PRIVACY AND DIGITAL HERITAGE: THE PREVAILING OF “FAMILY REASONS DESERVING PROTECTION” IN A RECENT JUDICIAL PRONUNCIATION
The protection and inheritance of the digital heritage is facing new challenges. Digital heritage is the large amount of data which represents the person in the virtual world and it is bound to survive after its death. [To download the Order]
About twenty years ago, the late lecturer Stefano Rodotà, distinguished constitutionalist, the first Italian Privacy Guarantor, talked for the first time about the "electronic body", questioning the transformation of human identity in relation to the use of technology. Today this question is not completely resolved yet, in the absence of adequate legislative discipline. Maybe, it can be partially answered here.
The story, which has greatly interested commentators and social networks, involves the parents of a young chef who died early following a fatal car accident. They took a legal action against Apple Italia S.r.l., a company belonging to the well-known multinational group that was led by the visionary Steve Jobs. The applicants wanted the Court to oblige the company, according to precautionary measure provide for by the art. 700 of the Italian Code of Civil Procedure, to give assistance in recovering personal data from the iCloud account of their son.
The death of a child is one of the hardest tests, if not the hardest, that a parent can face in life: the request for access to data, as well illustrated in the factual reconstruction inferred in the ordinance, was aimed precisely at the attempt to "fill the void", reviewing the recent videos and photos of the son and collecting the recipes that the boy used to write down on his smartphone, in order to collect them in "a project dedicated to his memory". For this reason, the family members had repeatedly contacted the company, which however refused to allow access to the data contained in the Apple-ID in the absence of a specific court order.
Apple claimed that the Court order expressly certifies: (a) that the dead person had been the actual owner of all the accounts associated with his Apple-ID; (b) that the applicant was an "administrator" or "legal representative" of the deceased's estate; (c) that, in such capacity, the applicant qualifies as an "agent" of the deceased and his authorization to act constitutes "legitimate consent", according to the definitions contained in the Electronic Communications Privacy Act; finally, (d) that the Court explicitly ordered to provide assistance in the recovery of personal data from the accounts of the deceased, noting that they could contain information or personal identification data of third parties.
Apple wanted to subordinate the access to the data to the rules provided for by the law of the United States of America, in the Electronic Communications Privacy Act 1986 (ECPA) with its various amendments (among which, those provided for by the well-known USA Patriot Act of 2001, issued in the field of counter-terrorism in the aftermath of the terrible attack on the Twin Towers of New York). It constitutes the reference standard for everything concerning the protection of confidentiality in the field of telephone conversations, digital communications and electronic tools.
Apple seemed to ignore, or probably it pretended to ignore, the privacy rules provided by European Union law and its member states law. First of all, the privacy rules are contained in the European General Data Protection Regulation n. 2016/679 (GDPR)
The art. 3 establishes that this Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor established in the Union (it is not important if the processing is made in the EU). It also establishes that this Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to the offering of goods or services made in the Union or to the monitoring of their behavior as far as their behavior takes place within the Union.
So, Apple's claim appeared illegitimate. Furthermore, we have to say that Italian law doesn’t have the "administrator" or the "legal representative" of the deceased, nor the "agent" of the deceased, and not even the "legitimate consent". These cases are envisaged and regulated within the aforementioned legislation which belongs to a different US federal juridical system.
The Court of Milan also recalls the Whereas no. 27 of the GDPR according to “This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons”.
In this regard, the Italian Legislative Decree no. 101/2018 introduced a specific provision in our Code of protection of personal data (Legislative Decree 30 June 2003 n.196): the art. 2 terdecies, dedicated to the protection of the deceased’s personal data. It says "the rights provided for in the articles from 15 to 22 of the Regulation referring to personal data concerning deceased peoples can be exercised by those who have an interest of their own, or act to protect the interested party, as his agent, or for family reasons worthy of protection".
As noted by the Milan Court, the legislator has not clarified whether the acquisition of the rights of the deceased person is mortis causa or it represents a legitimacy iure proprio, providing what authoritative doctrine has qualified as "the persistence of rights after the death”, “persistence that assumes a preminent importance for judicially available remedies”.
The general rule from our legal system is the survival of the rights of the interested party, as provided for by the Privacy Code, even after death and, therefore, the recurrence of the possibility of an effective exercise also after the death "by certain subjects entitled to exercise the rights themselves". To about, the art. 2 terdecies also says that the exercise of these rights can be excluded only by express provision of the law or, but "limited to the direct offer of information society services", in the event that the interested party has expressly prohibited, with a written declaration to the data controller or in other way communicated.
Very important is the analogy, proposed by the Court of Milan, between the living will and the digital will. They both concern the rights of the person in its physical dimension and in its identity.
In the last part the art. 2 terdecies says "the will of the interested party to prohibit the exercise of the rights referred to in paragraph 1 must be unequivocal and must be specific, free and informed".
The Italian Legislator, therefore, "has expressly valued the autonomy of the individual, leaving him the choice whether to leave the heirs and legitimate survivors the right to access their personal data (and exercise all or part of the related rights) or remove access of third parties such information". In this regard, the third paragraph of the same art. 2 terdecies states that "the will of the interested party to prohibit the exercise of the rights referred to in paragraph 1 must be unequivocal and must be specific, free and informed".
It is interesting to highlight how, given the relevance of this kind of interests, a large part of the digital industry has now adopted a clear policy, taking care to provide procedures that allow users to draw up a sort of "digital will". Just think, for example, of the choice of Facebook that allows users of the platform to indicate an "heir contact", who can succeed him in managing the profile after the user's death. And it is certainly curious that, on the other hand, a giant of technological innovation as Apple has not yet done so!
At the end, the Milan Court examined the art. 6, par. 1, letter f, of the GDPR, to draw attention to the fact that it expressly authorizes the processing of personal data necessary for the “the legitimate interests pursued by the controller or by a third party”. So, according to Italian and European law, the parents had family reasons worthy of protection.
For these reasons and also why the Company has not proved the existence of a negative expression of will, the Court of Milan sentenced Apple to provide the applicants with all the necessary assistance for the complete recovery of the data from their son’s accounts. Apple was also ordered to pay the legal costs.
Today the information technologies play a crucial role in our society. The "network" and also the social networks have become structural elements of the modern community and have also irremediably changed the relationship between personal identity and death. And the regulation of “digital heritage” is already a truly crucial challenge for the legislator. The legitimacy of the interest is certainly evident, also due to the existence of those "family reasons worthy of protection" protected by art. 2 terdecies of the Italian Privacy Code, which in this case are found in the desire to carry out a project that keeps the memory of the deceased chef alive through the publication of his recipes.
If it is essential to protect the digital data of the person while he is alive, it is equally important to guarantee the recovery of those data by the family, before it is too late and that they go irremediably lost, in the oblivion of their dispersion due to inactivity of the accounts in which they are kept. We have to protect the right to care people we love and the right to the preservation of memories, which, in the end, is what really remains of a past life.