This post has been authored by Purbasha Panda and Lokesh Mewara, fourth and fifth years from NLU Ranchi. It discusses the data protection laws for deceased individuals, and the legal justifications for post-mortem privacy.
Post-mortem privacy is defined as the right of a person to preserve and control what formulates his/her reputation after death. It is inherently linked with the idea of dignity after death. The first type of opinion with respect to post-mortem privacy raises the question of how there can be a threat to the reputation of a person if he no longer exists. However, there is another school of thought which argues that when a person’s public persona or reputation is harmed after death, he might not be defamed but the ante-mortem person could. Another question that comes up, is that when a person dies, does the interest of the dead person that survives become the interest of others or is it actually his interests alone that are protected or is it both the possible scenarios?
Private law justification of post-mortem privacy
There is an English principle called “Action personalis moritur cum persona”which means that a personal cause of action dies with the person implying a negative attitude towards death. However certain EU states following the civilian tradition have allowed protection of data of the deceased. Article 40(1) of the French Data Protection Act regulates the processing of data after an individual’s death. As per the article, individuals can give instructions to data controllers providing general or specific indications about retention, erasure and communication of personal data after their death.
In the US case of In Re Ellsworth[1], yahoo as a webmail provider refused access to the surviving family of a US marine killed in action. Yahoo argued that the privacy policy of the company aims to protect the privacy of third parties who have interacted with the deceased individual’s account. The family on the other hand, argued that they should be able to see the emails he sent to them, as well as the emails he sent to others since Yahoo follows a policy of deleting the account once the account user dies. The family argued that pursuant to this policy, there would be an imminent danger that emails would be lost forever. The court allowed Yahoo to stick to their privacy policy and it did not allow login and password access of the deceased individuals account but instead gave an alternate option of providing the family with a CD containing copies of emails in the account of the dead person. The ratio, in this case, raises certain questions with respect to where proprietary rights with respect to the content of a mail are placed. Is it transfer of property rights or is there any other mode to transfer content of the email to the legal heirs? One could view that since the deceased is the author of those emails, copyright could be vested with him. Subsequently, this could be transferred to his legal heirs, giving them a right to approach the court to access the emails. Another view could be that Yahoo was vested with proprietary rights in the email which could be made available to the family members on court order. There are certain practical problems with granting rights on the content of an email.
Justice Edward Stuart in the case of Fairstar Heavy Transport N.V v. Adkins[2] attempted to hypothesize a possible right to property over the contents of an email. This case dealt with a request of an employer to access content of emails on personal computer of his ex-employee relating to business affairs of his company. The question that came before the Queen’s bench was “Whether the claimant had any proprietary rights over content of the emails?”. This case held that the contents of an email cannot be subjected to proprietary rights and therefore the employer does not have an enforceable proprietary claim over the content of the e-mails. The court while trying to decide existence of a possible proprietary right over the contents came up with five possible methods of construing such proprietary rights. The first method would be that the title over the content of the email remains throughout with the creator or his principal. The second method would be that upon an email being sent title of the content would pass to the recipient (drawing from the analogy of vesting of title in passing of a letter according to the principles of transfer of property). The third method would be that the recipient of an email has a license to use the content of an email for any legitimate purpose consistent with the circumstance in which it was sent. The fourth method would be that the sender of the email has a license to retain the content and use it for any legitimate purposes and finally the last method would be that the title over the content of the email is shared between the sender and all the recipients in the chain. The court analysed the veracity of existence of each of these methods in construing a possible right to property over information.
The court held that the implication of adopting the first method would be that the creator of an email would be able to assert his title against the content of the world. The court opined that implication of this option would be strange and would have far-reaching impractical consequences. The court opined that if a possible title over the content of an email remains with the creator, then such vesting of title must allow the creator to use the very same title in all possible forms, which means it should also allow the creator to exercise the title by asking recipients down the chain to delete the content of the email. However, such exercise of the title is not feasible or practical, making this very option quite redundant. The court also rejected the second method. It rejected this method on the ground that if at any given point of time an email is forwarded to multiple recipients, the question of who had the title over its content at any given point of time would be extremely confusing. The third and fourth method mix the existence of proprietary right over the content of an email with nature of use of such information that is whether it’s use is for legitimate purposes or illegitimate purposes. The court held that the nature of use of information should not be an important consideration for exercising a proprietary right of control. The fifth option was also rejected on the ground of compelling impracticality.
The advent of digital will in India: future of data protection of deceased individuals?
If we look at the “Information Technology Act, 2000” then Section 1(4) of the IT Act,2000 read with the First Schedule of the IT Act provides that the IT Act is not applicable to a will defined under clause (h) of section 2 Indian Succession Act, 1925 including any other testamentary dispositions. If we look at digital wills in foreign jurisdictions, then the most talked about legislation would be the “Fiduciary Access to digital assets and Digital Accounts Act”. This piece of legislation is enacted by Delaware, which became the first state in the United States allowing executors of a digital will the same authority to take control of a digital asset. If we look at the 2016 Delaware Code, it basically revolves around the concept of ‘digital assets’ and the idea of ‘fiduciary’, as someone who could be trusted with the digital asset. The legislation defines “digital asset” as data, text, emails, audio, video, images, sounds, social media content, health care records , health insurance records, computer resource codes, computer programs and software, user names, passwords created, generated, sent, communicated, shared, received or stored by electronic means on a digital device.The legislation also defines a “fiduciary’ as a personal representative appointed by a registrar of wills or an agent under durable personal power of attorney. It provides that a fiduciary may exercise control over any and all rights in digital assets and digital accounts of an account holder to the extent permitted under state law or federal law.
Data Protection Bill
The Data Protection Bill, 2018 provides for the “right to be forgotten” under Section 27. It refers to the ability of individuals to limit, de-link, delete, or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant, or anachronistic. Now, upon an individual passing away, his sensitive personal data is up on line and if there is no regulation, his rights will be infringed as many times as the data fiduciary wants and the person does not have any remedy as the bill does not take into consideration the case of deceased individuals. The dynamic nature of data is such that it cannot be deleted on its own once the person is dead. The other provisions which are there for living individuals can be applied in cases of deceased individuals as well. UnderSection 10of the Personal Data Protection Bill, 2018, the data fiduciary can store data only for a limited period of time and can use the information only for the purpose it was taken for. If the data principle wants to amend any information or remove any information, he has the right to do so and the data fiduciary without any law cannot prohibit the person to do so. The current data protection regime fails to recognize and fulfil the needs for protection of digital rights. It is pertinent to consider whether the concept of a “digital asset” and “fiduciary” as present in Delaware legislation can be emulated in India. Protection of data post death involves questions of digital succession as well as intellectual property rights which is inheritable and this has to be taken into consideration while framing a legislation pertaining to post-mortem privacy. The number of internet users is estimated to be 566 million as of December 2018, registering an annual growth of 18%.Considering the growth of internet use in India, it is pertinent to have a proper legal framework for protection of data of deceased individuals.
[1]In re Estate of Ellsworth, No. 2005-296, 651- DE (Mich. Prob. Ct. May 11, 2005).
[2]Fairstar Heavy Transport NV v. Adkins. [2012] EWHC 2952 (TCC).