Szabolcs Németh : A legal case about the problematique of personal data after death

It’s been a while since I wrote my last post on the blog. It was becasue of technical issues about the site, but fortunately the problem has been solved. To continue the introduction of the topic of online data after death I publish one of my short studies from May 2018 about a specific legal case in Hungary which drew the attention of the Hungarian Data Protection Authority to this topic.

  1. Introduction

It is unquestionable that the Internet has gradually become a decisive part of our lives since its release, and in the last few years the related processes have accelerated so dramatically that it is difficult to keep up with them.

If we only look at the one but perhaps the most significant segment of the services available on the Internet: In 2017, it is estimated that 269 billion emails per day were sent by humanity. The numbers in connection to the most dynamically developing set of online content, the social networking sites: there are currently around 1.4 billion active Facebook users, so nearly 18.4% of the world’s population already use the most popular social site on a daily basis! This telling information is linked to the fact stated by an author of an article in the summer of 2017: 10,273 users of Facebook die a day. When discussing this topic, the first question is why is it important at all to settle the legal fate of such online data after death? Different types of online data can activate different motivations, whether it is a purely emotional or even real economical interest.In this text we are introducing a legal case from the praxis of the Hungarian Data Protection Authortiy[1] which highlights the basic legal contradiction which is lies in the topic of personal data after death.

  1. The legal case

A letter was sent to the Authority in the autumn of 2015 called for a terrible tragedy. A married woman with two children from a small town in Hungary got in connection with an Indian man on Facebook and a close emotional relationship formed between them in a short time. The man tried to get the woman to help him get to Hungary by sending a letter of invitation for the visa, because he wanted to marry her. She tried to meet the increasingly demanding needs of this man, but her husband became aware of the secret relationship. Then a few days later, the husband brutally murdered his family (his wife and two young children) one night, and then committed suicide.

The terrible tragedy, however, did not end here. The Indian man started to find the lady’s acquaintances and his mother by phone and on Facebook, still claiming for help to getting to Hungary. Since the relatives did not fulfilled his claims, he started to publish intimate photos of the woman on Facebook as well as recordings of their intimate conversations, trying to blackmail the grieving family. Later, he gave interviews for several tabloids and TV shows and kept harassing the family, for example, publicly shared the mourning mother’s phone number. A submission had been sent about this case to NAIH.  This terrible case raises several questions. There can be no doubt about the violation of the legally protected memory of the deceased. The threat of grandmother constitutes the crimes of the Hungarian Criminal Code Coercion and Harassment.

The Indian man is responsible for infringements of Criminal Law and International Civil Law.

Of course, his actions will have to be condemned on a moral basis, but in the point of view of our topic it demands a study carried out deliberately.

From the point of view of data protection law, the NAIH was unable to provide much help in submitting a response to the complainant. The territorial scope of the Hungarian data protection law does not apply to the data controller, since it is applicable to data management in Hungary.

Facebook’s European servers are located in Sweden and Ireland[2], so the only practical tool to remove offensive content is the so-called ” “Report” to alert the service provider to these content.

So, according to his previous practice, Facebook “shoots and then asks” in this respect, meaning that after the report, it removes the content that is suspected of the infringement. The right of protection of personal data provided by the Hungarian Data Protection Act necessarily belongs to the natural person affected by the data, so in this case the rights of the deceased woman could not be enforced because of her death. The disclosure of intimate photos clearly implies a serious violation of the deceased memory.
Section 2:50 of the Hungarian Civil Code states that a person who is a relative of the deceased or a person who has been appointed as a beneficiary in the testament is entitled to launch a lawsuit to the court for violating the memory of the deceased.

The biggest problem is that we can not find any legislation in force that protects the “privacy of the deceased”.

As it was highlighted in the previous section of this study, the death of a natural person means that he will not have his personal rights anymore, so there will not be any person who can take action to protect them. However, in the jurisprudence there is a so-called “progressive“ interpretation of the right to protect someone’s memory. According to this, the personal rights of the person continue to live after his death, and they may be exercised by the “holder” of the pardon law, that means that the violation of the deceased’s memory is primarily offensive for his relatives, offenses their right to remembrance, so after the death of the deceased, they have the legal tools for protection.

We contacted a few data protection authorities all around Europe with a questionnaire about the legal interpretation of similar legal cases. We have got  similar letters referring to obstacles to the enforcement of privacy law. This approach, in our view, follows a correct logic but we can not see its appearance in the effective legal environment. The American regulation, which in some cases designates a “representative” who is acting for the deceased and the legacy during the inheritance process, when settling the fate of tangible and non-tangible property, is also built on this logic.

In our opinion this is can result an erroneous legal interpretation because based on its logic these data get into a legal vacuum by the death of the person who they are connected to. Did they practically lose their legal relevance and drift only as an IT unit in the sea of web 2.0? Scarcely despite of the approaches of effective laws and law enforcement agencies (data protection authorities on the first place). In our point of view, it is still more important in terms of the legal nature of these data that they were connected to a natural person at the time of their creation and could have a lot of relevance even after the death of that person.

  • Summary

Following the case, a recommendation[3] was issued on the subject of online legal death, and the president of NAIH, later turned to the Ministry of Justice calling the attention of the ministry and the legislative backlogs on the subject. In September 2017 the draft of the new Hungarian data protection law – which performs the harmonization of the national law to the GDPR – has been published, and it contains specific regulations in the aspects of posthumous data management issues.[4]This is also the effect of The General Data Protection Regulation which directs the regulatory issues of online data of deceased persons into competence of the Member States. At the moment it is uncertain if GDPR will be the indicator of the legislation about this topic in Europe or it will provide the Member States the opportunity to ignore these questions for more time.[5]

[1] Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH

[2] As those data are planned to move to the USA to avoid the legal challanges of GDPR:

[3] As a recommendation it has no legal coercive force.

[4] The draft has not been enacted by the Parliament despite the real close date of when the GDPR will enter to force (25.05.2018.).

[5] Text closed: 02.05.2018.