In today’s age and time, digital data permeates every aspect of our lives. We leave a digital trail that captures not only the details of our lives but also the essence of who we are. But for all the ease and connectedness that technology offers, a serious question remains. What happens to our data when we leave this world? Individuals may take security measures while they are alive, but the fate of their data after their death is still a not-so-explored territory. The ownership, access, and management of digital assets remain uncertain as there are no comprehensive regulations. This gap in the law is glaring, given the profound impact of data on today’s economy and the human significance of digital legacies.

Data has become essential to our modern-day identity and heritage. It fuels economic activity, promotes innovation, and preserves cultural heritage. However, most existing legal systems only protect data during human life. Rapid technological innovations make it necessary to protect people’s digital legacies from potential misuse, unlawful access, and exploitation.

The Indian Digital Landscape

The amount of data generated in a country as populous as India is humongous. While we are yet to adopt technology in ways many developed nations have done, we have a considerable internet population of more than 70 crore internet users. Since death is unforeseeable, it is crucial to plan data inheritance beforehand. Presently, Indian laws do not cover the inheritance of digital data.

The recently passed Digital Personal Data Protection Act has made progress in protecting the personal data of living individuals. However, it falls short of addressing privacy concerns after an individual’s death. Perpetrators or unauthorised individuals can misuse the personal data of deceased individuals, a phenomenon often referred to as “digital zombies.”

This situation exposes a serious gap in existing data protection frameworks. The digital footprints people leave behind can become highly vulnerable and be exploited for identity theft and financial fraud, among other cyber crimes.

Navigating Social Platforms

According to a Forbes article, 67.5% of Indian internet users use at least one social media platform as of January 2023. However, not every social media platform has clear guidelines on handling accounts of deceased users.

Facebook offers a deletion or reminder function for dealing with accounts of deceased users. The platform also provides a memorialisation feature that adds the word “Remembering” in front of the person’s name. Other users can visit this account, but no posts can be made from it. However, depending on the account settings, friends can add memories to the memorialised account.

Similarly, Google offers an inactive account management service where you can specify a list of ten contacts who can access your account if you have not logged in for a specified period. These ten individuals can access your data and eventually delete it themselves. Once a Google account is deleted, all the Google products related to that account are affected.

Apple also provides a Legacy Contact feature that allows individuals to choose who will have access to their data after their death. A user can add multiple legacy contacts to their Apple ID. Moreover, legacy contacts do not need to have an Apple ID or an Apple device. While legacy contacts will be able to access a user’s account after their death, certain information will be off-limits. This includes purchases associated with Apple ID, payment information, passwords, and passkeys.

Different Regulatory Models

The General Data Protection Regulation explicitly states that it does not apply to deceased persons. However, member states may adopt rules on processing deceased persons’ personal data. For example, several EU member states have implemented regulations to protect deceased persons’ personal data.

In Bulgaria, legal heirs can access the data of a deceased person upon requesting it from the data controller. In France, the Digital Republic Act of 2016 introduced the “preventive narrative” concept. This concept allows a data subject to make preventive decisions about processing their personal data after their death. The French legislation addresses the problem of narrative previously identified in the context of post-mortem privacy theory. A data subject can also transfer these rights to another person to actively exercise them after their death. It also covers situations where a deceased person has not given instructions or assigned their rights to anyone.

In Italy, Article 9(3) of the Italian Personal Data Protection Code 2003 allowed any entity acting to protect the interests of a data subject, or for family-related reasons to access a deceased person’s personal data. This approach of Italian law is very broad and has been referred to as the Kantian model.

In Estonia, the Data Protection Act has adopted an IP-like model called the quasi-propertisation model. Section 12 of the Act states that a data subject’s consent shall remain valid during their lifetime and thirty years after their death unless they decide otherwise. Section 13 allows a specific set of family members to permit the processing of personal data after a deceased’s death; however, this period is limited to thirty years after death.

Navigating the Path Ahead

The digital age has brought unprecedented connectivity and convenience but has also created new challenges. While some countries have taken a few steps to regulate the handling of a deceased person’s personal data, much work still needs to be done. For instance, a potential legal framework can provide for the inheritance of digital data, similar to the inheritance of movable and immovable properties. This digital will can specify who can access their data and to what extent. Considering that the Internet is practically boundaryless, we need international cooperation to create uniform data inheritance laws that apply uniformly across national borders.

Bhumika Grover, an undergraduate student at the Rajiv Gandhi National University of Law, Punjab, contributed this article to our blog.