In the recent case of Sabados v Facebook Ireland , the English High Court ordered Facebook to disclose the identity of a mystery individual who requested that the platform delete the profile of a deceased user of the platform.
Around six months after the death of Mr Mirza Krupalija, Facebook received a request from an individual to delete Mr Krupalija’s personal profile, as well as the page of his band. Facebook duly complied with this request, leaving his long-term partner, Ms Azra Sabados, “devastated by the loss of so much material”.
Ms Sabados made a subject access request to Facebook on the basis that some of that deleted information, (which included photographs, poems and messages between the couple) would have included her own personal data. In response to a subject access request, Facebook confirmed that the data from Mr Krupalija’s profile was no longer available and that it was not able to tell Ms Sabados who requested that her partner’s profile be deleted.
For a year Facebook remained steadfast in its refusal to identify the individual who requested that Mr Krupalija’s profiles be deleted, maintaining all along that its internal processes had been duly followed. After crowdfunding her court action, Ms Sabados made an application to the High Court to compel Facebook to reveal the identity of the mystery individual.
The court considered there to be a good arguable case that a “person unknown posing as a family member contacted Facebook to seek the deletion of Mr Krupalija’s Facebook profile … which meant the irretrievable destruction of posts and messages …”. As some of that information was likely to contain Ms Sabados’s personal data, it was concluded that procuring its destruction could give rise to a claim for breach of the Data Protection Act 1998, as well as a breach of confidence and/or misuse of private information.
Without the identification of the mystery requestor, Ms Sabados would clearly not be able to formulate any claim against them. Because of this, and given that Facebook was considered to be unequivocally mixed up in the mystery requestor’s actions, the order (requiring Facebook to disclose the identity of the individual to Ms Sabados) was granted.
This decision goes to show that just because the General Data Protection Regulation (GDPR) does not apply to the personal data of deceased persons, this does not mean that companies that hold personal data relating to such persons can consider themselves absolved of all responsibility in respect of their handling of such data once those individuals have passed away. The risk that some personal data relating to the deceased may be intertwined with that of another individual, and the complications that presents, is emphasised by the case.
It should also be noted that GDPR does permit Member States to provide specific rules regarding the processing of the personal data of deceased persons, something that some Member States (such as Denmark) have already taken on board.
Companies should take the time to consider their approach to the handling of personal data relating to deceased individuals. They should ensure that their policy is not only communicated effectively to users at the time their personal data is collected, but that it is also communicated internally to those who have the power to effect individual rights requests. It would also be advisable to implement appropriate technical and administrative safeguards to avoid a similar situation to the one the court considered, and to always keep records of the process followed when responding to individual rights requests.