Do the deceased have data rights?

When we think about the data privacy rights of people, there tends to be a natural assumption that those people are living. And that’s probably fair. After all, data privacy rights are still in their infancy in the grand scheme of things and there has been no real history of estates suing providers for privacy violations related to a deceased person. But it got me thinking, what data privacy rights, if any, apply to data pertaining to deceased people? Society has always afforded the dead some rights, which may not be immediately obvious. In the brave new world of data privacy, the answer is a little trickier, and it depends on which laws we’re talking about.

Most of the time, when a person dies, their account becomes inactive. (Although there have been some interesting exceptions in recent years.) Facebook has an estimated 10 million to 30 million deceased users, which is likely around 1% of its accounts. (Meanwhile, most of us would be glad to have that many visitors in total.) And that doesn’t include the various accounts made for George Washington and similar public figures that pre-deceased Facebook. An article from Time estimates that deceased Facebook users will eventually outnumber living ones, sometime in the next 50 years. And the issue is beginning to gain some scholarly attention in terms of what to do about it.

Let’s start with the low-hanging fruit. This is a rare instance where the GDPR is more illuminating than our domestic legislation. The GDPR Citation (27) states:
"(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons."

It is mentioned again in GDPR Citation (158):
"(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behavior under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes."

So, that was simple enough: the GDPR does not protect deceased people’s data. But what about here in the U.S.?

The HIPAA Privacy Rule protects medical information of a deceased person for 50 years after the person’s death. But HIPAA applies mainly to medical information, and does not protect much of the financial information that cybercriminals go looking for. And other U.S. privacy statutes generally are not as explicit.

For instance, under the CCPA, a protected “consumer” is defined as “a natural person who is a California resident.” Further, the California Code of Regulations defines a resident as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.” Where does that leave us? While there is no known instance of a CCPA enforcement arising out of a deceased person’s data, is a deceased person a “resident” of California? If we are being really technical, does it matter whether the individual is buried or cremated? Arguably, if they are buried, they would continue to be an individual who is in the state, right? Are they still an individual if they are cremated? These questions are somewhat macabre, and they just beg further questions.

The privacy laws of other states are no more illuminating. In New York, the SHIELD Act protects “persons.” However, there is not widespread agreement on who (or what) qualifies as a person. See Matter of Nonhuman Rights Project, Inc. v. Lavery, 2018 NY Slip Op 03309, 31 N.Y.3d 1054 (2018).

Ultimately, if this issue ever comes up, it is likely to be a question for the courts. Especially in California, it seems inevitable that an estate may eventually sue for CCPA violations. Until then, we can only speculate.
