The grieving parents of a dead teenager in Germany were recently denied access to their daughter’s Facebook account. They wanted to read the profile page to see if she was being bullied, but the social network argued that doing so would compromise the privacy of her contacts – and a judge agreed. None of this, however, takes into account what the girl would have wanted.
As you share more of your personal information, communications and photographs online, there is a growing risk that one day your sentimental keepsakes could be locked up for ever. Or, on the other hand, that your family, friends or heirs may gain unwanted access to intimate records. It’s time for the law to offer the same protection to our online property as it does to our physical possessions.
In most countries’ legal systems, individuals have the right to decide what happens to their wealth and assets when they die. This is the long-established principle of testamentary freedom – that is, freedom to make a will and bequeath your assets to (arguably) whomever you wish. This principle is underpinned by Western ideas of autonomy and free will, established in works of philosophers such as John Stuart Mill, John Locke, Immanuel Kant or Jeremy Bentham.
In my research, I argue that this same autonomy and freedom should extend online and enable individuals to decide what happens to their online “wealth” (mainly their personal data) when they die. Only 38% of people surveyed in England and Wales in 2015 had a will, meaning most people hadn’t made legal provisions for their deaths. Yet we still think the law should offer this protection. So even if most people don’t care about protecting their online data after they die, in principle there should still be a way for someone to do so.
My colleague Prof Lilian Edwards and I believe there should be a mechanism to address this inconsistency that we would call post-mortem privacy. This refers to the right of a person to preserve and control what becomes of his or her reputation, dignity, integrity, secrets or memory after death.
At the moment, this kind of protection varies around the world and, in most jurisdictions’ succession laws, families have a default access to a deceased person’s memories and data. Service providers already permit some of this, too. For instance, this means that families can ask for Facebook accounts to be deleted or for access to some of the content (but not private chats). They can also request the profile be turned into a memorial.
But users might not want their families to have these powers and instead might want control over the very sensitive personal content found on some social media profiles and the digital identity that goes with it. The legal recognition of post-mortem privacy would enable users to decide what happens to their data after death. They could request full or partial deletion, transfer of some of their data to friends or family, or some other option.
This concept has so far received little attention in law – especially in common-law systems, such as in England, where legal decisions depend partly on previous judgments. Common-law system have historically been much less inclined to protect personalty and privacy rights than civil law systems. This is particularly true for the post-mortem protection of one’s personality. In fact, the UK law expressly excludes this protection. But there have also been some very exciting recent changes in the US and France.
The model law adopted by several states in the US suggests that the user should have a right to choose what happens to their data and assets on death. If people express this wish using technology, for example with something like Google’s Inactive Account Manager tool, then that should override even provisions of their will.
A similar solution has recently been adopted in France in the Digital Republic Act 2016. This would mean that, for the first time in Europe, the law could recognise the use of software tools for the post-mortem transmission of digital assets, such as Google Inactive Account Manager or Facebook Legacy Contact, similar to the American legislation mentioned above.
These tools within the services where we store our data allow users to choose whether they want their accounts entirely deleted after they die or to leave some of their data to chosen beneficiaries (typically their friends or family). Although these tools have been available for a few years with, anecdotally, relatively little uptake, the fact they have been adopted by some of the world’s biggest service providers suggests post-mortem privacy is not seen as obscure, creepy or impossible anymore. There are already some practical and legal mechanisms to recognise and enforce it.
But to further clarify this legally and ensure more people have access to this kind of service, post-mortem privacy should be recognised in other countries’ data protection laws where personal data isn’t currently protected after death, for instance in the EU. Without it, we can expect to see many more battles over our online heirlooms.