Data protection and privacy in France

Data protection and privacy in France

Data protection and privacy in France

Click here to view original web page at Data protection and privacy in France

Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The legislative framework for the protection of PII in France is one of the oldest in Europe as it is based on the Law on Computer Technology and Freedom dated 6 January 1978 (Loi Informatique et Liberté, or LIL). This law has been amended several times since then, and especially by:

  • Law No. 2004-801 dated 6 August 2004 to implement the provisions of Directive 95/46/CE;
  • Law No. 2016-1321 dated 7 October 2016, which anticipates the implementation of certain provisions of the EU General Data Protection Regulation 2016/679 (GDPR);
  • Law No. 2018-493 of 20 June 2018 , which implements the GDPR in France and further amend the LIL;
  • Ordinance No. 2018-1125 of 12 December 2018 and Decree No. 2019-536 of 29 May 2019, which complete at the legislative level the compliance of the national law with the GDPR and redraft the LIL for a better readability and urderstanding of the law.

As a regulation, the GDPR has been directly effective in France since 25 May 2018.

Furthermore, the following international instruments on privacy and data protection also apply in France:

  • the Council of Europe Convention 108 on the Protection of Privacy and Trans-Border Flows of Personal Data;
  • the European Convention on Human Rights and Fundamental Freedoms (article 8 on the right to respect for private and family life); and
  • the Charter for Fundamental Rights of the European Union (article 7 on the right to respect for private and family life and article 8 on the right to the protection of personal data).

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The data protection authority in France is the National Commission for Data Protection and Liberties (CNIL). The CNIL is an independent public body entrusted with the following powers.

Powers of sanction

The maximum threshold of penalties that the CNIL can pronounce has been increased from €150,000 to €20 million or 4 per cent of world turnover for companies since the GDPR.

The CNIL can now compel sanctioned entities to inform each data subject individually of this sanction at their own expense.

It may also impose financial penalties without prior formal notification by the bodies where the failure to fulfil obligations cannot be brought into conformity.

It can also limit temporarily or definitively a specific processing.

Control and investigation powers

The CNIL is vested with investigation and control powers that allow its staff to have access to all professional premises and to request, on the spot, all necessary documents and to take a copy of any useful information. CNIL staff can also access any computer programs linked to the processing of PII and to recorded information. The CNIL can also conduct a documentary control where a letter accompanied by a questionnaire is sent to a PII controller and/or processor to assess the conformity of processing operations carried out by them or an online investigation, in particular by consulting data that are freely accessible or made directly accessible online, including under a fake identity.

In 2019, the CNIL will focus its supervisory action on three main themes, directly resulting from the entry into force of the GDPR:

  • respect of the rights of the data subjects;
  • the processing of minors’ data; and
  • the sharing of responsibilities between controllers and processors.

Regulatory powers

The powers of the CNIL have recently been extended, as it will have to be consulted for every bill or decree related to data protection and processing. Opinions will automatically be published.

The CNIL is also entrusted with the power to certify, approve and publish standards or general methodologies to certify the compliance of personal data anonymisation processes with the GDPR, notably for the reuse of public information available online.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?

If the owner or processor of PII carries out cross-border processing either through multiple establishments in the EU or with only a single establishment, the supervisory authority for the main or single establishment acts as lead authority in respect of that cross-border processing.

As lead authority, the CNIL must cooperate with the data protection authorities in other member states where the owner or the processor is established, or where data subjects are substantially affected, or authorities to whom a complaint has been made. Specifically, the CNIL has to provide information to other data protection authorities and can seek mutual assistance from them and conduct joint investigations with them on their territories.

More generally, the CNIL is required to provide assistance to other data protection authorities in the form of information or carrying out ‘prior authorisations and consultations, inspections and investigations’. The European Commission can specify forms and procedures for mutual assistance. The CNIL could also participate in joint investigation and enforcement operations with other data protection authorities, particularly when a controller has an establishment on its territory or a significant number of its data subjects are likely to be substantially affected.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Failure to comply with data protection laws can result in complaints, data authority investigations and audits, administrative fines, penalties or sanctions, seizure of equipment or data, civil actions (including class actions that have been introduced by Law No. 2016-1547 dated 18 November 2016 for the Modernisation of the 21st Century Justice), criminal proceedings and private rights of action.


When the CNIL finds a PII owner to be in breach of its obligations under the LIL, as a preliminary step the CNIL chairman may issue a formal notice for the PII owner to remedy the breach within a limited period of time. In cases of extreme urgency, this period may be reduced to 24 hours.

When the breach cannot be remedied in the context of a formal notice, the CNIL may impose one of the following sanctions without prior formal notice of adversarial procedure:

  • a formal warning notification;
  • a financial penalty; or
  • the withdrawal of the authorisation to operate the data processing.

When the PII owner complies with the terms of the formal notice, the CNIL chairman shall declare the proceedings closed. Otherwise, the competent committee of CNIL may, after a contradictory procedure, pronounce one of the following penalties:

  • a warning notification;
  • a financial penalty, except when the PII owner is a public authority;
  • an injunction to cease treatment; or
  • the withdrawal of the authorisation granted by the CNIL for the data processing concerned.

In case of emergency and infringement to civil rights and freedoms, the CNIL may, after an adversarial procedure, take the following measures:

  • the suspension of the operation of data processing;
  • a formal warning;
  • the lockdown of PII for a maximum of three months (except for certain processing carried out on behalf of the French Administration); or
  • for certain sensitive files of the French Administration, the Prime Minister is given information in order for him to take the necessary measures to remedy the breaches.

In the event of a serious and immediate violation of rights and freedoms, the chairman of the CNIL may request, by summary application, the competent judge to order any necessary security measures.

The CNIL may also inform the public prosecutor that it has found infringements of data protection law that are criminally sanctionable.

Publicity of the penalties

The CNIL can make public the financial penalties that it pronounces. The inclusion of these sanctions in publications or newspapers is no longer subject to the condition of bad faith of the entity concerned.

Criminal sanctions

Infringements to data protection law may be punished by imprisonment for a maximum period of five years and a criminal fine up to €300,000 (articles 226-16 to 226-22-1 of the Criminal Code). However, criminal sanctions are hardly ever pronounced.


Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The LIL is generally applicable to all public bodies and all non-public entities that process PII and intends to cover all sectors. However, certain processing carried out by public authorities is subject to specific obligations that differ from the general obligations imposed upon private entities, for example:

  • processing of PII by public bodies for reasons of national security is subject to a specific regime supervised by the executive power; and
  • processing of PII managed by judicial authorities related to offences, convictions and security measures is subject to a specific regime supervised by the executive power.

The following categories of data processing fall outside the scope of the LIL:

  • processing of PII solely for journalistic or artistic purposes; and
  • processing of PII by a natural person in the course of a purely personal or household activity.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The LIL does not cover the interception of communications nor surveillance of individuals when implemented for public interest purposes.

This is subject to the authority of a dedicated public authority, the National Commission for Monitoring Intelligence Techniques. This field is regulated by several laws, mainly Law No. 91-646 of 10 July 1991 and Law No. 2015-912 of 24 July 2015.

Electronic marketing is subject to the Postal and Electronic Communication Code (article L. 34-5 et seq) and to the Consumer Code (article L. 121-20-5 et seq).

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Processing of health PII is subject to the provisions of the Public Health Code as well as to the LIL.

The solicitation by automatic calling machines, email or fax, and the sale or transfer of PII for prospecting purposes using these, is subject to the provisions of the Postal and Electronic Communications Code.

PII formats

What forms of PII are covered by the law?

The LIL is aimed at covering all forms of PII, which means any information relating to an individual who is identified or who could be directly or indirectly identified, by reference to an identification number or to the combination of one or several elements.

In addition, the LIL applies to automatic processing and to non-automatic processing of PII that forms part of a filing system (or is intended to form part of a filing system), with the exception of processing carried out for personal purposes. Accordingly, even records of PII in paper form may be subject to the LIL.


Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The LIL applies to processing of PII carried out by a PII owner:

  • who is established in France, whether or not the processing takes place in France. In this context, ‘establishment’ is broadly interpreted as it refers to all sorts of ‘installation’, regardless of its legal form; or
  • who is not established in France, but who uses a means of processing located in French territory, for instance, hosting data, internet service provider, cloud services, among others.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

In principle, the LIL applies to all processing of PII, with the exception of that carried out for purely personal purposes. The controller determines the purposes for which and the means by which PII is processed, whereas the processor processes PII only on behalf of the controller. The duties of the processor towards the controller must be specified in a contract or another legal act.

In principle, the PII controller is the principal party for responsibilities such as collecting consent, enabling the right to access or managing consent-revoking. However, the GDPR introduces direct obligations for PII processors (including security, international transfers, record keeping, etc) and thus they can be held directly liable by data protection authorities for breaches of the GDPR and the LIL.

Controllers and processors are also jointly and severally liable where they are both responsible for damage caused by a breach.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Every collection, processing or use of PII needs to be justified under French data protection law. In principle, the ground for legitimate processing must be the consent of the data subject, but the LIL introduced statutory legal exemptions to obtain the consent of the data subject for some processing when it is carried out for the following purposes:

  • the respect of a legal obligation of the data controller;
  • the protection of the data subject’s life (interpreted restrictively);
  • the performance of a public service mission entrusted to the data controller or the data recipient;
  • the performance of either a contract to which the data subject is a party or steps taken at the request of the data subject prior to entering a contract; or
  • the pursuit of the data controller’s or the data recipient’s legitimate interest provided such interest is not incompatible with the fundamental rights and interests of the data subject.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

French law is more restrictive for the processing of specific types of PII, known as sensitive personal data. As a matter of principle, processing of sensitive data is prohibited.

The LIL provides a non-exhaustive list of sensitive PII by nature, which is PII that reveals, directly or indirectly, the racial and ethnic origins, the political, philosophical, religious opinions or trade union affiliation of individuals, or that concerns their health or sexual life. This category of sensitive data by nature can only be processed in the following cases, among others:

  • the data subject gave prior express consent;
  • the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving his or her consent;
  • the processing is carried out by a foundation, association or any other non-profit organisation with political, philosophical, religious or trade union objectives, in the course of its legitimate activities;
  • the processing relates to PII that has been made public by the data subject; or
  • the processing is necessary for the establishment, exercise or defence of legal claims.

In relation to the use of PII in the employment context, the CNIL published several opinions on monitoring the activities of employees, video surveillance, discrimination, localisation data and collection of PII in the recruitment process. Moreover, in France, employers cannot rely on consent for processing involving PII of its employees, since the employees cannot freely consent as they are by nature subordinated to the employer.

Moreover, processing can be prohibited due to its context, such as the processing of PII relating to offences, convictions and security measures, which can only be carried out by a limited number of specific entities.

Furthermore, according to the law on the protection of personal data, a minor may consent to the processing of personal data alone with regard to the offer of information society services from the age of 15, which differs from the threshold of 16 years provided in the GDPR.

The law on the protection of personal data establishes a principle of prohibition of decisions producing legal effects on the sole basis of automated processing, including profiling intended to define the profile of the person concerned or to evaluate certain aspects of his or her personality. Such a provision maintains a certain gap with the GDPR, since the law is based on a prohibition in principle of such automated processing while the GDPR refers to an ‘individual right’ of the person concerned ‘not to be the subject of a decision based solely on automated processing, including profiling’.

Data handling responsibilities of owners of PII


Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

As a general rule, data subjects shall be provided with the following information when their PII is collected:

  • the identity of the data controller;
  • contact details for the data protection officer, where applicable;
  • the purposes and the legal basis of the processing;
  • the category of personal data;
  • when PII is collected via a questionnaire, whether replies to the question are compulsory or optional;
  • the consequences of an absence of reply;
  • the categories of recipients of the data;
  • information on the data subject’s rights and the method to be used to exercise them (ie, the right to access the collected PII and to rectify, complete, update, block or delete it if inaccurate, incomplete, equivocal or expired; and the right to direct the use of their PII after their death);
  • the intended transfer of PII outside the EEA;
  • the storage duration or the criteria that will be used to determine the duration;
  • the right to lodge a complaint with a supervisory authority; and
  • the existence of automated decision-making, including profiling and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject.

Where the data was not obtained from the data subject, the information must be provided at the time of recording of the personal data or, if disclosure to a third party is planned, no later than at the time the data is disclosed for the first time.

Exemption from notification

When is notice not required?

Notice is not required if the data subject already received such information. Furthermore, in cases where the data subject did not provide his or her PII directly, the data controller is exempted from the notification obligation if:

  • informing the data subject proves impossible or would involve a disproportionate effort, in particular in the context of statistical, historical or scientific research, or for the purpose of medical examination of the population with a view to protecting and promoting public health;
  • the data subject already has the information;
  • the PII is recorded only to comply with statutory and legal obligations; or
  • the PII must remain confidential subject to an obligation of professional secrecy regulated by EU or member state law, including a statutory obligation of secrecy.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

The LIL grants rights to data subjects allowing them to have some control over the use of their PII. The relevant rights in this field are notably the right to rectify inaccurate or out-of-date PII, and the right to be forgotten, in order to obtain the deletion of such PII (see question 38).

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

As a general rule, the PII controller shall ensure that the processed PII is adequate, relevant and not excessive in relation to the purposes for which it is collected and for onward processing. In addition, the PII owner shall also ensure that PII is accurate, complete and, if necessary, updated. In this respect, the law provides that the PII owner shall take appropriate measures to ensure that inaccurate or incomplete data for the purposes for which it is collected or processed is erased or rectified.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

PII owners are required to limit the processing of PII to what is strictly necessary for the purpose of the processing. The amount of PII collected and processed must be proportionate to the purposes of the processing.

The LIL also provides that the PII must only be kept in a form enabling the data subject to be identified for a period that does not exceed the time necessary for the purposes for which the PII is collected and processed. Accordingly, if the legitimate ground of the processing has disappeared or expired, the controller should erase, anonymise or pseudonymise the PII.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

The finality principle is a core principle of data protection regulation in France. PII can only be collected for specified, explicit and legitimate purposes and must not be further processed in a way incompatible with those purposes.

Furthermore, the CNIL already encourages PII controllers to implement the ‘data minimisation’ principle (which is consecrated in the GDPR), as well as the systematic use, where applicable, of anonymisation and pseudonymisation techniques.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

PII can be processed for new purposes provided that such onward processing is not incompatible with the initial purposes for which the PII was collected and subject to the data subject’s rights and the principle of data minimisation.

Processing of PII for new purposes when such purposes are statistical, historical or medical research is generally considered as compatible with the initial purpose.

Processing of PII for new purposes even incompatible with the initial purpose is also possible with the prior consent of the data subject.


Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

Data controllers must protect PII against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks.

Data controllers are required to take steps to:

  • ensure that PII in their possession and control is protected from unauthorised access and use;
  • implement appropriate physical, technical and organisational security safeguards to protect PII; and
  • ensure that the level of security is appropriate with the amount, nature and sensitivity of the PII.

The CNIL issued guidelines on 23 January 2018 on the security measures to be implemented by data controllers, in line with the requirement of the GDPR, to guarantee the security of personal data processing. These guidelines encourage data controllers to perform a privacy impact assessment, which shall be carried out in consideration of the two following pillars:

  • the principles and fundamental rights identified as ‘not negotiable’, which are set by law and must be respected. They shall not be subject to any modulation, irrespective of the nature, seriousness or likelihood of the risks incurred; and
  • the management of risks on data subjects that allows data controllers to determine which appropriate technical and organisational measures shall be taken to protect the PII.

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

With the GDPR, there is a general obligation for PII controllers to report PII data breaches to the CNIL without undue delay and, where feasible, not later than 72 hours after becoming aware of it. However, an exception to this notification exists when the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, reasons will have to be provided to the supervisory authority.

The notification shall at least:

  • describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the owner to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Moreover, when the data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall notify the data breach to the data subject without undue delay. This notification can be waived if the CNIL considers that:

  • the controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  • appropriate technical and organisational protection was in place at the time of the incident (eg, encrypted data); or
  • the notification would trigger disproportionate efforts (instead a public information campaign or ‘similar measures’ should be relied on so that affected data subjects can be effectively informed).

The PII owner must keep an updated record of all PII breaches, which must contain the list of conditions, effects and measures taken as remedies. This record must be communicated to the CNIL on request.

Failure to meet the above requirements exposes the owners of PII to an administrative fine of up to €10,000,000 or, in case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Providers of electronic communication services are also subject to an obligation to notify the CNIL within 24 hours in the event of a PII breach. In this respect, when the PII breach may affect PII or the privacy of a data subject, the PII controller shall also notify the concerned data subject without delay.

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

Controllers and processors may decide to appoint a data protection officer (DPO). However, this is mandatory for public sector bodies, those involved in certain listed sensitive processing or monitoring activities or where local law requires an appointment to be made.

The DPO assists the owner or the processor in all issues relating to the protection of the PII. In a nutshell, the DPO must:

  • monitor compliance of the organisation with all regulations regarding data protection, including audits, awareness-raising activities and training of staff involved in processing operations;
  • advise and inform the owner or processor, as well as their employees, of their obligations under data protection regulations;
  • act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights; and
  • cooperate with the data protection authorities (DPAs) and act as a contact point for DPAs on issues relating to processing.

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

PII controllers are required to maintain a record of processing activities under their responsibilities as referred to in article 30 of the GDPR. Processors of PII are also required to maintain such a record about personal data that controllers engage them to process.

While an exemption from the above obligations applies to organisations employing fewer than 250 people, this exemption will not apply where sensitive data is processed and where owners or processors of PII find themselves in the position of:

  • carrying out processing likely to result in a risk (not just a high risk) to the rights of the data subjects;
  • processing personal data on a non-occasional basis; or
  • processing sensitive data or data relating to criminal convictions.

New processing regulations

Are there any obligations in relation to new processing operations?

Since the GDPR is directly effective in France, controllers and processors of PII are required to apply a privacy-by-design approach by implementing technical and organisational measures to show that they have considered and integrated data compliance measures into their data-processing activities. These technical and organisational measures might include the use of pseudonymisation techniques, staff training programmes and specific policies and procedures.

In addition, when processing is likely to result in a high risk to the rights and freedoms of natural persons, owners and controllers are required to carry out a detailed privacy impact assessment (PIA). Where a PIA results in the conclusion that there is indeed a high, and unmitigated, risk for the data subjects, controllers must notify the supervisory authority and obtain its view on the adequacy of the measures proposed by the PIA to reduce the risks of processing.

Controllers and processors may decide to appoint a DPO (see question 22).

Registration and notification


Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

PII controllers or processors are not required to register with the CNIL.

Since the entry into force of the GDPR, owners and processors no longer have the obligation to declare the PII processing they carry out to the CNIL.

However, the law on personal data maintains the requirement of a prior authorisation from the CNIL for the following processing:

  • of biometric or genetic data by the state;
  • for research, study or evaluation in the field of health.


What are the formalities for registration?

The formalities of registration for data processing requiring prior authorisation must be performed for each new PII processing operation.

The formalities are free of charge and can be realised on the CNIL’s website and are non-renewable since they remain valid for the whole duration of the processing. The following information must be provided:

  • the identity and the address of the data controller;
  • the purposes of the processing and the general description of its functions;
  • if necessary, the combinations, alignments or any other form of relation with other processing;
  • the PII processed, its origin and the categories of data subjects to which the processing relates;
  • the period of retention of the processed information;
  • the department responsible for carrying out the processing;
  • the authorised recipients to whom the data may be disclosed;
  • the function of the person where the right of access is exercised, as well as the measures relating to the exercise of this right;
  • the steps taken to ensure the security of the processing and data, the safeguarding of secrets protected by law and, if necessary, information on recourse to a sub-contractor; and
  • if applicable, any transfer of PII that is envisaged outside of the EEA.


What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

Failure to comply with the registration obligation can be punished by imprisonment for a maximum period of five years and a criminal fine of up to €300,000 (article 226-16 and 226-16-1 A of the Criminal Code).

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

The CNIL can refuse its registration if some of the information to be provided is missing or if the PII collected for the processing is too broad in relation to its purpose. In such cases, the PII owner cannot carry out the intended data processing. Failure to comply with a refusal of the CNIL to authorise processing is subject to criminal sanctions (see question 27).

Public access

Is the register publicly available? How can it be accessed?

On 30 August 2017, the CNIL published on its website a register that lists the formalities completed since 1979 by data controllers (public and private). This register can be consulted freely, with ease, via the CNIL website.

Effect of registration

Does an entry on the register have any specific legal effect?

The PII controller may only be allowed to start carrying out the processing upon registration and receipt of authorisation from the CNIL.

The registration as such does not exempt a data controller from any of its other obligations. After the registration, data controllers still need to ensure that the processing complies with the information disclosed in the notification and with data protection standards.

Other transparency duties

Are there any other public transparency duties?

Not to our knowledge.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

Under the LIL regime, any person that processes PII on behalf of the data controller is regarded as a processor. The processor may only process PII under the data controller’s instructions.

When a data controller outsources some of its processing or transfers PII in relation with such processing to a sub-contractor (ie, a data processor), it must establish an agreement with that processor.

This agreement shall specify the obligations incumbent upon the processor as regards the obligation of protection of the security and confidentiality of the data and provide that the processor may act only upon the instruction of the data controller.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

Generally, there are no specific restrictions on the disclosure of PII other than the general data protection principles provided by the LIL.

Nevertheless, disclosure of sensitive PII such as health data is limited to certain institutions and professionals, unless the data controller has obtained a specific and express consent of the data subject for the disclosure of such PII.

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

PII can be transferred freely to other countries within the EEA, as well as to countries recognised by the European Commission as providing an ‘adequate level of data protection’.

Such transfers of PII from France are permitted to Canada (under certain conditions), Switzerland, Argentina, Guernsey, the Isle of Man, Jersey, the Faroe Islands, Andorra, Israel, Uruguay and New Zealand.

Furthermore, transfers of PII from France to recipients established in the US are permitted to the extent that they are registered under the Privacy Shield certification.

Moreover, a controller or processor may transfer PII to other countries, or to recipients in the United States who have not chosen to sign up to the Privacy Shield, only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The appropriate safeguards may be provided for by:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules approved by the CNIL;
  • standard data protection clauses – model clauses designed by the European Commission to facilitate transfers of personal data from the EU to all third countries, while providing sufficient safeguards for the protection of individuals’ privacy; or
  • a code of conduct approved by the CNIL, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  • a certification mechanism approved by the CNIL together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

Subject to the authorisation from the CNIL, the appropriate safeguards may also be provided for, in particular, by:

  • contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  • provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

However, in the absence of an adequacy decision or of appropriate safeguards as descried above, a transfer of personal data to a third country or an international organisation shall take place if:

  • the data subject has explicitly consented to its transfer after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or
  • the transfer is necessary under one of the following conditions:
    • protection of the data subject’s life;
    • protection of the public interest;
    • to meet obligations ensuring the establishment, exercise or defence of legal claims;
    • consultation of a public register that is intended for public information and is open for public consultation or by any person demonstrating a legitimate interest;
    • performance of a contract between the data controller and the data subject, or of pre-contractual measures taken in response to the data subject’s request; or
    • conclusion or performance of a contract, either concluded or to be concluded in the interest of the data subject between the data controller and a third party.

Data controllers must inform data subjects of the data transfer and provide the following information:

  • the country where the recipient of the data is established;
  • the nature of the data transferred;
  • the purpose of the transfer;
  • categories of the recipients; and
  • the level of protection of the state concerned or adopted alternative measures.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

The cross-border transfer must be approved by the CNIL when it is based on:

  • contractual clauses concluded between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  • provisions inserted into administrative arrangements between public authorities or public bodies which include enforceable and effective data subject rights.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

Restrictions on cross-border transfers apply to transfers from the PII owner based in France to a data processor outside of the EEA. Onward transfers are in principle subject to the restrictions in force in the recipient’s jurisdiction. By exception, SCCs contain specific requirements for onward transfers.

Rights of individuals


Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Data subjects have a right to ‘access’ the PII that a controller holds about them.

Data subjects can exercise their right of access by sending a signed and dated access request, together with proof of identity. Data subjects can request that the PII owner provides the following information:

  • confirmation as to whether the controller processes the data subject’s PII;
  • information related to the purposes for which the PII is processed, and the recipients or categories of recipients to whom the PII is or has been provided;
  • where applicable, information related to cross-border data transfers;
  • the logic involved in any automated decision making (if any);
  • the communication, in an accessible form, of personal data concerning the data subject as well as any information available as to the origin of the data; and
  • information allowing the data subject to know and to contest the logic underlying the automated processing in the event of a decision taken on the basis of it and producing legal effects with regard to the person concerned.

The controller may oppose manifestly abusive access requests, in particular with respect to their excessive number or repetitive or systematic nature. In the event of a claim from the data subject, the burden of proving the manifestly abusive nature of the requests lies with the PII owner to whom they are addressed.

The right of access may be denied when the personal data is kept in a form that excludes any risk of invasion of the privacy of the data subjects (ie, if PII is pseudonymised or anonymised) and for a period not exceeding what is necessary for the sole purpose of statistical, scientific or historical research.

Other rights

Do individuals have other substantive rights?

In addition to the right of access described above, data subjects are granted the rights described below. When PII has been collected by electronic means, the data subjects must be provided with a way to exercise their rights using electronic means.

Right to object

Data subjects have the right to object to the processing of their PII on legitimate grounds, unless the processing is necessary for compliance with a legal obligation or when the act authorising the processing expressly excludes the data subjects’ right to object.

Data subjects also have the right to object, at no fee and without justification, to the use of PII related to them for the purposes of direct marketing by the PII owner or by an onward data controller.

Right to correct

Upon proof of their identity, data subjects may require the PII owner to correct, supplement, update, lock or erase personal data related to them that is inaccurate, incomplete, equivocal or out of date, or whose collection, use, disclosure or storage is prohibited.

When the concerned PII has been transmitted to a third party, the data controller must carry out the necessary diligence to notify such third party of the modifications operated in accordance with the data subjects’ request.

Right to be forgotten

Data subjects have the right to request the PII controller to erase personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay, in particular where one of the following grounds applies:

  • the PII is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  • the PII has been unlawfully processed;
  • the PII has to be erased for compliance with a legal obligation in EU or member state law to which the controller is subject; or
  • the PII has been collected in relation to the offer of information society services.

Right to be forgotten for children

Data subjects have the right to request the PII controller to erase without undue delay the personal data that has been collected in the context of the provision of information society services where the data subject was under age at the time of collection. When the PII controller has transmitted the concerned data to another PII owner, the data controller shall take reasonable measures, including technical measures, to inform the onward PII owner of the data subject’s request for the deletion of any link to the data, or any copy or reproduction thereof.

This is unless the data processing is necessary:

  • to exercise the right to freedom of expression and information;
  • to comply with a legal obligation requiring the processing of such data or to carry out a task in the public interest or in the exercise of the public authority entrusted to the controller;
  • to public health;
  • to archival purposes of public interest, for scientific or historical research or for statistical purposes; or
  • to establish or exercise legal rights.

Right of data portability

Data subjects have a right to:

  • receive a copy of their personal data in a structured, commonly used, machine-readable format that supports re-use;
  • transfer their personal data from one controller to another;
  • store their personal data for further personal use on a private device; and
  • have their personal data transmitted directly between controllers without hindrance.

‘Digital death’

Data subjects have the right to set guidelines for the retention, deletion and communication of their personal data after their death.


Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Individuals may claim for damages when they are affected by a breach of the LIL that qualifies as a criminal offence subject to the referral to criminal jurisdiction.

In this case, compensation may amount to the total amount of damage endured by the individual, which includes moral damages or injury to feelings.


Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Where the data controller does not answer or refuses to grant the right to the data subjects’ request, the latter can refer to the CNIL or a judge to obtain interim measures against the data controller.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

Not applicable.


Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

PII owners can appeal against orders or sanctions pronounced by the CNIL in front of the Supreme Court for the administrative order (the Council of State).

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

Data controllers may install cookies or equivalent devices subject to the data subject’s prior consent. Such consent may derive from the browser or other application settings. The following categories of cookies require the prior consent of the data subject:

  • cookies related to targeted advertising;
  • social networks’ cookies generated in particular by their buttons of sharing when collecting personal data without the consent of the persons concerned; and
  • analytics cookies.

As regards analytics, the CNIL considers that these cookies may be exempted from prior consent subject to the following:

  • information must be given to users who must be able to oppose processing (this opposition must be possible from any terminal);
  • the data collected must not be cross-checked with other processing (client files or statistics of attendance of other sites, for example);
  • the cookies must be used only for the purpose of anonymous statistics and should not allow the tracking of navigation on different sites;
  • raw attendance data associating an identifier must also not be retained for more than 13 months; and
  • the use of an IP address to geolocate the user should not allow the street to be determined: only the first two bytes of the IPv4 addresses can be preserved and possibly used for delocalisation (for IPv6 only the first six bytes can be retained).

Implied consent is now accepted and companies must implement a two-step approach for obtaining consent.

Data controllers must use a banner providing the following information to the website user:

  • purposes of the cookies;
  • the possibility to object to the use of cookies and to modify settings by clicking on a link (made available in the cookie banner). Such link must describe the operations to be carried out by the data subject to disable the cookies;
  • that further navigation on the website constitutes valid consent to the storage of cookies on their device; and
  • an explanation of how disabling cookies might affect the data subject’s use of the website or app.

The CNIL recommends that to ensure that the data subject’s consent is unambiguous, the banner shall not disappear until the individual continues to navigate on the website, for example, by clicking on an element of the website or navigating to another page of the website.

The CNIL considers that the consent given by the data subject is only valid for 13 months. After this period, the consent of data subjects shall be collected again with the same conditions. Accordingly, the cookies’ lifetime shall be limited to 13 months from the date of the first deposit on the user’s device. New visits of the user to the website shall not automatically extend the cookies’ lifespan.

In addition, data subjects shall be provided with an easy way to withdraw their consent to the deposit of cookies at any time.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

Sending unsolicited marketing messages is prohibited without the prior consent of the recipient. Such consent of the data subject cannot derive from:

  • a pre-ticked box; or
  • general acceptance of terms and conditions.

Under the following conditions, the prior consent of the data subject is not required to address unsolicited marketing messages:

  • when the information of the data subject has been collected on the occasion of a purchase in accordance with the applicable data protection rules;
  • the marketing messages concern products or services similar to those purchased by the data subject; and
  • the data subject is provided with an easy way to opt out of receiving marketing messages when the data is collected and with each marketing message.

In a B2B relationship, the prior consent of the recipient is not required provided that:

  • the recipient has been informed that his or her email address would be used to address marketing messages;
  • the recipient has the possibility to oppose the use of his or her email address for the purpose of direct marketing at the time of its collection and with each message; and
  • the marketing messages must be in relation to the recipient’s profession.

Direct marketing by regular mail or telephone is not subject to the prior consent of the recipient, but the recipient has the possibility to object to it by signing up to an opt-out list. In France, this list is called Bloctel, which is the governmental opt-out list for telephone marketing.

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

There is no specific provision applicable to cloud computing in the LIL or the GDPR. The CNIL issued guidelines addressed to companies contemplating subscription to cloud computing services dated 25 June 2012. These guidelines contain seven recommendations by the CNIL that should be taken into account by data controllers when assessing the opportunity to migrate to cloud services, as well as a template clause to be inserted into agreements with cloud computing services providers.

The recommendations are to:

  • establish a precise mapping of the data and processing that will be migrating to the cloud and the related risks;
  • define technical and legal security requirements adapted to the categories of data and processing;
  • carry out a risk analysis to identify the security measures to be implemented to preserve the essential interests of the company;
  • identify the type of cloud services and data hosting appropriate with respect to all data processing;
  • select cloud service providers that provide adequate security and confidentiality guarantees;
  • review and adapt the internal security policies of the company; and
  • carry out regular assessments of the cloud services.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

Key developments of the past year46 Are there any emerging trends or hot topics in international data protection in your jurisdiction?

Since the implementation of the GDPR one year ago, many national data protection authorities have reported a sharp increase in the number of complaints. In France, the CNIL recently observed a 32 per cent increase in the number of complaints received in 2018, largely attributable to the RGPD. Indeed, the CNIL has received more than 11,900 complaints since May 2018. During the first nine months of the RGPD, the EDPB reported 144,376 complaints.

In the first major example, on 25 and 28 May 2018, the CNIL received group complaints from the associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). LQDN was mandated by 10,000 people to refer the matter to the CNIL. In the two complaints, the associations reproach Google for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes.

As a result, Google has been fined €50 million by the CNIL for not properly informing to its users how data is collected across its services to present personalised advertisements. The CNIL noticed that the information on the data-processing activities provided to users was neither easily accessible to users nor always clear or comprehensive.

The CNIL also observed that Google doesn’t properly obtain users’ consent to target them with personalised ads. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalisation is diluted in several documents and does not enable the user to be aware of their extent, with a several clicks required to access the full information. Therefore, the CNIL underlined that the user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc). However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.

Finally, we can also underlines that the CNIL is more likely to make public the sanctions that it imposes on the PII controller or processor.

How to settle your loved one’s digital estate

Giving up the ghost online and what it means to you

A GHOST tour in Edinburgh was where I first discovered the morbid truth about why Victorian headstones often had bells attached.

Buried by mistake? Ring urgently for service.

We’ve come a long way since then, and thanks to modern medicine can be certain when someone’s been ‘called home’ before doing the needful.

If you’re squirming a bit in your seat at the thought, it’s natural. The D word is nobody’s favourite and talking about it is the biggest slap in the face to any healthy dose of self-denial about what’s at the ‘end of the line’.

Anyway, let’s say you are doing a bit of planning and you’ve sorted out what to wear, who to invite and all that, then as a child of the Digital Age you must also put on your ‘to do’ list who can access your social media accounts and other digital assets when you’re gone.

Apparently it’s a bit of a grey area in legal circles and they want to do something about it.

At the helm is the NSW Law Reform Commission which his reviewing laws affecting life beyond your digital death.

Initially they’ve called for submissions from the legal profession and later in the year the public can throw in their two cents worth (and for those born after 1992, when the two-cent coin was demonetised, it means your opinion).

When making the review public, Attorney General Mark Speakman said: “In today’s hyper-connected world, an unprecedented amount of work and socialising occurs online, yet few of us consider what happens to our digital assets once we’re gone or are no longer able to make decisions.

“This is leading to confusion and complexity as family, friends and lawyers are left to untangle digital asset ownership issues, applying laws that were developed long before the arrival of email, blogs, social media and cryptocurrency.”

What the LRC is more worried about is who can access your digital stuff, but although it’s inappropriate to laugh at a time like this, this quote from Speakman was just a little bit ironic.

He said: “When a loved one passes away, bureaucratic hurdles and legal uncertainty are the last thing families and friends feel like confronting, so we need clear and fair laws to deal with these 21st Century problems.”

Bureaucratic hurdles and legal uncertainty are what families and friends are confronted with when a loved one passes away.

I suppose we’ve really only got ourselves to blame, being the most connected of all countries in the world. So, the review will focus on NSW, Commonwealth and international laws, including those relating to intellectual property, privacy, contract, crime, estate administration, wills, succession and assisted-decision making.

The LRC will scrutinise (their words, sounds expensive) the policies and terms of service agreements of social media companies and other digital service providers.

Facebook is at a bit of an advantage here already, having had lots of experience in this area.

On a more serious note, social media companies do handle sites of the deceased differently, from memorialising them to simply shutting them down.

Having a say in what you’d like to happen, particularly given there can be a story of a whole life recorded there, is important.

If you haven’t made arrangements for anyone to take control of your sites or access private emails, the LRC is considering whether additional privacy protections are needed.

The issue of ownership of digital assets upon death cuts across many different areas of law which is why it’s not clear and fair but complicated.

Here I was thinking I’d just leave a list of my 70,000 passwords for someone else to troll through my social media, blogs and websites if they could actually be bothered.

But really, who could forgo the opportunity to plan ahead by scheduling posts and memes to appear long after I’m gone, saying things like ‘I can see what you’re doing’ or ‘There is no Planet-B’.

Visit to read more.

The importance of digital asset planning explained

Creating a Digital Inheritance for Online Assets and Personal Data

We are holding increasingly valuable items online, but the law as to how such items pass on our death is far from clear. However, Google has become the first of the large internet service providers to address this problem with the launch of a tool that will allow users to pass their Google-run accounts to loved ones after they die.

Digital assets can include software, downloaded content, and even online gaming and gambling accounts. In Britain alone, The Economist has estimated holdings of digital music may be worth over £9 billion. It is, however, important to distinguish between what is an online asset and what is personal data and who can access your online accounts after you die.

Google has addressed the issue by announcing on 11 April 2013 that users can now specify which of their “trusted contacts” can access their accounts after they die, or alternatively to direct that their accounts be deleted. The wishes will be implemented after a fixed period of inactivity (a minimum period of three months). The wishes are set up through the “settings” option for the relevant account and effectively allow users to create an online Will. The tool applies to Google-run accounts such as Gmail, YouTube and web album Picasa.

Prior to this, it was uncertain whether family members would be permitted to access a loved one’s online assets and personal data after death, and this remains the case in respect of accounts with other internet service providers. The problems this can lead to are highlighted in the case of Benjamin Stassen in the United States of America.

The Case of Benjamin Stassen

Benjamin Stassen committed suicide in late 2010 without leaving a note. As personal representatives of his estate, his parents sought access to his online records for an explanation as to why he committed suicide. They contacted Google and Facebook asking the companies to release their son’s passwords so that they could access his Gmail and Facebook accounts. Google complied but for months Facebook refused on the grounds of privacy. It was only after the Stassens threatened further legal action that Facebook allowed them access, and even then it was on the basis that the Stassens did not share the content with third parties. Facebook made clear that they were making a unique exception and their policy remains that a user’s account cannot be accessed by their heirs after death.

Most online service providers bind users by their terms of business. Personal representatives can close a Facebook account or turn it into a ”memorial page” but cannot access it. Google will supply executors with copies of e-mails from a Gmail account but again will not allow access to a deceased user’s account.

Benjamin Stassen’s parents obtained a Court Order forcing Google and Facebook to give them access to their son’s records. Google complied with the Court Order. However, whilst the Order released Facebook from their duty of client confidentiality, the company is standing by its policy of not allowing personal representatives access to accounts, and to date has not allowed the Stassens access to their son’s account.

Personal Data

You can see why Facebook did not want to grant Benjamin’s parents access to his personal data. The law in relation to privacy is a tricky one. The law in the US is, of course, different to the law in England and Wales. In England there is no specific law about privacy. Article 8 of the Human Rights Act 1998 is often cited by celebrities in relation to a breach of privacy, but this only applies to state bodies and not individuals and there is no specific case law about the release of personal data to executors or personal representatives.

Online Assets

The emergence of cloud computing has led to assets being stored on remote servers which may be located in jurisdictions outside the UK. For example, Apple’s i-Cloud which stores music, films, TV and any other downloads made by a user together with e-mails and personal data. Apple’s policy is to delete all e-mail and data from i-Cloud following the death of a user. However all content downloaded on its i-Tunes service is subject to a licence which can be revoked on a user’s death. It is not clear how Apple will treat downloaded content following a user’s death but it seems that they would have the right to revoke the user’s licence and delete potentially valuable content.

As digital assets are not tangible property it seems unlikely that a person could bequeath their online music collection to beneficiaries in their Will in the same way as they would could leave, for example, their C.D. collection. This is because the C.D. collection is a physical object which can be left in a Will whereas digital assets are not defined by law in the same way.

Clearly the law in this area has not yet caught up with technology. However, enterprising companies have exploited the gap in the market for bequeathing digital assets. For example, Legacy Locker allows people to store online passwords so that executors and personal representatives can access online accounts following their death.

Creating an inheritance for your digital assets and data

The best way to deal with online assets and personal data is to leave specific instructions in a Will stipulating that executors may have access to online accounts and whether these accounts should be deleted after death. As a Will becomes a public document after death, it may not be wise to include passwords in the Will itself, in case a third party gains access to dormant accounts which have the same passwords. However, a Letter of Wishes, which is a personal document to executors, could be written setting out usernames, passwords and specific wishes in relation to individual accounts. In addition, those who have Google-run accounts should also update their settings for the relevant account to mirror the same wishes in case there are any problems with beneficiaries accessing the accounts with details given in the Letter of Wishes.

If a user has especially important online assets or data, such as valuable emails or photos, it would also be wise to create a hardcopy of these or save them to a disk or memory stick. Hardcopies can pass under a Will as physical property and will pass to whoever inherits the user’s personal effects (or the user can name a specific person to inherit them).

However notwithstanding these steps, executors are at the mercy of service providers and problems may be encountered if service providers do not recognise the consents given in a Letter of Wishes. There may also be jurisdictional issues at stake. However, for the present (or at least until other service providers follow Google’s example or a test case is taken), setting out express instructions in a Letter if Wishes gives the user the best chance of enabling his loved ones to inherit his personal digital effects.

Learn How to Preserve Your Data with Take Control of Your Digital Legacy

Life beyond the timeline: creating and curating a digital legacy

by Craig Bellamy

Abstract: The internet has steadily become integrated with our everyday lives, and it is scarcely worth remarking that the quotidian footprint we leave is increasingly digital. This being the case, the question of what will happen to our digital legacy when we die is an increasing important one. Digital accounts containing emails, photos, videos, music collections, documents of all kinds, social media content, eBooks and the like, all trace the life we have led, and if they are to be conserved and bequeathed, if family and friends are to benefit from this often highly emotive and evocative desiderata, if history is to be recorded, we need to prepare these accounts and assets for the inevitability of death. A difficulty though, is that the demands of curating such a legacy are formidable, the importance of creating digital archives from personal data contained in online accounts is not well-established in the public arena, and the products and services available to facilitate this are largely inadequate. Future generations and future historians are the poorer for this. In this presentation we will point out some of the difficulties involved in curating and bequeathing a digital legacy, and suggest a partial remediation.


For the celebrities of the 20th century a life in the public spotlight was a matter of record, with key events, relationships and achievements recognised and documented for private and public purposes. For these individuals, a legacy of letters, sound recordings, videos, private papers, personal records, photos, and films, all stored in many places and in many forms, needed to be captured, managed and curated for the historical record; to perhaps be donated to an institutional archive or given to family members for use in family histories and memoirs. It is arguable that today this situation has been democratised, and in a sense, everyone with access to digital technologies is a multimedia celebrity. In a digital age, “Evidence of Me…” abounds and Ann-Clare’s carbon-paper is not required (McKemmish 1996). Ordinary people are now routinely creating a digital record of their everyday life. For some, this record is a self-conscious autobiography. Digital media and social network sites are mobilised in order to create a reflexive social and personal identity; images are carefully selected and annotated; “likes” are used strategically; publics of various kinds are assembled to witness, and boundary work is conducted to define these publics; stories are told to create and maintain links between that online identity and those publics. Our personally constructed digital legacy will commonly include the contents of email accounts, the contents of social network accounts on services such as Facebook and LinkedIn, music accounts on services such as iTunes and Spotify, images on services such as Flickr and Instagram, videos on services such as YouTube, and documents of many kinds on cloud storage services such as DropBox.

In parallel, a distributed and diverse record is assembled across hundreds of online sites by default, as our digital inputs and outputs are routinely captured, stored and mined for the personal-profiling data used to inform those with an interest in commodifying our identity as consumers. In both these ways, in the course of everyday life, we are assembling a media legacy of considerable volume, personal importance, and arguably historical importance. For those with a sense that the accumulation of personal media is a form of self­witnessing, and the aggregation of this media narrates a form of autobiography, it is important not only that it be authored appropriately, but that it be successfully bequeathed. Our digital legacy represents a narrative of a life lived, is of obvious personal, familial and communal value, and is also of wider historical and social value. Histories told through the exploits of the great, the good and the powerful will no doubt continue to abound, but history also has a profound interest in the lives of ordinary people leading ordinary lives, and to the extent that these lives are digitally mediated, so too is the historical dataset.

There have been a number of practical responses to this relatively new demand, such as changes in policy by Google and Facebook, and the establishment of commercial “legacy management” service providers and private “digital registers” to accompany a last will and testament. However, online service providers could offer much more leadership in this respect, as there are few established mechanisms for re-purposing the digital artefacts of the deceased, or to ensure their long-term preservation. Similarly, professional archivists have paid scant attention to personal records, as compared to institutional and commercial records (Cunningham 1999; Hobbs 2001), and even less attention to the DIY archiving needs of ordinary people.

If capture and preservation is important, it is equally critical that some elements of a digital heritage are destroyed upon death, or at the very least, remain inaccessible. As many have found to their mortification, once moved online, files are reproducible, searchable, are often re-contextualised, and can be extraordinarily difficult to delete (e.g. Mayer­Schönberger, 2009); yet the sensibilities of loved ones, the management of reputation, and a defence against identity theft may well depend upon the ability to remove these records from penetrable digital spaces.

In either case, the question of the curation and bequeathing of a digital legacy must be addressed. The history of ordinary people, as told through their correspondence and their material possessions, has long been a precious resource for families and for historians alike. Businesses, institutions and other organisations have responded to the challenges of the storage and re-use of digital assets by building digital repositories at an institutional level, and at a national and international level. However, personal data – the quotidian data relating to an individual’s life – has until very recently been neglected in the debates and practices about digital archives and access to archives. In this context the problem of what happens to a digital legacy and how it may be passed from one generation to the next have become important questions.

The literature on questions related to death and the Internet is broad, covering many fields and approaches to study. There has been growing interest within the archival, library studies and digital humanities communities about the issues surround the preservation of personal data and the creation of ‘personal digital archives’, but few studies, with one notable exception (Bellamy et al 2013; Gibbs et al 2013b) focus specifically on death and bequeathment of data. The larger body of work on online memorialising has largely been positioned within a research approach that considers the psychology and sociology of grief and support, and this connects with a wider literature in the social sciences that examines death, grieving and memorialisation (e.g. Aries 1983; Hockey, Komaromy and Woodthorpe 2010; Kellehear 2007; Metcalf and Huntington 1991; Robben 2004).

Studies of online memorialisation have examined the extent to which the sites facilitate the sharing of grieving, remembering, commemorating and providing social support (e.g. Jones 2004; Gibson 2007; Roberts and Vidal 2000; Sofka 1997; Veale, 2003, de Veries and Rutherford, 2004; Walther and Boyd 2002). More recently, following the popularisation of social software, attention has turned to social networks with particular focus on the practices of teenagers (Carroll and Landry, 2010; Williams & Merten, 2009). Others have considered memorials and commemoration in other online place such as video games (Gibbs et al, 2012; 2013a; 2013b). More recently, so called RIP Trolling of memorial sites and attendant issues of responsibility have been considered (Phillips 2011, Kohn et al. 2012). Interaction designers have also become increasingly interested in addressing the many design challenges presented by the development of online memorial practices (Brubaker and Hayes 2011; Mori et al 2011; Odom et al. 2010) and have contrasted the way various online platforms shape commemorative practices (Mori et al 2012). Whilst there is a growing literature attending to practices and forms of online memorialisation, studies of the management of digital legacies have been limited (see, for example, Carroll and Romano, 2011).


To examine these issues the authors undertook a project funded by the Australian Communications Consumer Action Network – a peak-body consumer advocacy, research and education group whose work is focused on the Internet and telecommunications services. The project involved empirical research on consumer issues in planning and managing death online, and involved developing accessible educational materials for Australian consumers that summarised the social, legal and economic issues, and offered guidance for action (for the report see: Bellamy et al 2013). The advice offered was informed by primary sources such as the Terms of Use Agreements of popular internet sites and services, many secondary sources from the legal literature and elsewhere, and key-informant interviews with managers and policy makers drawn from relevant industries and professions. These industries and professions comprised telecommunications companies, social network software managers, intellectual property lawyers, professional archivists, online memorial companies, the Victorian State Trustees, and members of the clergy within Australia. The report provided an account of the legal situation as it pertains to a digital legacy, and provided what we were given to understand to be “best practice” in curating and archiving that legacy. In this paper we revisit this advice, and it will be seen in the account that follows, that though the suggestions may make sense in certain legal and archiving discourses and practices, there are significant problems in adhering to it on any sort of popular scale. We conclude that the steps suggested are not likely to produce the desired result.

We turn now to identify some of the issues associated with constructing a personal digital archive, to summarise the advice received on addressing these issues, and point to the problems associated with acting on this advice. We then conclude with a brief gesture towards a potential (if partial) remedy.

Problem: are these files mine, and who can access them?

The issue of who owns what in the digital realm is complex, is an important consideration in determining what may be archived and bequeathed to others, and is a major obstacle to curating a digital legacy. Ownership of emails, photos, blogs, web-sites and URLs, electronic documents, music files, the content uploaded to social media accounts and so on, usually depends in a legal sense upon the particularities of the Terms of Use Agreement that were entered into when the deceased signed-up for the online service. These terms of use set out the conditions of posthumous access to digital assets and their use Overarching contractual rights, intellectual property rights, and various forms of copyright law, all of which vary from jurisdiction to jurisdiction, further complicate the situation. Should the files in question (or copies of the files) be stored locally on a hard-disc, a USB stick or the like, the letter of the law may not make any practical difference to bequeathing the files, however, the recent stampede towards the use of cloud services makes it increasingly likely that one’s legacy is held remotely on a server, very often in another country and in another legal jurisdiction, and is only under one’s control with the grace of the service provider.

So while there are well-established procedures for locating, valuing and transferring ownership of material property such as real-estate or cars or books, the task of locating, accessing and disbursing digital assets after death is made more difficult by the ambiguity of ownership and terms of use that prevent third-party access. For example, online services such as Yahoo! have Terms of Use Agreements that disallow the transferring of an individual account to another individual, indeed “some [commentators] believe Yahoo!’s policies regarding customer information stored on its e-mail server are stricter than hospital policies regarding medical records” (Tarney 2012 p. 780) . Companies such as Yahoo! have agreed to provide a service to a named individual and the agreement and the service provided terminates upon that individual’s death, generally operationalised through a formal process, or after a minimum period of inactivity. Many years of photos, videos, text files and other digital files and documents uploaded to an online service may be lost forever if posthumous access to them is not arranged, or local copies are unavailable.

A common-sense solution to the problem of ambiguous ownership and granting third­party access is for the individual to provide a list of services (Flickr, PayPal, Facebook, Dropbox, etc.), and, for each service, to provide the relevant username and password, along with instructions for friends, relatives and the executor of the will to execute upon one’s death in a so-called “digital register” – further detail on this is provided later in the paper (Bellamy et al. 2013; Gibbs et al. 2013c). Common-sense though this may be, it is against the terms of agreement of many service providers who prohibit the provision of one’s username and password to a third party, and forbid any individual from accessing another person’s account, deceased or not. Many US based service providers are in this category. Other online service providers (such as Australia’s iiNet and Telstra) do allow this use of a digital register and consider an individual who has been given the username and password to be an authorised agent of the account’s owner. Of course, for all practical purposes, the identification of the person using the username and password is difficult to verify.

Another common sense solution is to maintain local copies of assets stored on the internet. Local copies are under direct rather than indirect control, and the problem of access is alleviated. In many cases local files pre-exist remote copies, as internet files are in fact copies of local files, but as the use of remote file-servers overtakes the use of local storage devices, and as applications increasingly save direct to these file-servers, this situation is unlikely to remain the standard. The local storage of files in addition to “Cloud” storage also generates its own problems – in particular problems of versioning, and of course does nothing to alleviate the problem of archival management, addressed next in the paper.

Problem: curating and bequeathing a local digital archive

Local copies of your files should be in a format that can be used at a later date and are of the best possible quality. There are a number of considerations here, in a situation where hardware, application software, file formats and operating systems all rapidly become redundant, but generally it is important that the files saved are in popular open-source formats that are in general use, such as JPEG or TIFF for images, or MP4 for video, and are transferred from old hardware to new as the new becomes mainstream. If a MS Word document can be saved as a plain text file or an RTF without losing too much of its structure, then it should be saved as a plain text file to obviate future dependence on proprietary software which may or may not exist for the next generation. Some organisations have published tips sheets on creating and maintaining digital archives (e.g. the National Archives of Australia), and the National Archives of the UK have some good guidance on selecting file types (see, for example,­formats.pdf).

Trained archivists recommend that personal archivists periodically download and archive all digital files (photos, tweets, videos, documents etc.), and store them locally on a removable storage device, such as a thumb-drive or portable hard-disk, in order to have personal control over that archive. Using this method it is possible to curate the storage disks in such a way that only the files that you wish to include are available to friends and relatives, or to future historians; it is possible to use a bespoke organisational structure that suits the files and their content, rather than relying on the default structure of the online service; and your archive is not dependent upon the good grace and continuing viability of a commercial entity.

Once all the relevant files are gathered locally in one place, they should be provided with the context that gives the file meaning and purpose for others. Following Haraway (1991) and others who have explored emergent and situated knowledges (Bhavnani, 1993; Feinberg, 2008; Ihde, 2012; Law, 2009; Sassower, 1994), the epistemological foundation of knowing is relational, and if making meaning and knowing is at all relational, it is relational in the case of legacy objects. For example, a photograph of the London Bridge not anchored by context invokes quite a different meaning when situated as holiday snap taken three weeks before the death of spouse. A way to begin to provide context is with a simple folder structure. There are no strict rules here, but generally the simpler and more straight-forward the better (such as ‘family photos’, ‘Europe trip 2010’, ‘Pam’s music’, ‘emails to Gavin’ and so on). ‘Metadata’ or contextual information about the items should also be placed in the folder so others know of its context and potential significance. This may be in the form of a simple text file that describes what is in the folder, where it was created and why, dates, and any other important information considered relevant for use in a family archive, but it can work down to fine-grain detail related to each file. Also consider using face-recognition software such as Google’s Picasa to automatically name-tag all the individuals in your photos for the benefit of future generations.

With all the data arranged in folders and in one-place, it may be then placed on a removable storage disk. Storage devices such as DVDs, CD ROMS, and Flash discs should not be used because they are fast-changing formats and may not be accessible in the future. It is recommended to use two removable hard-disks, one to be kept in a safe location and one to be given to a trusted friend. The discs must be updated regularly to make sure they contain relevant information, and also the actual discs should be replaced every 2-5 years, and should be replaced with new storage technologies as they become standard.

Digital preservation is an active and ongoing process and it is important to intervene in the process and manage digital legacies over time. Another tried and trusted method is to print out important documents and images and store them in a filing cabinet as paper remains one of the most enduring preservation formats.

In very recent times, online companies have provided facilities to download and archive personal data. For instance:

  • Facebook allows individuals to download all the information they have shared on their timeline including photos, status updates, and comments. There are also expanded options that allow individuals to view cookies, logins, logouts and almost any other way of interacting with the site (See:
  • Twitter also now allows individuals to download their entire twitter archive from
    the beginning (See:
  • YouTube allows users to download and archive all YouTube uploads in the original uploaded format (See:­archive-your-entire-youtube-library).
  • Also, Google’s take-out service allows users to download and archive data from many of their Google services (See:
  • Downloading and archiving an online Gmail or Hotmail account is a little more difficult as it requires the installation of a local software application such as Thunderbird to download all the emails so that they can be read and stored locally. Once emails have been downloaded, it is possible to export them in different formats and in complete folders. The emails can be associated with a particular project or a particular family member or friend. Other emails that are either personal or irrelevant can be deleted.

These downloading facilities are welcome, as is the advice of archivists, but the task of local archiving remains onerous in the extreme. Can we really expect people to engage in the time consuming and non-trivial task of categorising tens of thousands, or in many cases, hundreds of thousands of files, determining which are to be archived and bequeathed and which are to destroyed, then providing the metadata for future generations to make sense of the files, then writing them to synchronised hard-disks and ensuring the security and working order of those disks, and of course, doing this time after time, year after year, to ensure currency and completeness? This is not being done on any sort of scale, and there is clearly a lot of work to be done to make this a practicable and commonly performed task.

We move now to consider the particular media that may be included in an archive.

Problems curating and bequeathing digital music and eBooks

We all know that we can learn a lot about a person by flicking through their music collection or by examining their book shelves. We also know that music and literature is precious, and collections spanning decades make for a very valuable legacy for loved ones. Books and music speak of one’s sensibilities – intellectual and emotional – and speak of one’s shaping by a culture, and are integral to a personal legacy. Passing on physical vinyl records, CDs and books is easy; passing on digital music and eBooks is more problematic.

Digital music is usually licenced for individual use and thus cannot be legally bequeathed to another. Companies such as Apple have complex consumer software licences that once agreed are binding, and certain legal rights are established (as when a document is signed). In effect, when using a service such as iTunes the individual is licenced to listen to the music file, but does not own the music file. The licenses are in place to protect the producers of the music, who pass it to Apple under the provision that Apple will protect their interests over the interests of the consumers.

A few of the important considerations of Apple’s Terms of Agreement is that Apple will not replace digital files, files can only be downloaded once, and the unauthorised transfer of files is illegal under copyright law. If a file is lost, Apple will not replace it, and hence personal backups are important.

Other companies have different consumer software licences that set out what can and cannot be done with a digital file (such as Creative Commons licenses), and some digital audio files are in the public domain and have few or no intellectual property rights.

As with digital music, eBook files are usually licensed for individual use and cannot be bequeathed. The terms of service give buyers the right to use the file, that is, read the book, but they do not own the file, their right to read may expire on a certain date, and the file can often only be read with proprietary combinations of hardware and software. On occasions, your license may be extended to friends or family, but the ownership of the file still remains with the publisher. An important exception to this are books that are out of copyright and have been digitised and made available under a Creative Commons licence by organisations such as Project Gutenberg and Google Books.

There are many advantages to eBooks, but bequeathment is not one of them. If an individual is concerned about the inter-generational longevity of their library, it is best to buy physical copies of the book in the first instance, and not the eBook version. The physical copy can then be straightforwardly bequeathed.

Like music, books are an important component of many people’s biography, and again, form an important component of family history. As things stand at time of writing, eBooks are lost to legacy, and the seminal books that have contributed to a biography, and should be passed to others, need to be in physical form.

Problems curating and bequeathing images

Passing on digital images is less problematic than digital music or books in so much as the copyright of a photograph is owned by the individual who took the photograph, unless the rights are specifically passed to another. Uploading a photo to the web doesn’t change this and copyright is retained by the photographer. Thus photos can be bequeathed to another person in a will and many professional photographers, who earn a living from their photos, do this as a matter of course.

In the case of popular services such as Flikr, users may choose an All Rights Reserved licence for their uploaded photos, or a Creative Commons License. A Creative Commons License is a series of licenses that limits what users may and may not do with photos, such as reusing them for commercial purposes or using them without attribution (For further information see, and Although online systems are convenient places to share photos, they are often published in a compressed and low-quality format. Again, it is best practice to retain local copies, in the best quality possible, along with


the important information about where they were taken, dates, and people in the photo. Many digital cameras allow ‘metadata’, to be written into the file (such as time and date, GPS, and camera settings for the photo), but this will not provide future generations with social context, which will need to be added once the file is transferred to a computer.

In the case of other popular systems for publishing photos, such as Facebook, the copyright is still owned by the photographer. The terms of service grant Facebook the right to reuse personal photographs in certain features of the system, but this is primarily determined by the user’s privacy settings. Other systems may have differing copyright provisions and it is always prudent to check the Terms of Service before uploading images to a particular service.

In many different cultural contexts, photos reveal a significant component of family history over several generations and considering how they will be maintained and bequeathed is important. In other cultural contexts it is important that photographs not be viewed at all. For example, many indigenous Australian communities do not approve of the display of photographs of deceased people. Use of the names of deceased people is problematic in many of these communities. Other images should only be seen by those in community, and when in community, some should be viewed only with the permission of particular custodians and in particular circumstances.

Even where these cultural sensitivities do not apply, and the personal archivist’s objective is to make as much information known to as many people as possible, the problem of curating and managing an archive of what may be tens of thousands of images remains formidable. These problems may not be new, as anyone who has leafed through an old photo-album will attest (who are these people? where was this taken?). However, the sheer quantity of images generated in digital formats not only exacerbates these problems, it makes them virtually impossible to overcome with traditional manual methods of curating and archiving.

Problems curating and bequeathing video

As with photos, the copyright of videos uploaded to popular systems such as YouTube is usually owned by the person who recorded the video, so videos may be legally bequeathed. However, once uploaded many of the exclusive rights that the individual has over the video are granted to YouTube in the terms of service. YouTube may, for example, republish your videos in other parts of the YouTube system, and use your videos to raise revenue through banner advertisements. However the license that grants YouTube the rights to use uploaded videos is terminated once the videos are deleted from the service (See YouTube’s Community Guidelines and Terms of Service for further guidance:

Along with photos, videos now form an important part of family history so again, it is important to consider their long term maintenance and bequeathment. As with photos, it is best practice to keep the best possible copies of the digital files in a local folder using popular formats such as Mp4, ensuring that additional contextual information accompanies the videos to enable future generations to appreciate their content. Of course, the previously mentioned curatorial and management problems remain.

Problems curating and bequeathing email

Email is one of the more important communications mechanisms in the digital age; indeed, email is commonly regarded as the internet’s “killer application” and has replaced paper letters, memos and notes in many social contexts. Access to correspondence is a very important issue for family history, community history, and history more generally. Correspondence has long been a primary evidence for the construction of these histories, and the move from paper to email has in some contexts severely compromised this important source of evidence. The archiving and bequeathing of emails poses some of the same problems encountered with paper, but also some new ones.

Like paper letters, emails are usually context-specific, personal in nature, and not meant
for broader public consumption. Email services such as Gmail and Hotmail are conscious of this and have strict rules that forbid access to the email associated with a deceased person’s account. Thus emails in general will be inaccessible and destroyed if provision for access has not been made for them before the death of the account holder.

Generally speaking, access to another person’s email account is not available except under a court order, even to next of kin (and from a privacy perspective, especially not to next of kin). Also be mindful that although one generally stores one’s email on the email server, email service providers will only store emails for a defined period of time, after which expired emails are deleted. This being the case, if one wishes to bequeath one’s emails, one must take steps to archive and store them locally, rather than relying upon the service provider to make them posthumously available.

Even though some employers permit the use of their email system for private purposes, many people consider it good practice to use a separate system for private correspondence, perhaps Gmail or Hotmail, rather than using an employer’s system. Work-related email systems usually have their own privacy and ‘terms of use’ policies, and employees using this system for private purposes may have little or no control over these terms and the way they impact email correspondence.

If personal emails are to be archived, they should be appropriately filed and stored offline. A separate email account, or several accounts each with a different purpose, makes this process clearer – though it must be said, this may be more inconvenient than a single account for day to day use. Organising personal and professional correspondence in a thoughtful way is necessary if it is to be effectively archived and bequeathed. Most email clients enable emails and their attached documents to be stored in nested folders, and the structure of these folders should clearly separate out different categories of email, represent the context in which the emails were produced, lay out a coherent history of correspondence, and should be comprehensible in the future not just to the original sender, but to their beneficiaries. This is not a difficult task in itself, but it is time consuming, and requires forethought and motivation.

Problems curating and bequeathing mobile accounts and texts

The procedure for dealing with mobile phones and the SMS texts and data that they contain differs between services providers, but in general, most of the larger service providers have established policies to deal with the death of a client. Procedures usually require the next of kin to contact the service provider on their customer support line and notifying them of the death. The next of kin or authorised representative must provide the appropriate evidence of death, such as a funeral notice, a death certificate, or a statutory declaration confirming authority to act on behalf of the deceased. The next of kin or authorised representative is then required to download, complete, and submit a form outlining what is to happen to the particular accounts.

There are usually two options for dealing with a deceased person’s account; the account may be closed, final bills paid and all data (text messages, favourites, contacts, recent calls etc.) is then deleted. However, accounts may also be transferrable to the next of kin by the authorised representative so that the service is continued. This means that the same mobile phone number is retained and call records, text messages and so on may also be available.

Telcos do not provide for a person to request that their phone account be deleted upon their death, which does raise some privacy concerns. However even if this was the case, there is still the possibility that the next of kin and authorised representative will have access to the phone-handset itself, and if unlocked, will be able to access texts, recent calls, contacts and so on, regardless of the telecommunication companies policies.

Problems curating and bequeathing websites and domain names

Web sites and domain names may be bequeathed to another person with instructions given in a Will and accompanying digital register (see the following section for details). In Australia for example, the regulator of domain names (.auDA) has a policy for transferring ownership of domain names to a deceased person’s estate that applies to the particular domain registrar

that the domain is housed (such as Melbourne IT or Netregistry). In the event of an individual’s death, the domain registrar should be contacted and appropriate evidence of death supplied. It is then a matter of transferring the domain name and the account associated with it to another person (a fee may be charged for this service).

Another important consideration here is that the domain registrar and the web host may be two different companies. If this is the case, the web host will also need to be contacted and again, appropriate evidence supplied. Access to the website files can be granted to next of kin or nominated person and the accounts name and files transferred to the nominated person.

Creating a digital register

A suggested solution to some of the problems mentioned above is to create a digital register (Bellamy et al 2013; Gibbs et al 2013c). A digital register contains the online locations and passwords of online accounts so that the files they hold may be destroyed or bequeathed to friends and relatives as appropriate. This register can be prepared by an individual, or can be arranged with the assistance of a legal specialist in Wills and Deceased Estates and is usually attached as an appendix to the Will. However, in Australia at least, the need to include a digital register as an appendix to a Will is not well-promoted by Wills and Deceased Estate specialists, nor other institutions tasked with managing the affairs of deceased persons, and much more educational work needs to be done in this regard.

Recommended steps needed to create a digital register to accompany a Will are as follows:

  • An audit needs to be done of all digital assets. All services should be considered – iTunes, Flikr, videos, Facebook, LinkedIn, domain names, blogs, websites, email accounts, application software, eBay, PayPal, online gaming accounts, YouTube, eBay, phone apps, data held on the cloud, Amazon, Google Docs, Dropbox, and other data storing facilities that may be associated with work, hobby, or personal business. Also there needs to be consideration of offline digital assets stored locally on CDs, DVDs, hard-drives, USB storage, or even on floppy disks.
  • A decision needs to be made about who is going to manage the digital assets upon the death of the individual concerned. This is usually the Executor of the Will, if they are technically adept enough to locate and access accounts, to identify the files associated with these accounts, and to carry out instructions in respect of these files. Alternatively, a friend or family member may be nominated to assist in this regard. The digital register and associated instructions may be an appendix to the Will, and like the Will, should be kept in a safe place known to the executor. Commercial service providers (e.g. Security Safe or Legacy Locker) offer specialist services that will store important data and passwords that allow nominated individuals access accounts and files in the event of death or disability.
  • Details need to be provided on where to find the ‘digital assets’, and clear instructions need to be given on how to access files and groups of files, and on exactly what to do with them upon death. It is important that information about locations, usernames and passwords are up-to-date as finding and gaining access to accounts after death can be extraordinary difficult, if not impossible, without this information. Enabling the digital legacy to be disbursed or deleted as appropriate, also reduces the possibility of identity theft and the possibility of reputational damage and distress brought to friends and relatives should privacy be violated upon death.
  • All of the above presupposes that a digital legacy is organised, labelled and described in such a way that enables instructions to be executed. There may well be many thousands of files in these accounts, and providing individual instructions for each is impractical. Thoughtful categorisation of files in archives is a useful thing to do for everyday purposes and will also make the job of deletion or disbursement of a digital estate much easier and more effective.
  • If accounts are to be closed immediately upon death, most companies require a formal process in which proof of death is provided (usually a death certificate or published obituary notice) by a person authorised to act on the deceased behalf (usually the Executor of the Will). Alternatively, many accounts will be closed at the expiry of a minimum period of inactivity – which may be as long as 9 – 12 months. If an online repository is to be closed and its contents destroyed or made inaccessible, this minimum period may be too long.

Other things to consider when preparing instructions:

  • If one opts to establish an online memorial site, should this be a Facebook memorial site or perhaps a separate website built specifically as a memorial for friends and relatives to view and interact with? What kinds of material are to appear on the site? Should one record a final video or write a final note to convey to family and friends posthumously or to post on a memorial site? Who will take responsibility for establishing and maintaining the site?
  • Should social-network accounts be closed, or remain open as a place for friends and relatives to converse and reminisce?
  • It is always good practice to create local archives of online personal files periodically. This is increasingly easy to do and most of the larger social software companies (e.g. Facebook, Google and its subsidiaries) now offer account downloading facilities.

Conclusions and future implications

Given the size of the digital economy, and the plethora of services and products now available to the public, it is difficult to ascribe a simple fix to the legacy problems that follow when users of these services die. However this is not to say that developers of software products and services could not do much more to consider the issues that will only become much more acute in the future. Some of the issues are as follows:

  1. There is no single, established mechanism for archiving and re-repurposing the digital artefacts of the deceased, nor to insure their long-term preservation with appropriate descriptive metadata to designate digital items in context. Best practices are still evolving, and must be assembled from multiple sources.
  2. There is no single, established mechanism for establishing and maintaining online memorials. Best practices are still evolving and must be assembled from multiple sources.
  3. Many online systems and service providers do not have procedures in place to cater for the death of a user. The ability to designate an inheritor of one’s data in the user’s preferences or indeed to request the deletion of ones data upon death is missing in almost all systems. This creates unnecessary complications for the next of kin.
  4. There are significant internal inconsistencies and recourse to ad-hoc arrangements in how major companies deal with the death of a client. Even where companies have established policies, the transfer of digital assets to another user is often difficult in practice as these policies are hard to find, are expressed in obscure legalese, are difficult to interpret, and they may have no-one in particular whose role it is to manage the situation.
  5. Currently, individuals need to take responsibility for their digital assets. Most importantly, this includes creating and maintaining a local archive of one’s most important digital assets, making decisions in regard to the disbursement of that archive, and leaving clear and accessible instructions to enable online digital assets to be accessed and then deleted or disbursed as appropriate. This responsibility remains almost entirely unfulfilled.
  6. The importance of creating personal digital archives is not well-established in the popular imagination. The products and services available to facilitate this are inadequate, and digital service providers could offer much more leadership in this respect.
  7. Protocols and practices associated with bequeathment of digital assets alongside material and financial assets in the context a legal Will needs to be further developed by relevant agencies.
  8. Introducing personal archival practices early in one’s life is now an important consideration, given that data is acquired from a very young age, is stored remotely in an ephemeral way, and is easily forgotten.
  9. Institutional archives and libraries could provide a lead in terms of educational material and services in regard to best-practice archiving. Personal digital archives often overlap with local or even national histories so it is in the interests of archives to innovate in this area.

Online service providers that store our assets clearly have a role to play in remediating this situation, but institutional archives and libraries could also provide a greater lead. Protocols and practices about the bequeathment of digital assets need to be further developed to take their place alongside those that pertain to material and financial assets. Individuals and families are in need of educational materials and services for the construction of personal digital archives, and communities are in need of these materials and services for the construction of community and national archives, built in part from an aggregation of family archives. The ability to construct an archive, to designate an inheritor of one’s digital legacy or indeed to request the deletion of all or some of this legacy, is missing in many systems.

The answer is clearly not to be found in devising manual systems, or encouraging people to use manual systems, and we look to a time when the work required to curate an ever increasing digital legacy held by many millions of people may be addressed by automated or semi-automated systems.

One way forward is to repurpose the automated and semi-automated systems used by intelligence services such as Echelon and Prism; by data-mining companies such as Axciom and Neilson Claritas; and by the data gathering and analytics systems used by Google, Facebook and the like to process and store personal information. Our legacy is out there. It just needs to be selectively culled, organised and brought together. The algorithms used by these surveillance systems can search out, identify, tag, categorise and cross reference the plethora of images, emails, and other digital files we produce in a lifetime, using heuristics based on rules we determine, and behaviours we exhibit, to curate and store these files. Such an “intelligent agent”, or “digital curator”, might sit in the cloud, watching traffic across our desktop, pad, and smart-phone, tagging and categorising in real time, learning from our filing practices and generalising from our explicit instructions, requesting advice and permission as needed, thus bringing our legacy together in an organised and comprehensible package. Of course, a fundamental shift in the openness and control of online processes in favour of citizens and consumers is required, and the task of repurposing surveillance systems to create such an agent is clearly a formidable one. But so is the problem. Without a “digital curator”, our history is dispersed to the digital wind – not gone, and even proliferating, but not in relation, and not to hand.


Digital death is still a problem. A widow’s battle to access her husband’s Apple account

Kerry B. Collison Asia News: What happens to your

Experts are urging us all to think about what will happen to our ‘digital footprint’ after we die

Many of us turn to the virtual world to mark major life events – graduating from school, scoring a promotion, getting married or having a baby.

But what happens to your “digital legacy” after you die?

Grieving family members and friends would no doubt be aghast to come across a nasty comment about a departed loved one on their Facebook page or see a troll attacking their Twitter account.

So as morbid as it may sound, lawyers and web experts are urging people to include specific instructions in their will about what happens to the digital footprint they leave.

“In an age where digital data has increasing economic and sentimental value, it is sensible to leave clear instructions in your will about what should happen to, for example, social media content after death,” said Robert Rhoda, a dispute resolution lawyer with law firm Smyth & Co in association with RPC.

Our digital afterlife is not something most people think of and tech companies are still grappling with policies to adequately deal with the issue.

It’s a relatively new area of the law, Rhoda said, adding that people should consider leaving a “digital legacy” to avoid difficulties for those left behind to deal with the issue.

“Administering digital assets and social media content is a novel legal issue,” he said.

“Leaving a ‘digital legacy’ enables your personal representatives to liaise with service providers in line with your wishes. This is preferable to leaving passwords with relatives, which can cause them, often unwittingly, to breach laws related to the misuse of computers and data privacy.”

In Britain, the Law Society of England and Wales has started advising people to leave instructions on what should happen to their social media and other online accounts when they die in order to make it easier for family members to piece together their digital estate.

But Rhoda warned that the virtual world was not afforded the legal status of tangible assets.

“Social media accounts don’t have the same legal status as fixed assets, which form part of an estate, and it is not always clear who ‘owns’ them or, rather, who has the right to access them, once the user has died,” Rhoda said.

In recent years, several cases have emerged to test the law.

In 2005, the mother of a US soldier who died in Iraq went through a long legal battle with Yahoo to gain access to his email account.

In 2011, the family of a 15-year-old boy who committed suicide spent years in and out of court to gain access to his Facebook account, arguing that they wanted to see if there were any hints on his page that would explain his decision to take his own life.

In Australia, a recent study by a government body that specialises in wills and guardianship found that while nine out of 10 people have social media accounts, just one in five have spoken to their loved ones about what should happen to their online profiles when they die.

Lokman Tsui, assistant professor of communications at Chinese University, says there needs to be more awareness of the issue.

“This is something that is really critical but that not a lot of people have given much thought to,” said Tsui, whose research areas include new media and how policies should deal with emerging technologies.

“Some of our most private thoughts and conversations are in our emails and social networks but very few people have thought about what happens to that stuff when they die. This is a new area and there are no ‘norms’ that have crystallised about it.”

The topic raises a raft of issues involving data privacy, ownership and the security of a dead person’s account.

Tsui, who used to work at Google as head of free expression for the Asia-Pacific region, said the search engine introduced an “inactive account manager” last year. The feature allows the account holder to give other people access to their Google profile after they die.

Facebook, which has 1.3 billion users, offers two options: the account can be deleted permanently upon the family’s request or it can be converted into a memorial profile.

When an account is memorialised, sensitive information such as contact details and status updates are removed. No one can log into the account but friends and family can leave posts on the wall in remembrance.

Jed Brubaker, an academic at the University of California, Irvine who is researching death, identity and social networks, said this Facebook option was a double-edged sword.

“Memorialised profiles can be powerful places where the deceased’s social network can gather and memorialise the life of their friend,” he said.

“But in my research, unexpected encounters with deceased profiles has been the most troubling aspect of post-mortem profiles continuing to exist on Facebook.

“People can stumble across posts made to post-mortem profiles in their ‘newsfeed’, mixed in with other casual social media content. These encounters can be alarming, especially when a person is not expecting to see this kind of content.”

In its policy, Facebook says it tries to prevent memorialised accounts from appearing in ways “that may be upsetting to the person’s friends and family”.

A spokesman for Facebook, which declined to reveal how many profiles have been memorialised, said they “give people a platform to remember and celebrate the life of their loved ones after their passing”.

Instagram, which is owned by Facebook, has a similar policy to its mother company.

LinkedIn has an online form that allows a profile of a dead person to be removed and Twitter’s policy says an account can be deactivated by an immediate family member or someone who has been authorised to act on behalf of the estate.

Yahoo, which is popular in Hong Kong, will deactivate an account once staff can verify documents such as a death certificate. Access to the account for third parties is not allowed.

A spokesman for the Office of the Privacy Commissioner for Personal Data said that under the city’s laws, personal data was defined only as information which related to a living person.

“When the records relate to a deceased person and no living individual, they do not contain personal data” and were not subject to data protection laws, he said.

Two years ago, Hong Kong lawyer Ryanne Lai Hiu-yeung co-founded an internet start-up called Perpetu to tackle the issue.

Services offered include sending farewell messages on Twitter when you die, the deletion of your emails or their transfer to an authorised person, and deletion of your Facebook account.

The business is still operating but Lai says she is no longer actively promoting it. About 2,000 people signed up and about half were from Hong Kong.

“Most of them are in the ‘internet generation’ so I won’t say they are too young to think about death,” Lai said. “To me, this is more about life than death – it’s about how much you treasure your online presence and content that you create on a day-to-day basis.”

Richard Norridge, of law firm Herbert Smith Freehills, says the intrinsic value of our digital assets is still unexplored territory and someone’s digital legacy can come in many forms.

“It may be music or films held online, virtual currency or perhaps online accounts,” he said.”For many, it still does not form part of their thinking when they prepare their will, perhaps because those engaged in estate planning concentrate on the assets of greatest value.”

Norridge said Facebook’s memorialisation option was a fraught one. “The account is preserved in that it can still be viewed, but no one can log into that account and accounts cannot be modified. Thus if unwelcome comments are posted, they are memorialised, too,” Norridge said.