Inheritance of data
A natural extension of the consideration of the legal status of data is the question of whether data can be inherited. This is no longer just a theoretical issue. Data are increasingly valuable, making it vital to answer the question of whether data constitute an asset of the decedent’s estate that can be taken over by the heirs.
According to the Polish Civil Code, the decedent’s property rights and obligations are the subject of succession. But the estate does not include the decedent’s rights and obligations closely linked to his person and rights which, upon death, are transferred to designated persons irrespective of whether they are heirs.
Is it possible to inherit data based on such a definition of inheritance?
First of all, to answer this question, it is necessary to recall the division into different categories of data which, like the issue of classifying certain types of data as property rights, has already been analysed in our data economy series. Indeed, depending on which category of data we are dealing with, the assessment of whether a right or obligation should be included in the estate changes.
While the possibility of inheriting data that may be subject to absolute property rights should not raise doubts, more reservations may arise in relation to uncategorised data.
In our series of articles, we regard as “uncategorised data” those data that are potentially subject to property rights but do not qualify as the subject of any absolute property rights currently recognised by the legal system. This is an increasingly important set of data, including in particular a large portion of machine data.
Currently, uncategorised data are not subject to absolute property rights. Instead, they may be subject to relative rights. For example, a contract may allow a specific entity access to machine data. Also, one can contractually transfer data to another entity so the recipient can commercially process the data. In such a case, for example, a claim may arise for payment for the use of data, to refrain from disclosing the data to third parties, or to return the data under certain circumstances.
Therefore, it is useful to distinguish two cases with respect to uncategorised data. The first case assumes that data are the subject of relative property rights (e.g. the aforementioned claims arising out of contractual relations, or amounts owed to the provider of the cloud solution where the data are stored). The second case is a situation where uncategorised data do exist (e.g. they are recorded on a specific carrier) but are not subject to either relative or absolute property rights (e.g. no contracts were concluded with regard to the data).
It seems that in the first case, data (or more precisely the relative property rights the subject of which is the data) could form part of the estate and be inherited under general rules. In the second case, at most the data carrier (or possibly the right to access the carrier), but not the data as such, could be inherited. In such a situation, data exist but are not the subject of any property right. The decedent’s heirs can actually access the data, but this will happen, as it were, when inheriting the physical data carrier. But the data as such will not be subject to inheritance.
The potential inheritance of personal data is a separate issue. In this case, the situation is further complicated by the fact that personal data are often treated as a personal right which is the subject of non-property rights (more on this subject in the article on the legal character of personal data). In practice, such a qualification of personal data could rule out their inheritance; as the subject of non-property rights, they would not be part of the estate. Additionally, as stated in para. 27 of the preamble, the EU’s General Data Protection Regulation does not apply to personal data of deceased persons. So what happens to personal data after the data subject’s death?
As with other data, in the case of personal data the death of the data subject does not cause the data to cease to exist. But it becomes crucial to determine the status of the data, who has rights to them, and the content of those rights. It is widely believed that data subjects’ rights under the GDPR are personal rights. They are an emanation of personal property, and as such are not heritable. One might potentially wonder whether the GDPR nevertheless establishes a set of property rights to data that could be subject to inheritance, e.g. with regard to the rights to data erasure (Art. 17 GDPR) and data portability (Art. 20 GDPR). The substance of those rights is very close to that of some known property rights, which could suggest that we should treat them as a special type of property right.
However, if we assume that the GDPR does not establish property rights, then in practice we must conclude that personal data of a deceased data subject (unless the subject of a defined absolute property right, such as copyright) end up in a peculiar legal vacuum after the data subject’s death. They become what we refer to in our series as “uncategorised data”: they are a certain asset (in practice, primarily digital), but nonetheless not the subject of any property right of an absolute nature. Access to such data can only be “inherited” if the data were the subject of some property right of a relative nature (such as a claim under a contract with a digital service provider).
These difficulties are not specific to Polish law. A high-profile case in Germany concerning heirs’ access to data stored on a deceased person’s Facebook account (Bundesgerichtshof, III ZR 183/17) and the ensuing discussions have shown that the problem is largely universal. In that case, the German Federal Court of Justice held that claims from the Facebook contract can be inherited. However, this ruling does not determine the status of the data collected on the Facebook account as such. A claim under a contract with a digital service provider is not the same as an absolute property right to data stored by that provider. From this perspective, the challenges identified above still remain unresolved. However, the discussion around the Facebook case has highlighted a number of more specific challenges related to data inheritance. Can data inheritance be contractually excluded? How are the rights under the service provider agreement to be exercised in the case of multiple heirs? Does each heir receive the right to use all of the inherited data or only part of the data? How should a situation be handled where inherited data include personal information about the decedent? Are heirs entitled to invoke their rights under the GDPR in such a situation? What if the inherited data also contain third parties’ personal information?
Difficulties regarding the inheritance of certain types of data should be considered an undesirable situation from a legal and practical point of view. It creates uncertainty as to the set of persons entitled to data and the conditions under which certain persons have access to data.
We can easily imagine a situation where only one of the heirs, or even a third person, gains actual access to data. Since some of the data may not have become part of the estate, the remaining heirs may have difficulty pursuing possible claims against the persons who actually came into possession of the decedent’s data.
As long as we treat the data we are talking about here as random and insignificant, the problem may seem marginal to us. We will start to look at it a little differently if we realise, for example, that data used to create algorithms with a certain market value may also be part of the estate. We can also look at this issue differently through the lens of the demands of the MyData movement. Data generated over many years of the decedent’s life may constitute a significant asset in the new economy, used by many entities, including on a commercial basis. The use of the data will not end with the death of the person who generated the data. The data can live on. Viewed from this perspective, it becomes vital to answer the question of who will be the economic beneficiary of the use of such data after the death of the data subject.
Krzysztof Wojdyło, adwokat, New Technologies practice, Wardyński & Partners
Anna Olejniczak-Michalska, attorney-at-law, Private Client practice, Reprivatisation practice, Wardyński & Partners