News

From digital to health

By 30 September 2022 October 25th, 2022 No Comments

From digital to health

Article

From digital to health: how does France ensure the protection of personal data of deceased persons?

30 September 2022

What happens to an individual’s personal data after her/his death? Overview of the solutions proposed by the French legislator to regulate this situation in field of digital and health.

1. “Digital death”: a French specificity

The rise of the Internet and new technologies has led to the development of social networks and the use of digital technology in everyday life and economy. The French legislator has sought to know how to accompany this movement while reconciling it with the defence of the interests and the privacy rights of individuals. Thus, the French legislator has adopted the law of October 7, 2016, translating its desire to build the Digital Republic. With this Law, it wants to facilitate access for French citizens to an open digital environment allowing the circulation of data while respecting their privacy.
The law of October 7, 2016 has introduced the principle of “digital death” into Article 85 of the French data protection (law of January 6, 1978, and updated on June 20, 2018 (also known as “Technologies and Civil Liberties Law”). This principle enables each natural person to provide “directives relating to the retention, deletion and communication of personal data after his/her death”. This measure comes in response to the strong expansion of social network platforms. Indeed, this evolution of society has pushed the French legislator to think about the supervision of personal data of deceased persons holding accounts on these platforms. By introducing this measure two years before the GDPR came into force, France demonstrated its avant-gardism by being the only European Union Member State to apply the principle of “digital death” within the European Union. The Commission on Information Technologies and Freedom (CNIL), the French data protection supervisory authority, is contributing to the proper implementation of this principle by editing a practical sheet on the subject on its website. Through links, this sheet refers to the procedures proposed by the various social networking platforms to ensure the protection of the personal data of deceased.

2. Alternatives modalities from Article 85

No contractual clause can limit in any way the rights on personal data granted by Article 85 to a deceased person even after her/his death. Two cases are introduced by this article: either the person concerned has left general/specific instruction to this effect before his/her death, or he or she has not left any instruction, in which case the heirs take over.
On the one hand, general instructions can be registered with a trusted and digital third-party certified by the CNIL. On the other hand, specific instructions are given to a specific data controller who has previously received the consent of person formulating them. This consent must be specific and can’t be deduced from a global acceptance of general terms & conditions.
In the absence of instructions left by the deceased, his or her heirs take over the exercise of the rights granted to him or her under Article 85 with respect to his or her personal data. After duly informing the data controllers of the individual’s death, the heirs may close the deceased’s user accounts, object to the processing of the deceased’s personal data or have them updated. They may also access the processing of personal data concerning the deceased in order to identify and obtain communication of information useful for the liquidation and sharing of the estate.

3. The protection provided in the field of health

The mechanism from Article 85 shows that the death of a person does not entail the loss of protection and the exercise of his or her rights with regard to his/her personal data. This logic of conservation also guides the protection of medical records of deceased persons;the French Public Health Code restricts the access of heirs to the medical information in the name of medical secrecy and the right to privacy of the deceased. Article L1110-4 makes this access subject to the following conditions:

  •  the deceased person must not have previously objected before his death
  •  the applicant must be a beneficiary of the deceased person;
  •  the request for access must be based on the following grounds: to know the causes of death; to defend the memory of the deceased; to enable the applicant to assert his or her rights.

Any form of dispute relating to a request for access to a medical file made by someone other than the holder may also be submitted to the Commission for Access to Administrative Documents (CADA) for an opinion. This independent administrative authority is responsible for ensuring freedom of access to administrative documents in compliance with the regulations in force. This mission may therefore lead it to act in favour of the preservation of the personal data of a deceased.

4. The expression of the individual’s right to privacy

Data protection of deceased encounters some limitations concerning the prerogatives granted to this one and his/her heirs.
The French legislator grants the deceased a certain number of rights even though he or she no longer has legal capacity due to his or her death. This ambiguity raises the question of whether the digital identity resulting from the Internet can offer an individual rights similar to those of his or her physical identity, which also defines his or her legal capacity.
In 2016 and 2017, the French Council of State recalls in two rulings that heirs are not authorised to take the place of a deceased in the exercise of his or her rights relating to personal data. The Council of State does not consider them to be concerned by the exercise of these rights. In both rulings, it has confirmed decisions made by the CNIL limiting the access of heirs to the personal data of a deceased person. In the first case, the CNIL had been seized by heirs following the refusal of the employer of a deceased to transmit the record of telephone calls made by the latter. In the second case, the CNIL ruled on the refusal of a mutual insurance company to grant the son of a person who died in a car accident access to the latter’s file containing his/her personal data.
Beyond these limits, the protection of personal data of a deceased persons can be seen as an expression of his/her right to privacy as an individual. This right is guaranteed at the highest level in the French legal system. In a 1995 decision, the Constitutional Council confirmed the supreme value of this right, which is enshrined in Article 66 of the French Constitution but also in Article 12 of the United Nations Universal Declaration of Human Rights. This legal basis therefore fully justifies the implementation of this protection in the interest of the deceased.

If you have any question regarding Data Protection & Privacy in Life Sciences, contact us

Benoit Morel

Benoit Morel

Data Protection Manager

If you want to contact us

Contact us