Author: Dorcas Tsebee
Introduction
What happens to a person’s digital footprint after death? In an era where personal data is stored indefinitely across online platforms, cloud services, and corporate databases, the question of post-mortem privacy is becoming increasingly relevant. While many assume that privacy rights cease upon death, some legal systems recognise that certain protections should extend beyond a person’s lifetime.
Of the 55 member states of the African Union, 13 have specific provisions recognising post-mortem privacy rights under their data protection laws. These include Algeria,[1] Burkina Faso,[2] Cameroon,[3] Cote d’Ivoire,[4] Congo,[5] Ethiopia,[6] Gabon,[7] Guinea,[8] Mauritania,[9] Niger[10] Rwanda,[11] Togo,[12] and Tunisia.[13] [2] [3] While most data protection laws globally and in Africa define personal data as information related to an identifiable natural person, excluding deceased individuals, some African laws make provisions for processing a deceased person’s data under certain conditions. Tunisia stands out with its broad approach, attributing data subject rights to individuals and their heirs or representatives.
Understanding Post-Mortem Privacy
Post-mortem privacy, for the purpose of this article, refers to the continuation of data protection rights beyond the death of a data subject. This concept challenges the conventional legal understanding that data protection applies only to living individuals. The core question is whether a person’s digital footprint, including emails, social media accounts, and personal records, should be protected or accessible after death. Post-mortem privacy rights remain largely unregulated under many laws. Most jurisdictions focus on the rights of the living, with personal data being defined in relation to a natural, identifiable person, except for South Africa, which classifies data relating to juristic persons (e.g businesses and corporations) as personal information.[14] However, African data protection laws have introduced nuanced approaches, acknowledging that a person’s data may still have legal, ethical, and social relevance after death. While some laws include broader provisions on post-mortem privacy, rectification appears to be a key concern in safeguarding the integrity of personal data after death.[15] This recognises its importance in preventing misinformation and ensuring data accuracy when the deceased can no longer correct their records.
Post-Mortem Privacy Under African Data Protection Laws
While many African countries do not explicitly provide for post-mortem privacy, a growing number recognise certain rights that extend beyond death. In Cameroon, processing a deceased person’s data must cease upon their death, except in limited circumstances. These include legal mandates, defense of a claim against the controller, or if the deceased provided post-mortem instructions.[16] Ethiopia takes a different approach by allowing privacy rights to survive for 10 years after a data subject’s death, during which their heir is entitled to exercise data protection rights on their behalf.[17] Cote d’Ivoire similarly provides heirs with the right to rectify the information of a deceased data subject.[18]
Several African laws allow individuals to designate an heir who will exercise their data protection rights after death. This right is recognised in countries such as Algeria, Burkina Faso, Congo, Gabon, Guinea, Mauritania, Niger, Rwanda, Togo, and Tunisia. Tunisia stands out in this regard, as it is the only African country where data subject rights are attributed equally to both the individual and their heirs or representatives.[19] Unlike in other countries where an heir may only exercise rights posthumously, in Tunisia, heirs can act concurrently with the data subject.[20]
Implications for Data Governance
Including post-mortem privacy rights in African data protection laws raises important governance and ethical considerations. The lack of harmonisation across African jurisdictions creates inconsistencies in how post-mortem privacy is treated, making it difficult for businesses and individuals to navigate their rights and responsibilities. Additionally, with increasing digitalisation, data protection authorities may need to develop clearer guidelines on how data controllers handle requests from heirs.
Data subject awareness is another key factor. Few individuals actively consider what happens to their data after death, yet provisions allowing for heir designation could encourage greater engagement with data protection and privacy planning.
On the international stage, Africa’s approach to post-mortem privacy is ahead of many global data protection regimes, where such rights are often absent or undeveloped.
Operationalising Post-Mortem Privacy Rights
Enforcing post-mortem privacy rights presents practical challenges, particularly in verifying claims and ensuring compliance with legal provisions. Data controllers must establish mechanisms for authenticating requests from heirs or designated representatives, including requiring official death certificates, authorisation, and proof of relationship. Additionally, clear policies must be developed to guide companies and public institutions on data deletion, transfer, or continued processing in line with the deceased’s instructions. Public awareness is also critical, as many individuals may not be aware of their ability to designate heirs for their data protection rights in the countries where this right is available.
[1] Article 35(b).
[2] Article 17(3)
[3] Article 45.
[4] Article 32.
[5] Article 53&61.
[6] Article 23.
[7] Article 10.
[8] Article 34.
[9] Article 56.
[10] Article 30.
[11] Article 25.
[12] Article 50.
[13] Several provisions such as Article 32.
[14] Section 1 of South Africa’s Protection of Personal Information Act (POPIA) . The definition of a person includes natural and juristic persons. The definition of personal information includes information relating to an existing juristic person.
[15] Algeria and Cote d’Ivoire for example, emphasises this by granting heirs the right to request the rectification of a deceased person’s data.
[16] Cameroon DPA Art. 45
[17] Ethiopia DPA, Art. 23
[18] Cote d’Ivoire DPA, Art. 32
[19] For example, Tunisia DPA Art 32
[20] Operationalising this provision may be problematic. This could mean that the data subject will identify their heir (maybe the next of kin) during their lifetime.