On 12 July 2018, the Bundesgerichtshof, Germany’s highest court (“BGH”) ruled that Facebook must grant grieving parents access to their late daughter’s Facebook profile and private messages. Facebook had refused access on the grounds of data protection.
In a landmark decision, the BGH ruled that parents can inherit their children’s social media contracts with social media platforms and should therefore be given complete access to their children’s accounts. The BGH stated that online data is inheritable and for the purposes of inheritance law, should be treated in the same way as physical documents, such as private diaries or letters.
The case involved a 15-year old girl who was killed by an underground train in Berlin in 2012. The girl’s parents requested access to her Facebook account to establish whether their daughter had died accidentally or had committed suicide and, based on that, whether the train driver was entitled to compensation.
In cases of death, Facebook’s policy is to allow relatives of the deceased partial access to the account, allowing them to change the page into an online memorial or to delete it entirely. Facebook refused full access to their daughter’s account, citing data protection laws and privacy concerns regarding the girl’s social media contacts. This case was considered within the parameters of the previous data protection regime as the relevant time was pre 25 May 2018.
Berlin’s highest state court ruled in favour of Facebook in May 2017 and found that any contract between the girl and the social media giant ended with her death and could not pass on to the parents.
The recent decision of the BGH, which overturned the 2017 ruling, made it clear that data protection laws in this case did not cover the deceased.
If a case like this were to arise in this jurisdiction, a similar approach to the BGH would certainly be adopted in terms of deciphering the data protection rights of deceased persons. This is demonstrable in Article 4 (1) of the General Data Protection Regulation (the “GDPR”) which defines personal data as any information relating to an identified or identifiable natural person. Recital 27 of the GDPR expands on this and confirms that the GDPR does not apply to the personal data of deceased persons. Accordingly data protection rights will not provide a mechanism for organisations to refuse requests for access to the records of deceased relatives.