Online life after death faces legal uncertainty

Different jurisdictions set different rules for what should happen to online personal data after death

When people die in the real world, their online alter egos may live on, creating an unusual situation for those who only knew them through their online presence. The law is only beginning to address this limbo state, and fragmented privacy legislation provides no conclusive answer to the question of who should be allowed to access or delete someone's social networking profile or email correspondence after they die, a panel discussion at the Amsterdam Privacy Conference concluded.

When a Facebook user dies and Facebook is informed of the death, the company "memorializes" the profile, hiding features such as status updates, and allowing only confirmed friends to view the timeline and post on the profile.

Maintaining access to such a profile helps in the mourning process, said psychologist Elaine Kasket, who presented a paper on life after death on Facebook at the conference on Monday.

"Visible conversation with a person who died and about person who died is important in the grief process," she said.

But while that may be important to Facebook friends, the family might think otherwise. If a friend for instance posts a picture on the deceased's profile showing them drunk and passed out on the floor during a party this might give solace to the poster, but family members could want to remember them in another way, said Kasket.

A wall post like this could prompt the family to ask Facebook to remove the whole profile, and in that way re-traumatize close Facebook dealing with the death, who then have to go through a second shock when they realize that the profile too is gone, said Kasket.

This raises questions about how online personal data should be handled after someone dies, but there is no conclusive answer to that in current legislation, said Edina Harbinja, a PhD student at the Law School of the University of Strathclyde.

There are laws that concern online life after death, but they are fragmented and differ by country, said Harbinja, who studied different European laws on the subject.

In Bulgaria for instance, the heirs of the deceased can exercise the rights of their family member, she said. In Estonia, meanwhile, if someone gives their consent to the processing of their personal data by an online service, that consent is presumed valid for 30 years after their death, unless they indicate otherwise during their lifetime. "Conversely, in Sweden and the U.K., personal data is defined as something that belongs to the living, said Harbinja.

There is no pan-European legislation dealing with this problem yet. The draft of the European Data Protection Directive does not mention deceased's data in any context, she said. Since the legislation is so fragmented in the E.U., it would be a real improvement if post-mortem privacy protection were to be introduced in the proposed regulation to enable the same level of protection for Europeans' digital data, she said.

Data protection laws aren't the only ones that can be used to protect personal data after death: copyright law can also play a role, said Damien McCallig, a PhD candidate in the School of Law at the National University of Ireland, Galway.

"Copyright offers post mortem protection," he said, but that protection eventually expires.

Current copyright laws actually promotes publication and reuse, according to McCallig. Eventually the deceased's emails, private journals or blogs, and private and direct messages on social media will be copyright free and in the possession of service providers such as Google, Yahoo, Twitter and Facebook if they still exist in the future, he said.

"Maybe you should have a time limit that automatically deletes data after a certain time," he said, adding that at the moment there is no comprehensive legal solution to regulate what should happen to someone's online data after he dies.

While copyright might offer some protection and can function as a surrogate regulation of digital remains, further research is needed to come up with a regulatory regime for online life after death, said McCallig.

Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place