very personal and sensitive,  which makes protecting the privacy rights of the deceased so important.
The above arguments and many more have raised a lot of concerns among privacy scholars. Some of these issues include potential moral harm to their memories, exploitation of the grief of living relatives for example “when details of the deceased person and his/her kind of relationship with the bereaved are transposed or reflected in personalised advertisements (videos, images, etc.)”, and the fact that personal data of deceased persons may also include personal data of their relatives e.g. health or genetic data. The conversation on whether Genetic and health data should be regarded as Group personal data is a conversation for another day.
It can however be argued that since death terminates a contact, the death of a data subject should bring an end to the processing of his/her data. Thus, upon death, the personal data of a data subject should be deleted or anonymised. This can also be spun conversely by stating that the data controller upon the death of a data subject has unlimited control of the personal data of the deceased as death terminated the rights of the deceased and also the contractual obligations of the of the Data Controller/Processor. However, the rule that death terminates contractual obligations is not absolute and has several exceptions.
The property rights model is based on a presumption that personal data in practice already are, or should be considered, as an asset or commodity. Scholars have argued that the EU with the GDPR is tilting towards the “propertisation” of personal data largely because of the GDPR’s introduction of the right to be forgotten which is resembles on of the essential features of property: the right to destroy. Furthermore, the right to data portability which is encapsulated in the GDPR also leans towards a proprietary rights regime for data protection in the EU as it empowers individual to exercise greater control over their data by being able to move it from one platform to another.
- The Quasi-propertisation approach
The Commodification of Personal Data and propertisation arguments are 2 extremes that pose their own unique problems. Thus, an intermediate scenario called the “quasi-propertisation” or “personal data inheritance” scenario was introduced. Quasi-property is a hybrid concept elaborated in common law legal systems for a heterogeneous group of “goods”. In particular, quasi-property is a form of “relational”, “contextual” and “liability like” proprietary protection elaborated by the U.S. jurisprudence to protect corpses, journalistic information, trade secrets, etc. In more specific terms, quasi-property is not an absolute right on goods, but a contextual protection against illegitimate misappropriations of special categories of goods (intangible goods or non-commercial goods). This theory clothes personal data as an asset, intangible property just like copyright which can be inherited as part of the estate of the deceased. According to Purtova, “In this case, propertisation is a form of protection of individual’s rights and not a form of commodification”. Protecting Data through Contract
- The EU and other National Data Protection Laws
Several member states of the EU (Bulgaria, Czech Republic, Denmark, Estonia, France, Italy, Latvia, Lithuania, Portugal, Slovakia, Slovenia and Spain) have provided a Regulation for post-mortem data protection in different forms, while few member states explicitly exclude this protection. Bulgaria, for instance, recognises that “in event of death of the natural person his/her rights shall be exercised by his/her heirs”, thus extending the right of access to personal data not only to the natural person, but also to his or her family.
In the next section the case of Italy, Estonia, France and Cataluña will be analysed as three emblematic models of three different frameworks. As regards the General Data Protection Regulation (GDPR), it does not explicitly regulate post mortem data protection. In particular, recital 27 of the GDPR states as follows: “this Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons”.
The Estonian Data Protection Act goes even further, by adopting an IP-like (or quasi-propertization) model and giving a considerable amount of freedom to an individual to decide on the use of personal data in the event of processing personal data with the consent of a data subject. In section 12 of the Act, it states: “The consent of a data subject shall be valid during the life of the data subject and thirty years after the death of the data subject, unless the data subject has decided otherwise.” Furthermore, in section 13 it entitles certain family members to permit processing of personal data after the death of the data subject, but limits this period to thirty years after death.
The Italian Data Protection Code also provides for data protection of the deceased. Article 9(3) of the code states that “where related to the personal data concerning a deceased, may be exercised by any entity that is interested therein or else acts to protect a data subject or for family-related reasons deserving protection”. The Italian approach is a very wide approach and has been defined as a “Kantian” Model
Under the new French Law “Loi Pour Une République Numérique” a GDPR-aware law, the protection of data of deceased data subjects is deeply regulated. The Law solves the narrator challenge identified previously under the Post mortem privacy theory by introducing “preventive narration” which gives the data subject rights to preventively make decisions on the processing of his/her personal data post mortem, such a person can also delegate these rights to another person to actively exercise them after the data subject’s death. It also provides for scenarios where the deceased did not give any directives or delegate to any person his data protection rights.
Conversely, the Swedish Data Protection Act explicitly refers to personal data of the living, defining personal data as “all kinds of information that directly or indirectly may be referable to a natural person who is alive.” Similarly, the UK Data Protection Act defines personal data as “data which relate to a living individual”. Other member states also predominantly use the term “natural person”; understood generally as a person having legal capacity, starting with the birth and ending with her death.
The GDPR, in Recital 27, maintains that information relating to dead individuals not subject to the rules of the Regulation. However, member states could extend the scope of the national legislation implementing the provisions of the GDPR, and include protection of some aspects of deceased persons’ personal data. This option, as demonstrated above, has been used by some member states.
- The Nigerian Context
The Nigerian Data Protection Regulation which is the extant law for Data protection in Nigeria does not specifically provide for the data protection rights of deceased persons. On the face of the Regulation, it appears to restrict its application to only living persons as the scope of the Regulation covers data processing in respect of natural persons. As mentioned earlier, the concept of “natural persons” connotes that such persons are still alive.
The Regulation however doesn’t restrict the definition of Data Subjects to just natural persons as it defines Data Subject as “an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” The definition of data subjects can be interpreted to accommodate deceased persons as long as the data being processed is one that can be used to identify such persons. This remains an open discuss. There is however a dearth of Nigerian academic research in this area.
In the age of “e-mmortality”, it has become urgent and necessary to protected the rights to privacy and Data Protection of the deceased. This article only attempts to initiate the discussion about post-mortem privacy and personal data of the deceased within the Nigerian Legal parlance. It also points out some possible points of controversy within this space. This write up discussed the various theories as regards Post Mortem privacy.
While certain parts of this article could be viewed as favourable for propertisation of personal data, the discourse was purely theoretical. The paper does not suggest that the propertisation would be the best choice for the protection of post mortem privacy, especially since its already a long-standing tradition especially within states of the European Union. It is apparent that Neither the commoditisation nor propertisation regime have proven adequate in the protection of post mortem privacy.
This work asserts that a viable solution could be including the deceased’s data in the scope of the definition of personal data in data protection instruments and legislations. Furthermore, a time-limited protection, with appropriate safeguards in relation to the other relevant interests should be given. In this way, the regime would be adequately protected under the same framework as other data protection and privacy related concepts.
This work, nevertheless, does not aim to propose clearly formulated solutions. The crux of this work is to question the options and possibilities for post-mortem privacy and how post mortem privacy can be adequately protected.
 Gianclaudio Malgieri, “R.I.P.: Rest in Privacy or Rest in (Quasi-)Property? Personal data protection of deceased data subjects between theoretical scenarios and national solutions”, https://ssrn.com/abstract=3185249
 J Palfrey and U Gasser “Reclaiming an Awkward Term: What we Might Learn from “Digital Natives”” (2011) 7 A Journal of Law and Policy for the Information Society 33-56, at 37-38; Cheatham defines digital natives as a generation that has never known a world without digital technologies. C Cheatham “Public Relations: Dancing with Digital Natives: A Great Resource for Understanding Those Who Have Grown up with Digital Technology” (2011-2012) 16 AALL Spectrum 8-10.
 For example, the number of Facebook users has reached more than 2.4 billion worldwide, see Statista’s “Facebook users by Country 2019”, available at https://www.statista.com/statistics/268136/top-15-countries-based-on-number-of-facebook-users/ .
 For instance, research suggests that today, Facebook has over two billion users and an estimation of 8000 users die every day. Within the next 50 years, Facebook could feel more like a place for the dead than the living. According to academics from the University of Oxford, by 2069, the dead could outnumber the living on the social network. See https://thenextweb.com/socialmedia/2019/04/29/dead-facebook-users-could-outnumber-the-living-by-2069/
 Recital 27 to the GDPR
 Posthumous marriage is legal in France with governmental approval. Craig S. Smith, Paris Journal: A Love That Transcends Death Is Blessed by the State, N.Y. TIMES, Feb. 19, 2004, at A4 (noting that while the new spouse is not entitled to the decedent’s assets, posthumous weddings can legitimize children born after their father’s death, making them his heirs under French law
 K.R. Smolensky “Rights Of The Dead” HOFSTRA Law Review [Vol. 37:763] P. 763 https://law.hofstra.edu/pdf/academics/journals/lawreview/lrv_issues_v37n03_cc4_smolensky_final.pdf&ved=2ahUKEwjhw522_qXnAhXFnFwKHRUoDg8QFjALegQIAxAB&usg=AOvVaw1pQNW0o8rPKdm6MHkA9gV7&cshid=1580205562043
 S Winter, ‘Against posthumous rights’, Journal of Applied Philosophy, 27(2), 2010, 186–199.
 L Floridi, ‘The informational nature of personal identity’, 549–566.
 Log In, Sign Up or Learn More, FACEBOOK, https://www.facebook.com
 See, e.g., Contacting Twitter About a Deceased User, TWITTER, https://support.twitter.com/articles/87894-contacting-twitter-about-a-deceased-user
 N Chu, “Protecting Privacy after Death” Northwestern Journal of Technology and Intellectual Property, Volume 13, Number 2 (September 2015)
 S Vedantam, To Read All Those Web Privacy Policies, Just Take a Month Off Work, NPR (Apr. 19, 2012, 3:30 AM), http://www.npr.org/blogs/alltechconsidered/2012/04/19/150905465/to-read-all-thoseweb-privacy-policies-just-take-a-month-off-work
 N Chu, “Protecting Privacy after Death” Northwestern Journal of Technology and Intellectual Property, Volume 13, Number 2 (September 2015)
 Floridi, ‘An ethical framework for the digital afterlife industry’, Nature Human Behaviour, Vol 2, May 2018, 318–320. 3 L Edwards & E Harbinja, ‘Protecting post-mortem privacy: Reconsidering the privacy interests of the deceased in a digital world’, 110. H Buitelaar, ‘Post-mortem privacy’, (2017), 129
 Malgieri ibid at p. 4
 R Calo, ‘Digital Market and Manipulation’, 82 George Washington Law Review, 2014, 995, 1029 who refers to the risk to be micro-targeted as “bereaved” of a deceased person and receive personalised advertising that exploit the grief vulnerability.
 M Masnick, Techdir “Europeans Continue To Push For ‘Right To Be Forgotten’; Claim Americans ‘Fetishize’ Free Speech” 04 Feb 2011 available at http://www.techdirt.com/articles/20110204/00145312961/europeans-continue-to-push-right-to-beforgotten-claim-americans-fetishize-free-speech.shtml
see also B J Koops, “Forgetting Footprints, Shunning Shadows: A Critical Analysis of the ‘Right to Be Forgotten’ in Big Data Practice” (2011) 8(3) SCRIPTed 229-256
 G Malgieri, ‘User Provided Personal Content in the EU: Digital Currency Between Data Protection and Intellectual Property’, International Review of Law and Technology, Vol. 32, Issue 1, 2018, 118-140. 29
 SBalganesh, ‘Quasi-Property: Like, but not Quite Property’, 160 U. Penn. Law Rev. 2012, 1891.
 Ibid, G Malgieri, at p. 19
 N Purtova, ‘Illusion of Personal Data as No One’s Property’, Law, Innovation, and Technology, Volume 7, Issue 1, 2015
 Damian McCallig, ‘Data Protection and the Deceased in the EU’, Paper presented at the CPDP, Brussels, January 24 2004.
 It is the case of Cyprus, Ireland, Sweden and the United Kingdom. Damian McCallig, 2014, ‘Data Protection and the Deceased in the EU’.
 Article 28 (3) Bulgarian Personal Data Protection Act, State Gazette No. 1/4.01.2002, 70/10.08.2004, 93/19.10.2004, 43/20.05.2005, 103/23.12.2005, 30/11.04.2006, available in English at: http://legislationline.org/topics/country/39/topic/3 (accessed
 Ibid, Article 13(1).
 I Kant, Die Metaphysik der Sitten. Das Privatrecht, (Frankfurt am Main, 1977; Erstdruck: Königsberg (Nicolovius) 1797), S. 388-406, 3, available online at: http://www.zeno.org/Philosophie/M/Kant,+Immanuel/Die+Metaphysik+der+Sitten/Erster+Teil.+Metaphysische+Anfangsgründe+der+Rechtslehre/1.+Teil.+Das+Privatrecht+vom+äußeren+Mein+und+Dein+überhaupt
Immanuel Kant stated that everyone is entitled to adopt the defense of the bona fama defuncti of a deceased and that this should be regarded as part of the “Recht der Menschheit”.
 Ibid, Malgieri at p. 15
 Section 3, Sweden, Personal Data Protection Act (1998:204), available in English at: http://www.sweden.gov.se/content/1/c6/01/55/42/b451922d.pdf (accessed
 S 1 (1) (e) Data Protection Act 1998 c. 29
 Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, 01248/07/EN WP 136, at 22.
 Recital 27 to the GDPR
 Regulation 1.3 (k) of the NDPR