Digital Afterlife: Who Can Access and Manage a Deceased Person’s Online Accounts?
Key takeaways
How should digital data be managed after death? This article explains the legal framework for handling online accounts under French and EU data protection law.
Most of us actively use multiple online accounts, whether for personal or professional purposes, not to mention email services. However, when the holder of these accounts dies, their digital footprint does not automatically disappear. Physical death does not automatically trigger digital death, and personal accounts, even if inactive, can remain online for extended periods.
The issue of managing the digital data of a deceased person is particularly relevant when we consider that an average of 8,000 Facebook users die each day worldwide. (1)
1. By Definition, Personal Digital Data Is Personal
Personal data is defined as any information relating to an identified or identifiable natural person, i.e. the data subject. Any other individual, including heirs, is therefore considered a third party. (2)
The rights of the data subject, such as the rights to access, rectify, or delete data, are inherently linked to that person and may only be exercised by them. This principle has been confirmed by France’s Conseil d’État (the highest administrative court) in two rulings issued in 2011 and 2017. (3)
Email accounts, for their part, are protected under the confidentiality of correspondence principle.
The GDPR applies to individuals during their lifetime, but not after death. (4) As a result, data subject rights are extinguished upon death. Third parties, including heirs or loved ones, do not automatically gain access to the deceased's accounts on platforms and social networks.
So what happens to their digital data, to accounts held on Facebook, Instagram, X, LinkedIn, YouTube, or to their email accounts?
Before the entry into force of the French Digital Republic Act (Loi pour une république numérique), (5) the heirs of a deceased person could only access their digital data in limited situations, usually for the purpose of exercising their legal rights as heirs (such as accessing online banking data).
Many websites, platforms, and social media services automatically close inactive accounts after a certain period (one or two years, or even longer). However, platform operators are not always made aware of a user’s death and therefore cannot act to delete the accounts. Some platforms also have no specific procedure for handling inactive accounts. As a result, a large number of online accounts remain accessible after the account holder’s death because physical death does not automatically lead to digital death.
2. Conditions for Managing Digital Data After the Death of a Loved One
Planning what will happen to your digital personal data after your death makes things easier for your heirs and prevents potential disagreements about how the data should be handled, whether that means deleting it or keeping it online.
The French Digital Republic Act introduced a relatively comprehensive framework for managing a deceased person’s digital presence, in accordance with their “digital will.” These provisions are now codified in Article 85 of the amended French Data Protection Act (Loi informatique et libertés).
Two options apply: either the individual has provided specific instructions regarding their personal data after death, or they have not.
a) The Individual Has Provided Instructions Regarding Their Personal Data After Death
Such instructions define how personal data should be accessed and processed following the individual’s death. Like a traditional will, these instructions may be modified or revoked at any time by the data subject.
These instructions may be either general or specific in scope.
General instructions apply to all of the individual’s personal data. They may designate a person responsible for their execution. In the absence of such a designation, and unless otherwise specified, these instructions may be accessed and carried out by the deceased’s heirs. General instructions can be recorded with a digital trusted third party certified by the French data protection authority (CNIL). The existence of such general instructions and the identity of the trusted third party are listed in a centralized registry.
The provisions relating to general guidelines, and more specifically concerning trusted third parties and the centralized registry, are still not applicable, as the corresponding implementing decrees have not been published. However, the data subject may include their guidelines regarding their digital data in their will.
Specific instructions relate to clearly identified data processing activities. These must be recorded directly with the relevant data controllers, namely online platforms and social networks. To facilitate this, the platform terms of service and/or privacy policies must include provisions allowing for the registration of such instructions. However, this requires specific and separate consent, distinct from general acceptance of the platform’s terms.
b) The Individual Has Not Provided Any Instructions Regarding Their Personal Data
In the absence of instructions, heirs may only exercise their rights for two purposes: to manage and settle the deceased's estate by accessing information necessary for estate liquidation and distribution, and to notify the data controller of the individual’s death and request appropriate actions (e.g., account closure or status update).
Major social networks have implemented features for deleting accounts following a user’s death (unless otherwise specified in their instructions), or for converting the account to “memorial” status (e.g. Facebook), allowing friends and family to leave messages in their memory. The CNIL provides on its website a list of platforms offering such features, along with links to the relevant pages for reporting a user’s death.
In case of disagreement among heirs, or if one of them believes that the use of the deceased’s personal data infringes on their memory, reputation or dignity, the matter can be brought before the competent civil court.
The CNIL plans to organize a round of discussions on the ethical issues of post-mortem data in 2025. The outcomes will be published in a CNIL Innovation and Prospective Report. (6)
(1) Source: CNIL, “Digital death: Can you request the deletion of a deceased person’s information?” (in French)
(2) See definitions in Article 4 of the General Data Protection Regulation (GDPR)
(3) Conseil d’État rulings: June 29, 2011, Case No. 339147; June 7, 2017, Case No. 399446
(4) Recital 27 of the GDPR
(5) French Law No. 2016-1321 of October 7, 2016, for a Digital Republic (Loi pour une République numérique)
(6) "Données post-mortem, y a-t-il une vie numérique après la mort” (“Post mortem data, is there a digital life after death”) , Régis Catellier, Laboratoire d'innovation numérique de la CNIL
Bénédicte DELEPORTE
Avocat
Deleporte Wentz Avocat
www.dwavocat.com
First published in November 2020 - updated in June 2025