Go back to menu

The Survival of Digital Data

Preserving digital identity

04 June 2020

A few years ago, news was reported about Bruce Willis having complained about Apple's company policy, which prevented him from "bequeathing his digital music collection, held on his 'many, many iPods', to his children when he dies." So, what about his social media accounts, chat conversations or email accounts? 2020 may be the right time to answer. Or not?

In the digital world, death is not such a simple and intuitive concept; indeed, one could provocatively say that, perhaps, it represents nothing more than a mere utopia.

When an individual walks through the online world, he/she leaves behind countless traces, such as: documents, images, videos and conversations. This myriad information, often contained in password-protected accounts, shapes his/her so-called 'digital identity.'

Digital identities do not merely dissolve following the death of the natural person to whom they belong, but potentially remains on the net forever. Therefore, from the very beginning we see the importance of acquiring greater awareness, taking care of our digital heritage and clearly establishing its fate for when we will no longer be in this 'offline' world.

If one thinks for a minute, the fact is, he/she would realise that our digital heritage, in addition to physical devices such as hard drives and USB keys, involves a considerable amount of heterogeneous personal data, including social network profiles, online banking, email accounts, cloud storage spaces, chats, multimedia files, software licences and cryptocurrencies (this is certainly not exhaustive).

The management of all this personal data involves not only the legal issues of inheritance law but also ethical issues, which become even more complicated when the deceased person formerly earned money via the Internet. A clear example of such a case is provided by YouTubers, Switch gamers, Instagram's Influencers or, more generally, by all those who generate online content.

Regulatory scenario of deceased persons' data

In Italy, as in many other countries, there is no specific legislation on succession in digital heritage.

The personal data of deceased persons are excluded (in recital 27) from the scope of the GDPR, which acknowledges the possibility for Member States to regulate the matter autonomously, with clear implications for the harmonisation of the single digital market; even in cases of processing for the purpose of archiving (recital 158) or historical research (recital 160), the applicability of the GDPR to deceased persons is excluded.

The Italian Privacy Code (Legislative Decree 196/2003, hereinafter, the "Code") in its pre-GDPR version, article 9 (now repealed), provided that, in the event of the death of the person concerned, his/her rights could be exercised "by those who have a personal interest or act to protect the person concerned or for family reasons worthy of protection."

Legislative Decree 101/2018, which amended the Code to ensure its consistency with GDPR, came into force on 19 September 2018 and introduced article 2-terdecies of the Code. This new provision takes over the diktats of the repealed article 9, providing that "the rights referred to in Articles 15 to 22 of the Regulation referring to personal data concerning deceased persons may be exercised by those who have an interest of their own, or act to protect the data subject, as his representative, or for family reasons worthy of protection."

In the new normative formulation, therefore, the rights that can be exercised after the death of the data subject have explicitly been identified in those "referred to in Articles 15 to 22 of the Regulation," i.e. the so-called data subject's rights (right of access, right to rectification, right to be forgotten etc.), while in the previous version the formulation was broader.

The main innovation of the new piece of legislation, however, is to be found in paragraph 2 of article 2-terdecies of the Code, where, in relation to the "information society services", the interested party now has the right to prevent third parties, by means of an express declaration of will (presented to the data controller or communicated to the same), from exercising the data subject's rights on behalf of the deceased data subject.

The new Code, therefore, recognises the possibility for the data subject to dispose in relation to his or her digital inheritance, i.e. the rights of his or her digital identities, specifying, however, that the possible prohibition cannot cause prejudice "to the exercise by third parties of the patrimonial rights deriving from the death of the data subject as well as the right to defend their interests in court" (see paragraph 5, article 2 terdecies).

Rather than a digital will, this seems to be more of a right of veto, whereby the data subject may arrange the post mortem disposal of his or her digital data during his or her lifetime, provided that "the will of the data subject to prohibit the exercise of the rights referred to in paragraph 1 must be unambiguous and must be specific, free and informed" (paragraph 3).

Information is unclear on the limitation to the right of the data subject contained in the second part of the paragraph 3, whereby "the prohibition may concern the exercise of only some of the rights referred to in that paragraph." Reference is made to the rights of the data subject referred to in paragraph 1 (Articles 15 to 22 of the GDPR), although it is not clear why the prohibition may concern only 'some' of those rights, or which it applies to.

This is an unfortunate legislative formulation, which will undoubtedly lead to serious interpretative doubts in the foreseeable future, when the exercise of the rights inherent in one's digital heritage will become increasingly widespread.

The digital will document and other precautions

Odd as it may seem, the best solution to protect one's digital assets may seem to remain an old-school, offline will, whereby one expressly outlines how he/she wants the digital heritage to be managed.

The National Council of Notaries has been dealing with this issue since 2007 and has also adopted a catalogue of warnings (such as: "entrusting someone with the password of an online bank account does not mean leaving them the resource") and suggestions (such as: "social networks, email, remote disks, in short, all the online services that you use are based in Italy? If the answer is no, remember that if you do not do it on time, recovering your data could lead to expensive disputes with international elements")[1].

The National Council of Notaries has reconstructed the issue through the general categories of law and have found a solution to regulate their digital inheritance through the so-called post-mortem mandate. This kind of mandate is allowed in our legal system and can be used to give a trusted person credentials for access and specific instructions on what to do in case of death. The fact that the activity, which is the subject of the mandate, does not have a patrimonial character, prevents the mandate being considered contrary to the prohibition of agreements as to succession. The National Council of Notaries also specifies in its study that "Passwords, credentials and mortis causa succession", "this seems to be exactly the case since, as has already been observed, allowing access to a physical or online resource is not equivalent to intervening on the legal relations, dominical or otherwise, of which the materials that the resource itself holds are the object."

On the contrary, a traditional will document is not considered, at the moment, a viable method for the transmission of access keys to one's own digital heritage. In addition, because of the peculiar characteristics that it has in our system (think, above all, of advertising) that makes it unsuitable for the transfer of data that by their nature should remain confidential (access credentials, usernames and passwords).

It would be desirable for each of us to "clean up" our online presence and remove unnecessary accounts and profiles and finally, when choosing a service, for example, a mailbox, to read the conditions of the service so as to avoid, where possible, entering into contracts with complex cancellation conditions.

A few practical examples: the Google and Facebook policies

It is not always easy for heirs to be able to interact with providers when trying to secure the deceased person's oblivious account details.

Email service providers have very different policies. For instance, Yahoo requires the non-transferability of the account whose content is completely deleted upon notification of the death of the account holder. Google, on the other hand, offers its users the possibility to predetermine who will have access to their account and whether it should be deleted through the 'Inactive Account Management' function.

However, if the user has not availed of this option, Google's policy requires the account holder to co-operate with close relatives, considering the possibility of closing the account or obtaining some of its content, but without ever providing access data, which shall remain subject to protection in accordance with the confidentiality of the user, even after his or her death.

Some social networks, such as Facebook and Instagram, offer the possibility to convert the profiles of deceased people into commemorative pages. Leaving aside the ethical issues related to mourning (and the good taste of such a choice), it should be noted that the policy of Facebook has changed following a ruling of the German Federal Court of Justice (in Karlsruhe on 12 July 2018). That obliged Facebook to provide parents with access to the profile of their daughter as a result of her death having occurred in uncertain circumstances. The court's reasoning was to assimilate Facebook as a ‘paper’ diary that can undoubtedly be "inherited", especially when there are particular and significant interests as in the present case.

Facebook, therefore, today allows users to identify an ‘heir contact’ who will be allowed to access and manage the account of the deceased, with some limitations.

If that ‘heir contact’ does not opt to delete the profile, the account will then be transformed into a commemorative account, whereby the heir(s) may write posts and edit the profile image, but has no power of interaction with respect to chats, posts and activities undertaken in the past by the de cuius, for which it considered the prevailing interest to be that of protecting the confidentiality of the original user.

Conclusion no. 1: As of today, the matter of post mortem digital heritage, in fact, continues to be governed by the terms and condition of Internet service providers

In light of the abovementioned arguments, the issues related to digital identity and digital heritage are topical but still lack coherent and efficient (EU or state) regulation, resulting in a situation where, once again, it is the service providers (and their users), who have address these issues by creating a 'best' practice.

In this situation, we can only that the popular adage "prevention is better than cure" be followed. Therefore, initially, ensure that people are aware of their digital identities and everything that comprises those (a search of their accounts, elimination of unused or superfluous profiles, and choosing services with more flexible cancellation conditions). Secondly, to ask them what fate they want for their digital heritage, providing a detailed guide to their heirs (the writers and/or custodians of the so-called digital will document, drawing up a list of passwords and access data).

Remember, digital personal data does not die with the person concerned; indeed, it is potentially eternal.

Conclusion no. 2: What should drive digital heritage regulation?

From a de jure condendo perspective, legislators' attention must be drawn to such vital issues, given the importance (including economic) of the underlying interests, where there is a risk of frustrating digital assets of great value, without any possibility of transmitting them to their heirs.

From a subjective point of view, discussions regarding a subject's digital inheritance requires: (i) identifying the user and the jurisdiction where he/she constructs his/her digital identity; then (ii) tracing him/her back to a unique heritage; from an objective viewpoint. On the other hand, it is possible to distinguish between: (i) online digital heritage; and (ii) offline digital heritage, which can and must be the subject matters of different regulations.

Another interesting prompt concerns the notion of 'digital asset.' Italian jurists tend to consider digital assets as any other " tangible or intangible entity, legally relevant" contemplated under article 810 of the Italian Civil Code, and to be "suitable to satisfy interests worthy of protection". If one agrees with this thesis, it follows that digital data are part of an individual's assets.

If one looks in general at the system of succession law in Europe, it can be seen that it differs considerably in each Member State, so much so that it to attempt a comparison between different legal systems would be complex.

It is precisely for this reason that it is considered that regulatory intervention in the succession of digital assets should not come from the national legislator but rather from the European legislator, in order to avoid other legal conflicts. Thus, rather than waiting for each Member State to issue its own law regulating the digital inheritance, and then intervening with a uniform approach, the European legislator could use the form of a Regulation (as already in place for the protection of personal data) in an area of law where most Member States yet to adopt any regulation. This could be a potent tool both when attempting to avoid further fragmentation in the field of inheritance and to complete the standardisation work started with Regulation (EU) 650/2012.

Pending regulatory intervention, it is up to legal practitioners, in particular notaries and lawyers, to create a good enforcement practice.

In the interim, these practitioners may advise their clients that it is best to: (i) reconstruct a digital identity (by deleting unused or superfluous profiles and giving preference to online platforms with more flexible cancellation conditions); and to (ii) ask them what fate they want for their digital assets, providing detailed guidance to their heirs (drafting of the so-called "digital will document", drafting the list of passwords and access data &c.).

The practicable way at the moment is to draw up a post-mortem warrant. Clearly, this instrument remains valid and usable as long as, following the death of the principal, it does not lead to a mandate being given to the agent undertake acts which would require the attribution of inheritance rights in contempt of the prohibition of agreements as to succession.

On the other hand, as far as property rights are concerned, and pending legislative reform, it may be useful to use the provisions of the traditional will, although possible contradictions with the limitations laid down in the contract with the provider may be expected.

Currently, most service providers have partially modified their general terms and conditions by providing that, where the user is resident in one of the Member Countries/States, the applicable law and the competent court will be those of his/her habitual place of residence.

In the case of an Italian deceased person who has also drawn up a digital will document, the platform may not refuse to communicate to the heirs or legatees the credentials to access the user's profiles and take possession of data or content of patrimonial value (given the invalidity in our legal system of any clause limiting the succession in the assets, including digital). Therefore, contractual access restrictions would not be valid, where there is a valid testamentary provision that the provider cannot fail to comply with.

However, it will be necessary for users to make a survey of their digital identities i.e. of their presence on the web and, consequently, of the existing contracts with the various service providers. Even the acceptance of the conditions of use of a social network that provides for the deletion of one's data after death could be considered a valid clause, which also takes the form of a post-mortem mandate having as its object the destruction of digital content or correspondence and in which the mandated representative is itself the provider. Although the average user may be unaware of the general terms and conditions of the contracts he or she enters into with the various services available to the digital society, it is advisable for legal practitioners to ensure that the user is aware of the consequences of his or her actions, which without the necessary precautions could lead to such definitive consequences as the irreversible loss of his or her digital data.

Key Take-Away Points
  • In the online world, people generally leave behind countless traces, such as purchasing preferences, images, passwords; this myriad of information gives shape to the digital identity;
  • the Recital 27 of GDPR expressly excludes from its scope the data regulation of deceased persons while acknowledging the possibility for Member States to regulate the matter autonomously;
  • the Italian Privacy Code recognises the possibility for the data subject to dispose in relation to his or her digital inheritance, specifying, however, that the possible prohibition cannot cause prejudice "to the exercise by third parties of the patrimonial rights deriving from the death of the data subject as well as the right to defend their interests in court";
  • some social networks, such as Facebook and Instagram, offer the possibility to convert the profiles of deceased people into commemorative pages;
  • the National Council of Notaries has reconstructed the issue and seems to have found a solution to regulate the digital inheritance through the so-called post-mortem mandate.

Filippo Maria Volpini , Legal Intern, contributed to the writing of this article