RIGHT TO BE FORGOTTEN, DIGITAL IDENTITY AND POST-MORTEM PERSONAL DATA PROTECTION

  • Tuesday 09 November 2021
  • Italia
What is digital identity?
Digital identity is considered to be the virtual identity that each individual creates for himself/herself on the network; it denotes "the set of information and resources provided by a computer system to a user of that system". Consequently, digital identity is formed by two factors: the existence of a physical individual, and the attribution to that physical individual of a "set of electronic codes such that, once introduced in one or more computers, single or networked, the person can be identified, linking the codes to his identity".
The informational elements, called attributes, make a subject recognizable and identifiable on the network. The attributes correspond to "parts" of the same identity, which makes the digital identity itself fragmentary and therefore not unitary. As a consequence, it is logically impossible for the individual to exercise effective control over all the information about himself/herself that circulates on the Internet.
The identity of the individual on the network can easily be damaged because information is placed on the network without filters or controls. This leads to the presence of data that does not necessarily correspond to the truth or that, even if true, distorts the perception others may have of an individual, especially when the information is far from representing the real identity of the person. Through the net, a great deal of information can be spread by taking advantage of a high-capacity system of collection and filing, which fixes digital information in time. Every piece of data entered is destined to wander indefinitely in the immaterial universe of the Internet and can always be retrieved, even if formally deleted.
 
Right to be forgotten
The permanence of data on the Internet has made it necessary to better protect the individual and his/her digital identity. For this reason, it is provided that, after a considerable lapse of time, every individual is entitled to request the cancellation of information concerning him/her that circulates on the net, also once the social utility of disclosing that information has been lost. In this context, the right to be forgotten and the right to personal identity tend to converge, because the re-emergence of past events concerning a person must respect the identity of the individual, which is often damaged by the diffusion of untruthful or misleading information that contributes to creating an identity that does not correspond to reality.
The right to be forgotten is defined as the right of a person to obtain the withdrawal of personal information concerning him/her, if the public relevance of disclosing the information has ceased due to the passing of time or for other reasons. In fact, art. 17 of EU Regulation 2016/679 (headed right to erasure “right to be forgotten”) establishes a twofold right, providing on one hand the right to be forgotten and, on the other hand, the right to obtain the removal of personal information.
The right to be forgotten thus takes the form of an individual's claim to regain control over his/her own personal history, ensuring respect for the right to self-determination and identity by allowing the elimination of what "no longer belongs to the identity of the person concerned" while, at the same time, preserving what is of high interest to society.
It can be argued that the right to be forgotten concerns the ability of a person to control the data and information that concern him/her. It is not a mere protection of confidentiality, but reflects the desire to exercise control over the use of one's own data and the duration of its permanence on the web. In fact, it is stated that the right to be forgotten guarantees "a dynamic protection of personal data, in the sense that the protection cannot be only the traditional and static one related to confidentiality, but must become an essential component of digital citizenship, and of the free construction of identity".
 
Post Mortem Personal Data Protection
In the context of the relationship between digital identity and the right to be forgotten, there is a further problem concerning digital inheritance, which consists in the transmission to third parties of the "digital heritage" of a person after his/her death, a heritage made up of the set of attributes that make up the digital identity of an individual.  
The digital heritage consists of a series of assets, legal relationships and information, which may have economic or sentimental value, are managed digitally and are also protected by password, for example because they reside on a physical device such as a PC, tablet or cell phone, or because they are stored in the cloud and accessed through private credentials. This raises the delicate question of whether a right to be forgotten exists for the deceased, in the sense of a right to the protection of personal data even post mortem.
The European Regulation on the protection of personal data (GDPR), in Recital 27, excludes the application of the legislation to the data of deceased people and consequently leaves the Member States free to adopt internal rules governing the processing of the data of deceased people.
In fact, Italy, with art. 2-terdecies of Legislative Decree 101/2018 (Decree of Harmonization of the Privacy Code), has extended the rules set out in the GDPR to the processing of personal data of deceased people, stating that "the rights relating to the personal data of deceased people may be exercised by those who have their own interest, or act to protect the deceased as an agent or for family reasons deserving of protection".
The second paragraph of the aforementioned article provides that the rights to protect the personal data of the deceased may not be exercised by the heirs or agents of the deceased in the cases provided by law or when, in relation to information services, the deceased has expressly forbidden this by means of a written declaration submitted to the data controller.
Consequently, it is up to the judge to protect the rights of the deceased also in relation to the protection of personal data. As a matter of fact, problems have often arisen regarding the right of the heirs to request the erasure of data and information placed on the Internet and related to the deceased.
Recently, the Privacy Authority ruled on the legitimacy of a request by the son of a deceased person to delete an article that the latter had published online and that was defamatory to family members. The Authority stated that, in order to remove from the web an article by a deceased person, there must be a real interest to be protected and no relevant reasons that conflict with the removal of the writing. The Authority considered the erasure request that the son submitted to the website hosting the article to be unfounded, as there was no evidence that the de cuius actually wished to delete or modify the content of the writing; it considered it necessary instead to safeguard the article as historical evidence of the life of the deceased and an expression of his free thought. Moreover, during his life the deceased had never expressed the need to avail himself of the right to be forgotten and had, on the contrary, reiterated several times the views collected in the article.
However, the Authority has decided that, given that sixteen years have passed since the publication of the article and six years have passed since the death of the author, the manager of the web site should not make the article available through external search engines, in order to balance the need to preserve the writing with the interest of the relatives mentioned in it.
Even more recently, the Court of Milan had to deal with a question concerning the right to the protection of the personal data of the deceased. The case concerned a request by the parents of a minor, who died following a car accident, to access their son's data stored on the Apple cloud, since the smartphone had been destroyed in the fatal crash, in order to try to ease the pain of the loss.
Apple refused access, invoking its duty to protect the identity of third parties in contact with the boy, as well as the safety of its customers, and stipulating that, for the data to be provided, the parents would have to become "agents" of the deceased and formal bearers of a "legitimate consent", according to the American Electronic Communications Privacy Act.
The parents of the deceased lodged an appeal with the Court of Milan under articles 669 bis and 700 of the Italian Code of Civil Procedure, requesting, as a precautionary measure, that Apple be ordered "to provide assistance in recovering personal data from the accounts of the deceased". The company, although duly summoned, remained in default.
The Court granted the applicants' request, finding that the urgency typical of precautionary protection was present, since in the case in question there was a risk that the data stored in the cloud would be deleted, as is Apple's widespread practice.
In relation to the right of parents to access the personal data of the deceased, the Court recalled the importance of Legislative Decree no. 101/2018 in the post mortem protection of personal data, reaffirming that the rights concerning the personal data of deceased people can be exercised "by those who have their own interest, or act to protect the person in question, as their agent, or for family reasons worthy of protection". Since no prohibition by the young man on the exercise of rights related to his post-mortem personal data was found, the Court found the existence of the "family reasons worthy of protection" required by art. 2-terdecies, both by virtue of the "existing bond between parents and children" and the desire of the applicants "to recover part of the images relating to the last period of life" of their young son and "to carry out a project that, also through the collection of his recipes, can keep alive the memory".
Also important in this case was the Court's observation regarding the requirements set by Apple for access to the deceased's data: those requirements are far different from the ones provided for by our legal system, and therefore the company's claim to "subordinate a right provided for by our system to conditions that are completely extraneous to the rules governing the case is illegitimate".
It was noted, in relation to Apple's requests, that only the company can know if "the deceased is the owner of all the accounts associated to the Apple ID", and recalled that Italian law does not contemplate the role of "administrator or legal representative of the heritage of the deceased" nor, even less, that of "agent" of the deceased, as mentioned by Apple in the reasons for the refusal of access to the cloud of the deceased.
This is an important ruling because it opens the possibility that Apple will take Italian/European legislation on access to and protection of personal data into account in making its own determinations, modifying its own policy, as already done, for example, by Facebook.
 
Conclusions
The link between the right to be forgotten, digital identity and personal data protection lies in counting the right to be forgotten among the rights of the personality: it is therefore considered a personal right, aimed at affirming and guaranteeing needs of an existential nature. It is a right that belongs to man/woman as such and that, therefore, does not disappear at the moment of the death of the holder of the right itself.