Digital Ghosts: Legal Gaps in the Protection of Personal Data After Death in Nigerian and Comparative Jurisdictions.

Abstract

Digital technology has changed the way people live and die. E-mails, social media profiles, cloud storage, biometric records, and other digital footprints often outlive their creators. These digital ghosts raise complex questions of ownership, dignity, privacy and succession. Both the European Union’s General Data Protection Regulation (GDPR) and Nigeria’s new Data Protection Act 2023 (NDPA) provide robust frameworks for protecting the personal data of the living. Yet, neither instrument explicitly governs the handling of personal data after death. This article critically analyses the posthumous data protection vacuum under Nigerian law and contrasts it with selected comparative jurisdictions. It examines statutory provisions and recent cases in Nigeria, Germany, France, the United Kingdom and the United States, highlighting the lack of clarity regarding digital remains. The paper proposes legislative reforms, judicial interpretation and policy measures to safeguard the dignity and privacy of the dead while balancing the rights of surviving relatives and data controllers.

 Keywords: Data protection, posthumous privacy, digital estate, NDPA 2023, data governance, digital legacy, Nigeria.

 Introduction

The expansion of digital technology has given rise to a phenomenon in which a person’s electronic presence outlives their physical existence. Social media accounts, email archives, digital wallets, cloud‑stored documents and biometric records remain on servers long after the individual has died. These residual traces are often referred to as digital ghosts, the ongoing existence of a deceased person’s personal data in the digital sphere. Such data may reveal sensitive information about the deceased or living relatives and may carry economic, sentimental or reputational value.

Traditionally, the law presumed that privacy rights extinguish at death. However, in a world where data persists indefinitely, this presumption is increasingly untenable. Persistent digital profiles can be exploited for commercial gain, identity theft or misuse of a person’s image. Artificial intelligence systems may train on historical personal data, including the voices or likenesses of deceased individuals. Without clear legal rules, platform providers decide how long data is retained and who may access it. In the European Union, the GDPR excludes the data of deceased persons from its scope, leaving national laws to fill the gap. Nigeria’s NDPA likewise offers no explicit guidance on posthumous data, leaving families and courts uncertain about their rights and responsibilities.

 This article interrogates the legal lacuna concerning the protection of personal data after death. It begins by clarifying the concepts of digital ghosts and posthumous data, then analyses the GDPR’s framework and its limitations. This paper examines the NDPA and relevant Nigerian jurisprudence, compares approaches in other jurisdictions and highlights recent court decisions. Ethical and policy implications are considered before proposing reforms to bridge the gap between technological realities and legal protections.

 Conceptual Clarification: Digital Ghosts and Posthumous Data

Digital ghosts

Digital ghosts denote the persistent digital presence of individuals after death, social media profiles, emails, biometric templates, geolocation histories and other personal data that remain stored on servers. They arise because many online service providers preserve user data unless the account holder or their representative takes steps to delete it. Platforms such as Facebook and Google have introduced legacy contact or inactive account manager tools, allowing users to designate a person to manage or delete the account upon death. These tools, however, operate as contractual policies and depend on users’ proactive action during life; they do not impose legal duties on controllers to delete or transfer data after death.

Posthumous data

Posthumous data refers to personal information identifiable to a deceased individual that continues to be processed after their death, including sensitive personal data, biometric identifiers and communications metadata. The European Data Protection Supervisor notes that posthumous data may still affect reputations and reveal information about living relatives. Under the GDPR, personal data is defined broadly, but Recital 27 clarifies that the regulation does not apply to deceased persons; member states may adopt their own rules. Nigeria’s NDPA adopts a similar definition of personal data by focusing on any information relating to an identified or identifiable natural person[1]. This definition implicitly excludes data about the dead, creating uncertainty about whether and how such information should be governed.

The absence of explicit regulation leaves families and heirs uncertain about whether they can access the deceased’s digital assets. It also exposes the data of the dead to potential misuse for example, unauthorised access, impersonation, or training of AI models without consent. Scholars have argued that posthumous data implicates the dignity of the deceased, affects the privacy of surviving relatives and may have economic value. Recognising these values is essential to developing coherent legal responses.

The GDPR Framework and Its Limitations on Post‑Mortem Data

The GDPR is lauded as the world’s most comprehensive privacy regime. It defines personal data as “any information relating to an identified or identifiable natural person” (Article 4(1))[2] and grants data subjects rights such as access, rectification and erasure. However, Recital 27 expressly states that the GDPR does not apply to the personal data of deceased persons, leaving it to member states to regulate such data. This exclusion is rooted in the traditional view that privacy rights do not survive death, but it creates a regulatory vacuum in a digital context.

Divergent National Approaches Within the EU

Because the GDPR defers posthumous data regulation to national legislatures, member states have adopted divergent rules. France’s Loi Informatique et Libertés (as amended by the Loi n° 2016‑1321 for a digital republic) allows individuals to give instructions regarding the use of their personal data after death and permits heirs to exercise certain data‑subject rights[3]. Germany’s Federal Court of Justice (Bundesgerichtshof) ruled in 2018 that access to a deceased minor’s Facebook account forms part of the estate. The court held that the social‑network contract is inherited by heirs and they are entitled to access communications data, likening digital accounts to letters or diaries[4]. This decision recognised that digital assets are transferable and set a precedent for viewing social‑media contracts as part of inheritance law.

Other EU states, such as Spain and Italy, have yet to enact specific legislation on posthumous data, relying instead on general succession laws and platform policies. The lack of harmonisation creates uncertainty for cross‑border data controllers, especially when cloud‑hosted data may reside in multiple jurisdictions.

Gaps in the GDPR

The GDPR’s exclusion of the deceased poses several problems:

1. Identity and dignity: Even after death, personal data can be misused in ways that tarnish a person’s reputation or invade the privacy of their surviving relatives. Biometric identifiers or communications may be exploited for identity fraud or deepfakes; yet, there is no EU-wide duty to delete or anonymise such data.

2. Inheritance and access: Data‑subject rights under the GDPR lapse on death, leaving heirs without statutory authority to access crucial digital assets unless national laws provide otherwise. Families often encounter obstacles in accessing email or cloud accounts, as illustrated by the U.S. cases discussed below.

3. Controller obligations: Data controllers may continue processing or retaining the data of deceased users indefinitely. Without clear obligations to delete or anonymise posthumous data, platforms can profit from or repurpose the information without accountability.

 Legal scholars have urged the EU to revisit this exclusion. They argue that certain personality rights, such as dignity and informational self‑determination, should survive death and be exercisable by heirs or representatives. The European Data Protection Supervisor has called for a harmonised framework on digital legacy, recognising that technological developments challenge the assumption that privacy ends at death.

The Nigeria Data Protection Act 2023: Progress and Vacuums

Nigeria’s NDPA 2023 is modelled on the GDPR and replaced the Nigeria Data Protection Regulation 2019 (NDPR). It defines personal data as any information relating to an identified or identifiable natural person and enumerates sensitive personal data such as biometric and genetic information. The Act applies to data controllers and processors operating in Nigeria or processing personal data of data subjects located in Nigeria. Section 24 of the Act sets out the principles governing the processing of personal data. These include lawfulness, fairness and transparency, data minimisation, accuracy, purpose limitation, storage limitation, integrity and confidentiality, and they impose a duty of care on data controllers and processors to demonstrate accountability[5]. The NDPA also introduces legitimate interest as a lawful basis for processing, a concept absent from the NDPR[6].

GAID 2025 And Proposed Amendments

In April 2025, the Nigerian Data Protection Commission issued a General Application and Implementation Directive (GAID) to clarify how the NDPA should be applied. The GAID expands the obligations of data controllers and processors, particularly those of “major importance,” and introduces formal legitimate interest assessments for determining when legitimate interest can serve as a lawful basis for processing[7]. It also provides that where there is no specific time‑bound obligation for retaining data, personal data must be deleted within six months of fulfilling its original purpose, although data may be retained longer for legal defence or due diligence. While these provisions strengthen compliance and underscore the principle of storage limitation, they do not address the treatment of personal data after death. The directive leaves the question of whether death should be considered an end to the purpose of processing unanswered.

Around the same time, a bill to amend the NDPA was introduced in the Nigerian Senate. Sponsored by Senator Ned Munir Nwoko, the bill sought to require social‑media platforms and other data controllers to establish physical offices within Nigeria, with non‑compliance punishable by prohibition from operating in the country. Legal analysts observed that the NDPA is a privacy and data‑protection statute, not a platform‑regulation law, and criticised the proposal for conflating data‑protection compliance with corporate localisation[8]. The amendment effort illustrates Nigeria’s growing focus on digital‑platform accountability, but like the GAID, it offers no solution for posthumous data protection.

Silence on Post‑Mortem Data

Despite its comprehensive scope, the NDPA does not address the status of personal data after death. Section 2 of the Act limits its subject matter to living natural persons[9]. Unlike France, which allows individuals to set post‑mortem instructions for their data, the NDPA contains no provision for digital wills or legacy contacts. Consequently, Nigerian families seeking access to a deceased relative’s emails, social‑media accounts or digital assets have no statutory right to do so. Data controllers are not expressly required to delete or anonymise the data of dead users, nor to grant access to heirs. The omission becomes more problematic as Nigerians increasingly adopt digital platforms. Without guidance, platform policies govern the fate of the deceased’s data. For example, some social‑media providers may memorialise or delete accounts, but others may simply retain data indefinitely. The lack of clear legal obligations may expose the data of deceased Nigerians to misuse or exploitation.

Relevant Nigerian Case Law

Although no Nigerian case directly addresses posthumous data, recent decisions illustrate the courts’ evolving approach to data protection. In Incorporated Trustees of Digital Rights Lawyers Initiative & Others v National Identity Management Commission (2021), the Court of Appeal resolved conflicting high‑court decisions by holding that the constitutional right to privacy under section 37 of the Nigerian Constitution includes data protection rights[10]. The court emphasised that the NDPR (and by extension the NDPA) serves as a legal instrument safeguarding privacy. While the case concerned a living individual challenging a fee imposed to correct his date of birth on a national identification record, it affirmed the judicial recognition of data‑protection rights as part of constitutional privacy. However, the decision did not discuss data rights after death.

In another case, Incorporated Trustees of Digital Rights Lawyers Initiative v Unity Bank Plc (2020), the Federal High Court held that a data subject must first approach the Administrative Redress Panel established under the NDPR before instituting an action for enforcement. The court concluded that Article 4.2 of the NDPR created a condition precedent to filing a data‑protection suit, and failure to comply deprived the court of jurisdiction[11]. The ruling reflects procedural hurdles for data subjects, but again it did not address the rights of deceased persons. These cases indicate that Nigerian courts are beginning to recognise data protection as a fundamental right. However, they also reveal procedural gaps and the absence of jurisprudence on digital remains.

Comparative Jurisdictions

United Kingdom

Post‑Brexit, the United Kingdom retained the GDPR under the UK Data Protection Act 2018 (often called the UK GDPR). Like the EU GDPR, it excludes deceased persons. Notable UK case law on data protection includes Lloyd v Google LLC (2021), where the Supreme Court held that representative actions for damages under the Data Protection Act require proof of material damage or distress, limiting class‑action style claims. Although the case did not involve posthumous data, it underscores the courts’ cautious approach to novel privacy claims and the importance of establishing quantifiable harm.

Another significant UK decision is NT1 & NT2 v Google LLC (2018), the first English case applying the “right to be forgotten.” The High Court ordered Google to delist search results relating to a spent conviction for one claimant but refused the other’s request. The judgment balanced privacy against freedom of expression and public interest. While not about the deceased, it demonstrates judicial willingness to consider erasure rights where data retention is no longer justified.

United States

The United States lacks a comprehensive federal privacy law; regulation is sector-specific and state‑based. Two cases illustrate the challenges of post‑mortem data:

• Estate of Justin Ellsworth v Yahoo! Inc. (2005) – A Michigan probate court ordered Yahoo to release the emails of Lance Corporal Justin Ellsworth, who died in Iraq. Yahoo’s terms of service stated that accounts were non‑transferable and terminated upon death[12]. The court nevertheless compelled Yahoo to provide the emails on a CD, though it did not transfer account access or the password[13]. The case showed how provider contracts can conflict with families’ interests and highlighted the absence of statutory rules.

• Ajemian v Yahoo! Inc. (2017) – The Massachusetts Supreme Judicial Court held that the federal Stored Communications Act does not prohibit Yahoo from disclosing the contents of a deceased user’s emails to the personal representatives of the estate[14]. The court remanded the case to determine whether Yahoo’s terms of service constituted an enforceable contract and noted that fiduciary access may be granted when consent is obtained through wills or state legislation. This decision, together with the Uniform Fiduciary Access to Digital Assets Act (UFADAA) and its revised version (RUFADAA) adopted in many states, reflects a growing recognition of fiduciary rights over digital assets.

These cases illustrate the contractual nature of digital services in the U.S. and the tension between privacy rights and estate administration.

Germany

Germany has been at the forefront of recognising digital legacy within inheritance law. In 2018, the Federal Constitutional Court ruled that a deceased teenager’s Facebook account formed part of her estate and must be accessible to her mother. The court held that the contract with the social network is transferable to heirs and that heirs have a claim for access to the account, including communications data[15]. This decision likened digital accounts to diaries or letters, emphasising that the privacy of the deceased does not override the inheritance rights of relatives. The ruling provides clear guidance on post‑mortem data ownership and has been influential in European discussions.

France

France has adopted explicit rules on posthumous data. Under Article 40‑1 of the amended Loi Informatique et Libertés, individuals may give instructions regarding the retention, deletion or communication of their personal data after death. In the absence of such instructions, heirs may request the provider to take necessary measures to close accounts. France thus provides a statutory mechanism for digital wills and recognises that data remains part of a person’s estate.

South Africa

South Africa’s Protection of Personal Information Act 2013 (POPIA) regulates personal data but, like the GDPR, does not address the data of deceased persons. The Act protects living individuals’ personal information and allows for specific sectoral rules, such as the confidentiality of health records. The absence of a general post‑mortem data policy mirrors the situation in Nigeria.

Recent Cases: Highlighting the Legal Vacuum

Several cases across jurisdictions underscore the complexity of posthumous data:

• Bundesgerichtshof (Germany) 2018 (VI ZR 124/18) – The court held that Facebook must provide a mother access to her deceased daughter’s social‑media account because the contract forms part of the estate[16].

• Estate of Justin Ellsworth (USA 2005) – Yahoo was ordered to produce a copy of a deceased marine’s emails despite its contractual terms declaring the account non‑transferable[17].

• Ajemian v Yahoo! Inc. (USA 2017) – The Massachusetts Supreme Judicial Court held that the Stored Communications Act does not bar disclosure of emails to estate representatives and remanded the case to assess the enforceability of terms of service[18].

• Digital Rights Lawyers Initiative v NIMC (Nigeria 2021) – The Court of Appeal affirmed that the constitutional right to privacy includes data protection rights[19]; though not about deceased persons, the case strengthens privacy jurisprudence in Nigeria.

These cases demonstrate courts grappling with the interplay between contractual terms, privacy rights and inheritance law. They reveal a trend toward recognising some form of digital succession while emphasising the need for legislative clarity.

 Ethical and Policy Considerations

The persistence of digital ghosts raises ethical questions beyond legal ownership. Should an individual’s consent given during life extend after death? Who should decide whether to delete or preserve a deceased person’s data: their family, the platform provider or an executor appointed in a will? Balancing privacy and access becomes delicate when communications may reveal sensitive information about third parties or living relatives.

From a policy perspective, posthumous data may carry economic value. Digital photographs, unpublished manuscripts, cryptocurrency keys or patents may be part of an estate. Conversely, data may be used for research or AI training without benefiting the estate. Policymakers must weigh the rights of heirs against broader public interests such as freedom of expression and historical memory. There is also the issue of data minimisation, a core principle under the GDPR and NDPA. Once the purpose for which the data was collected has ended, continuing to store the information may violate storage‑limitation principles. Death arguably terminates the purpose of many data processing activities. Without clear rules, data controllers may either delete valuable information prematurely or retain data indefinitely.

Recommendations

1. Legislative amendment in Nigeria: The NDPA should be amended to address the handling of personal data after death. Legislators could adopt provisions similar to France’s Article 40‑1, allowing individuals to leave instructions regarding their digital assets and enabling heirs or appointed digital executors to access or delete accounts. Such provisions should recognise both privacy and succession principles.

2. Digital wills and executors: Nigerian law should recognise digital wills or clauses in existing wills that specify how digital assets and data should be managed. This approach would align with initiatives like the Revised Uniform Fiduciary Access to Digital Assets Act in the United States, which provides a legal basis for fiduciaries to access digital assets.

3. Regulatory guidance: The Nigerian Data Protection Commission (NDPC) should issue guidelines on posthumous data processing. These could require data controllers to verify death notifications, provide options for account deletion or memorialisation, and specify retention periods. Platforms operating in Nigeria should be mandated to inform users about their legacy options and to implement accessible tools for managing digital legacy.

4. Judicial interpretation: Nigerian courts should interpret the constitutional right to privacy and the NDPA in a manner that protects the dignity of the deceased. Borrowing from German jurisprudence, courts could recognise that digital accounts may be part of an estate and allow heirs to access them, subject to safeguards for third‑party privacy.

5. Public awareness: Awareness campaigns should encourage individuals to plan their digital legacy, including designating legacy contacts, drafting digital wills and understanding platform policies. Legal practitioners should incorporate digital assets into estate planning.

6. International cooperation: Given the cross‑border nature of digital data, Nigeria and other jurisdictions should participate in regional and international initiatives to develop harmonised standards for posthumous data. Collaboration with organisations such as the African Union could produce model laws addressing digital legacy and cross‑border data transfers.

 Conclusion

The digital revolution has created a new frontier where personal data outlives its creator. Neither the GDPR nor Nigeria’s NDPA provides clear rules on what happens to personal data after death. This regulatory gap leaves the dignity and privacy of the deceased vulnerable and burdens families with uncertainty. Comparative experiences show that courts are beginning to recognise digital inheritance, but without legislative frameworks, decisions remain inconsistent. Nigeria, as a major digital hub in Africa, has an opportunity to lead by enacting laws that respect both privacy and inheritance. Doing so would ensure that digital ghosts are treated with the dignity they deserve and that the rights of the living and the dead are appropriately balanced.

[1] Staying Ahead of The Curve: Navigating Nigeria’s Data Protection Compliance Landscape – Pavestones Legal https://pavestoneslegal.com/staying-ahead-of-the-curve-navigating-nigerias-data-protection-compliance-landscape/

[2] The Nigerian Data Protection Act 2023 defines personal data as any information relating to an identified or identifiable natural person and does not mention data of the deceased.

[3] Under France’s amended Loi Informatique et Libertés, individuals may give instructions for the use of their personal data after death, and heirs may request necessary measures to close accounts.

[4] Grieving parents can inherit their late daughter’s Facebook account, Germany’s top court finds | South China Morning Post https://www.scmp.com/news/world/europe/article/2155027/grieving-parents-can-inherit-their-late-daughters-facebook-account

[5] The NDPA enumerates principles such as lawfulness, fairness and transparency, data minimisation, accuracy, purpose limitation, storage limitation, integrity and confidentiality.

[6] The Nigeria’s Data Protection Act 2023: A Look at Key Provisions – Lexworth Legal Partners https://www.lexworthlegal.com/the-nigerias-data-protection-act-2023-a-look-at-key-provisions/

 [7] Key Updates from the Nigeria Data Protection Act – General Application and Implementation Directive 2025 https://www.afriwise.com/blog/key-updates-from-the-nigeria-data-protection-act---general-application-and-implementation-directive-2025

[8] Nigeria’s Data Protection Act is Not a Catch-All Tool - Tech Policy Advisory https://techpolicyadvisory.com/nigerias-data-protection-act-is-not-a-catch-all-tool/

[9] Staying Ahead Of The Curve: Navigating Nigeria’s Data Protection Compliance Landscape – Pavestones Legal https://pavestoneslegal.com/staying-ahead-of-the-curve-navigating-nigerias-data-protection-compliance-landscape/

[10] The Court of Appeal in Incorporated Trustees of Digital Rights Lawyers Initiative & Ors v NIMC held that the constitutional right to privacy includes data protection rights.

[11] In Digital Rights Lawyers Initiative v Unity Bank Plc, the Federal High Court held that failure to approach the Administrative Redress Panel before filing a data‑protection action divests the court of jurisdiction.

[12] The case of Estate of Justin Ellsworth v Yahoo! illustrates conflict between terms of service and family access; Yahoo’s contract declared accounts non‑transferable and terminable at death.

[13] but a probate court ordered the release of emails.

[14] In Ajemian v Yahoo! Inc. the Massachusetts Supreme Judicial Court held that the Stored Communications Act does not bar disclosure of a deceased person’s emails to estate representatives and remanded to consider the enforceability of terms of service.

[15] Germany’s Federal Constitutional Court ruled that a deceased teenager’s Facebook account formed part of the estate and that the user contract is inheritable.

[16] Grieving parents can inherit their late daughter’s Facebook account, Germany’s top court finds | South China Morning Post https://www.scmp.com/news/world/europe/article/2155027/grieving-parents-can-inherit-their-late-daughters-facebook-account

[17] Illinois attorney blog by Richard A. Magnone: The Ellsworth Case with Yahoo! https://illinoisattorneyblog.blogspot.com/2010/11/ellsworth-case-with-yahoo.html

[18] Fiduciary access to digital assets in Massachusetts: Ajemian v. Yahoo! and the path forward https://www.massbar.org/publications/ejournal/ejournal-article/section-review-2018-january-february/section-review-fiduciary-access-to-digital-assets-in-massachusetts-ajemian-v.-yahoo!-and-the-path-forward

[19] The European Data Protection Supervisor has called for a harmonised framework on digital legacy and noted that posthumous data may affect the privacy of relatives and the reputation of the deceased.