Data privacy for the departed
Do those who have passed on to the next life still get to enjoy privacy? It’s a question that has surfaced a couple of times this past year, not necessarily due to the COVID-19 pandemic but because of events that have transpired in the midst of it.
One of the more notable occasions took place in March 2020, back when the health crisis was still in its early stages here in the Philippines. An aircraft being used as an air ambulance burst into flames and exploded while taking off, killing all passengers on it. Word about the incident spread so quickly that in about an hour, the names of those who perished were already all over social media.
No less than a copy of the General Declaration (and Air Cargo Manifest) for the flight—which did not only identify the victims, but also gave away other details like their sex, birthdate, and passport number—was being shared across a number of social media platforms. Some media organizations were in on it too, as they used the same image to complement their respective news reports.
There were people who questioned the propriety of having all that information leaked to the public. It was possible that relatives of the victims had not yet even been officially notified by authorities of the tragedy. They must have been so distraught to learn about it from acquaintances and even complete strangers.
Others had more pointed questions: was the disclosure legal? Wasn’t it a violation of the country’s Data Privacy Act (DPA)? Even if those people had already died, weren’t they still protected by the law?
If one looks at the DPA, the answer that one gets would be in the affirmative.
According to the law, the heirs of a man may invoke his rights as a data subject at any time after his death. Thus, in the same way that that man could challenge the lawfulness of the disclosure of his personal data (and even file a related complaint) while he’s still alive, so too could his relatives after his death.
Now, it is true that the idea that a lifeless body could somehow still assert some rights—even if it’s to be channeled via living individuals—is rather special or at least uncommon. However, that is not to say it’s unique or unprecedented.
Under Philippine law, an individual’s juridical personality is generally extinguished once he or she dies. That’s supposed to mean he or she will retain no legal rights. Exceptions do exist, though, such that some rights (and even obligations) may be transmitted by a person to his or her heirs via different means (e.g., law, contract, will, etc.). For example, by law, people get to distribute their properties among their heirs after they’re gone. Similarly, according to the country’s libel law, it is possible to prosecute someone who “blackens the memory of one who is dead”.
In other words, it’s accurate to say that people retain some rights, even after death. What the DPA does is simply add a few more to those rights.
But how about other countries and their laws? Are they as generous when affording people rights post mortem?
As one might expect, there is no uniform answer to that query.
Take the case of the European Union’s General Data Protection Regulation(GDPR). Widely considered to be the benchmark of all data protection laws today, this piece of legislation is categorical when it says it does not apply to the personal data of deceased persons. Despite this, though, we should note that it has not shut the door completely to the idea. This is because it also says member States can provide for rules regarding the processing of personal data of deceased persons.
One should not be surprised then that some European countries that are part of the Union do, in fact, recognize data protection rights favoring the deceased.
In France, since 2016, individuals can regulate the processing of their personal data after their death. Under the French Data Protection Act, a person can give data controllers either generic or specific instructions as regards the retention, erasure, and communication of their personal data once he or she dies. Designating a person who will make sure his or her instructions are followed is also allowed.
Meanwhile, a 2018 amendment to Italy’s Data Protection Code declares that the rights of a deceased data subject may be exercised by any person who: (1) has a personal interest; (2) is acting in the interest of the data subject as an authorized representative; or (3) is acting for family reasons “worthy of protection”.
This trend is not limited to legislation. In July 2018, for instance, the German Federal Court of Justice held that the heirs of the deceased have the right to access the Facebook account of their dead relatives, premised on the idea that a social media profile is inheritable just like physical goods.
Whether or not our own Supreme Court will follow suit is something to watch for. It seems the high court has yet to come across a case that would allow it to discuss its views on the matter.
There are those who might argue that the Zarate v. Aquino III (2015) case would have been a good opportunity. Unfortunately, just like Vivares v. St. Theresa’s College (2014), which the Court took on first, it involved a habeas data petition wherein the petitioners did not make any effort to cite or invoke the provisions of the DPA. In Zarate, the Supreme Court ruled that heirs of a deceased cannot join a habeas data petition because the Rules on Habeas Data contemplate a petitioner or aggrieved party who is still alive. Accordingly, heirs have no legal standing to sue on behalf of their deceased relative.
As far as the National Privacy Commission is concerned, it has in the past confronted specific questions concerning the personal data of deceased individuals, but its answers either steered clear of any substantial discussion or did not have to resort to one in order to address the query. Through its AdOp 2018-035, it simply declared that the submission of personal data of deceased persons is allowed when required by law, while in AdOp 2020-004, it held that the processing of personal data of barangay officials, including any related claimed death benefits, fall outside the scope of the DPA.
With that, we come full circle and are brought back to the main thesis of this piece, which is that even in death, a person still retains his or her rights as a data subject. The protection afforded by the DPA persists. It is a concept that any prudent organization that has custody of his or her personal data ought to keep in mind. After all, the heirs may yet opt to exercise those rights, especially in relation to any data breach or violation of the DPA the entity could figure in.
That the application of the law won’t be simple and will probably be subjected to legal challenges is almost certainly a given. Its language definitely doesn’t make it easy for anyone (including the courts) to interpret its full meaning and facilitate its implementation. But that is a concern that is sure to be resolved in due time.
To the more discerning controllers, what’s important is to avoid any transgression of the law that is inadvertent or brought to bear by sheer ignorance. For the individual data subject, there’s no denying that there is greater comfort in knowing one’s departure from this plane of existence doesn’t deprive one completely of rights and the protection of the law.
This article first appeared on GMA News Online on Mar. 23, 2021 10:00 am.