What happens to our online data when we die?

Here, Dr Elaine Kasket, psychologist, speaker, and writer, explores our digital afterlives and what happens to our online data when we die

Fifteen years ago – when I began studying death and the digital –the online data of the deceased was a niche area of technology ethics. It’s not niche anymore, and not just because the citizens of the digital age are ageing.

During the COVID-19 pandemic, even people with previously scant digital footprints have fled online to maintain work and social lives. We’re even dying online, on sickbed and deathbed video calls. Virtual funerals and memorials are the new normal. Now that we’re routinely living, dying and remembering the dead in the online space, we’re starting to be more aware that the data we produce in these interactions don’t just disappear when we’re gone.

If digital ‘selves’ live on, what should happen to them?

Historically, the dead didn’t have the right to privacy. Most contracts dissolve upon death. Data protection regulations like GDPR don’t consider the dead to be data subjects, leaving data controllers at liberty to shape our digital afterlives. For various reasons, our information environment tends to hang onto deceased people’s information, by default or by design.

Retention by default

Retention by default occurs when data controllers don’t know someone’s dead, and when executors or next of kin don’t know how to locate, access, or close down someone’s accounts. As you can imagine, this situation is common, and any live account can be hacked, profile cloned, and otherwise utilised for impersonation and fraud. Impersonation gets interesting when technology is sophisticated enough to resurrect the late James Dean for a new film. Just imagine the deep fake that could be created if someone could access all the audio/visual data from every Zoom meeting you’ve had since coronavirus lockdown. Finally, because our information is so interconnected online, it’s not easy to take action or decisions about the data of the deceased without also making decisions about the data and the privacy of still-living persons. The dead stay intertwined within their erstwhile social networks.

Retention by design

Retention by design happens when a platform – like an SNS – enables ‘memorialisation’ of accounts, which some assume should happen by fault. In November 2019, Twitter announced an imminent cull of inactive accounts but backtracked after an outcry from the bereaved. With so much superfluous data heating up the world’s data centres, though, why should companies that never set out to be legacy sites assume this role?

The pandemic has cast two things into sharp relief: our reliance on the digital environment, and the reality of our mortality. It’s time to take smarter, bolder, more decisive actions in deciding what to do about the data of the deceased. What kind of ethical minefield will we enter when an AI is trained on the data of a once-living user? What will ‘life’ and ‘death’ mean then, and what rights should such an entity have? With deep fake technology, how will we distinguish the genuinely alive from the impersonated dead? It’s no longer sci-fi – we need to discuss this today, not tomorrow.

Data Ethics Commission

In their October 2019 report, the Data Ethics Commission in Germany stated that ‘records [being] handed over to a deceased’s heirs adds a whole new dimension of privacy risk.’ They recommended new obligations for service providers, quality assurance for digital estate planning, and regulations for ‘post-mortem data protection.’ Let’s hope the next GDPR tackles the issue of deceased people’s data.

Without regulation, for-profit companies will continue to write rulebooks variously and self-serving. Law and regulation around wills and probate tends to be highly localised – nominating a Legacy Contact on Facebook holds legal weight if you live in California, but not if you live in England. Our digital lives are lived on a global stage, and we should arrive at a worldwide regulatory framework, to which all data controllers and processors must conform.

Collaboration

To accomplish this, we must collaborate better across this fundamentally interdisciplinary area. In law alone, we need specialists in probate, intellectual property, data protection, human rights, and contract law working together. Having observed that applying digital assumptions, laws, and concepts to the digital context often acts like a square peg in a round hole, we need to think outside the box, or build a new one.

Our current, heavily centralised web makes it more challenging. Data portability – aided by blockchain technology – would enable us to retain more power and control over our data within our lifetimes, and to plan for that information’s disposition after our deaths. When law and regulation supports us in the disposition of our personal digital information, without compromising the privacy of others, we’ll be on the right track.