Authored By: Sujal Vasant Jain
Vidyavardhaka Law College, Mysore
ABSTRACT
This article discusses the status of posthumous digital rights in India, in the context of Section 14 of the Digital Personal Data Protection Act, 2023 (‘DPDP Act’). The law has been lagging behind as people build up their digital selves through social media, profile data, AI-generated avatars, virtual assets, and more, and wonder what happens to them when they die. Based on comparative approaches in the European Union, United States and United Kingdom, the article concludes three main lessons: the autonomy of the individual governs posthumous management of their data; the right of publication must be extended after the individual’s death to AI-generated likenesses; and international cooperation is necessary for cross-border enforcement. The article analyzes the section 14, and pinpoints its major shortcomings and suggests a feasible reform strategy.
Posthumous data rights, digital estate, DPDP Act 2023, Section 14, digital will, right of publicity and AI avatars.
INTRODUCTION
There is a secret weirdness about the death of a person in the age of the internet. Internet accounts still exist, email archives are still waiting for use, and, more and more, an AI that knows the person’s voice and style of writing responds to the world. The ‘digital estate’— emails, photos, social media accounts, files stored in the cloud, AI-generated models, and online intellectual property— has created an asset class for which succession law was never intended. These assets don’t depreciate, they’re stored on servers in various jurisdictions, and contractual agreements give discretion to the companies operating the platforms. If there is no statute in place, those terms of service are the only laws that count.
The main issue is whether the passing away of the individual gives rise to a “digital identity” that should be legally protected, and who should have the authority to assert it on their behalf? India’s response to the DPDP Act is, at best, half-hearted. Although the digital identity adds ‘economic, emotional and cultural value’, the law’s lack of provisions with regard to posthumous identities exposes them to misuse, technological exploitation and jurisdictional conflicts. The article introduces the concept of the digital persona, explores comparative concepts, analyzes the Section 14, and recommends amendments.
Now, the Digital Persona and Digital Death are introduced.
Identity in the digital world has become multifaceted and different than a generation ago. The key elements of personal identification data — names, photos, biometric identifiers — tie an online identity to a recognisable person are at the base. On top of that is expressive content: writing, video and creativity built up over years on the platform. A third layer is behavioural and predictive: every purchase, every browsing then every communication employed to build up algorithmic profiles of the individual. The most complicated is the AI avatar. Machine learning enables the development of digital persons that mimic a human voice and voice of command, and can even learn from the deceased. This is truly new: a semi-autonomous persona that doesn’t fit into any legal category in terms of consent and authorship.
Digital death, by legal definition, is not the end of life but the more complicated situation where digital identity lives on, is repurposed, or falls apart after death. Digital information does not decompose, as does physical property. If not controlled by statute, platforms will effectively be self-regulated arbiters of digital estates, making unilateral decisions about their preservation, deletion and monetisation. The consequences of these are tangible: deepfakes for fraud, voice synthesis for impersonation, and unauthorized use of a deceased person’s face for commercial purposes.
III. COMPARATIVE FRAMEWORKS
The European Union
Deceased individuals are not covered by GDPR and member states must enact laws accordingly. France is the most advanced. The Loi pour une République numérique allows people to make binding advance instructions for the management, deletion or disclosure of their personal data upon their death. In Germany, by contrast, social media accounts are considered to be transfers of assets to the heirs in accordance with general rules of succession. The patchwork shows the quick pace at which platform-to-platform solutions become outdated.
The United States
The U.S. has dealt with posthumous digital rights mostly with the Revised Uniform Fiduciary Access to Digital Assets Act (‘RUFADAA’) which has been enacted in most states. The priority of RUFADAA is based on a hierarchy of user instructions through an online tool, followed by provisions, then platform terms. The ordering doesn’t regard platform contracts as primary source of posthumous rights. A number of states have established “posthumous publicity rights” that give the portrayal of dead people fixed durations of protection.
The United Kingdom
The UK GDPR doesn’t apply to deceased persons, and no such concept as the French model exists. The Law Commission has admitted the digital assets law is confused and there are consultations in progress to reform it. The example from the UK shows that even a well-developed common law system has not been able to answer these questions — and not by chance, as it is a real challenge.
The DPDP ACT is the framework of India.
The Nomination Mechanism
Section 14 is the most explicit tackling of what happens to personal data after the death or loss of that person. It allows a Data Principal to designate a trusted person to have certain rights (access, correction, erasure, and grievance redressal) after his death or incapacitation. The proposed DPDP Rules, 2025 will mandate that Data Fiduciaries establish nomination mechanisms that are easily accessible. The mechanism is a conscious break from the long-held judicial doctrine that rights to privacy, publicity, and personality are rights that end at death. The nominee does not get proprietary rights to the data, only the authority to manage and, if necessary, destroy the data according to the Data Principal’s wishes. The correspondence with a digital executor is apt; the problem is that Section 14 is much from an adequate framework.
Structural Deficiencies
The first is that there is no compulsion. The Act does not include a default when there is no nomination made (and most Data Principals will not, as most people will not make a will). Data is collected and/or inaccessible to those with a lawful interest. This is the main drawback which is in sharp contrast to the statutory hierarchy of RUFADAA.
Secondly, there is no limitation on posthumous rights in Section 14. It does not indicate when or for how long such rights can be exercised. This vagueness is hard to justify in the light of U.S. laws requiring periods of ten to one hundred years for post-mortem and French laws which envision defined periods.
Thirdly, there is a sharp territorial divide. The majority of the personal information of Indian users is kept on American and European servers, which have their own set of rules as it happens posthumously. Section 14 is silent on whether a nominee’s jurisdiction is granted over data located outside of the country, or what happens if the foreign platform refuses to accept the jurisdiction.
Fourth, the range is more limited than it seems. Section 14 relates to personal data, but the most commercially valuable aspects of a digital estate – cryptocurrency wallets, virtual assets, subscription services, online intellectual property – are not in any obvious way personal data. RUFADAA does not apply to this entire spectrum, as does Section 14. Current succession rules also do not acknowledge digital assets as assets that can be inherited.
Fifth, Section 14 does not require any procedure to be followed to verify anything: there is no requirement to prove death, to verify the identity of a nominee, no procedure for dealing with competing claims. There are opportunities for fraud in these omissions which are not closed by the present text.
CROSS-CUTTING CHALLENGES
The deficiencies in Section 14 are exacerbated by structural issues which can only be addressed through a combination of provisions. The greatest problem is jurisdictional fragmentation: the enforcement of rights against globally operating platforms necessitates bilateral or multilateral arrangements which are not in place at the moment in India. Technology is outpacing the legislation as well. A fiduciary nomination mechanism is not intended to protect against harm arising from the use of AI holograms, deepfakes and voice synthesis in fraud. The architecture of section 14 is one of asset management – the harms that are created by digital resurrection technology need specific and targeted prohibitions with extraterritorial application. The framework must also account for the real conflicts between the wishes of the deceased and those of the surviving family and the interests of historical preservation, and allow for a range of legislative judgments.
REFORM PROPOSALS
Statutory Recognition
The voluntary nature of Section 14 can only be addressed through more detailed and thorough statutory protection, either by amendment to the DPDP Act or by a special Act on Digital Succession. It should be afforded for a limited time (a better starting point would be 20 years) to the name, image, likeness, voice, and personal data of an individual. The legislation should provide a default prioritization of authorized persons similar to RUFADAA, in order to avoid a legal “no man’s land” for digital data in the absence of planning.
Digital Wills
The Digital Will should be considered a legally binding document in India, allowing the individuals to dictate how their digital accounts, personal information, and online content are to be accessed or transferred, memorialized, or deleted. These instruments should have the formal characteristics required to be applicable to testamentary documents, and should be registrable in a national digital estate register centrally maintained, and accessible to platforms and the foreign authority in the event of enforcement.
Digital Estate Executor
The Section 14 nominee is to be rethought as a proper Digital Estate Executor with clearly defined fiduciary obligations. Unlike succession law, drawing on trust law allows for trust-based obligations of loyalty and care without proprietary rights to personal data. Digital accounts, IP, virtual assets and data management should all be covered by the mandate. When there is no nomination, it is important to provide for court-appointed executors.
Posthumous Right to Erasure
The law needs to include a posthumous erasure right for authorised representatives to apply for the deletion or anonymisation of a deceased’s personal data if there was no consent to the use of it for retention. That right shall be qualified to allow for legitimate public interests in historical preservation and research, but exceptions shall be specifically identified, rather than left to the ad hoc actions of platforms or courts.
Cross-Border Enforcement
The territorial problem can’t be solved at home. India should explore bilateral and multilateral options that include mutual recognition of executor authority and processes for platform compliance, as well as for data localisation in the context of posthumous scenarios. The current EU negotiation on data adequacy offers a natural means to embed posthumous Data Governance.
Regulations on the misuse of technology
Statutory bans on deepfakes, AI-generated likenesses and synthetic voices, as well as on digitally reconstructed identities of dead persons, should be targeted. There should be meaningful penalties and there should be provisions in these prohibitions that are extraterritorial, similar to what is already in the Information Technology Act. Bans that could not be imposed on foreign platforms are no use, and the precedent of imposing bans on platforms has been set and should be followed here..
VII. CONCLUSION
The DPDP Act has made a helpful first step to recognising that a person’s digital identity doesn’t stop when they die. The choice to give agencies a measure of control over post-mortem data, rather than relinquish the well-established judicial rule that privacy rights are personal, is found in Section 14. That’s not just nothing — but not enough. It is voluntary, has no time limit, does not mention foreign servers, applies to personal data only, and has no procedural protections.
The reforms suggested here, which include statutory recognition, Digital Wills, appropriate executors, a posthumous right to erasure, cross-border arrangements and bans on technological exploitation, need to be able to be seen as a unified system. The stakes are not technical, but rather related to dignity, identity, and how much control a person has over their story after their death, as it pertains to digital rights. The more commercially appealing and feasible digital resurrection becomes with the help of Artificial Intelligence, the more expensive the decision to not do so will be. India has the comparative models, constitutional underpinning, and legislative opportunity to respond with something durable.
REFERENCE(S):
Statutes and Cases
Digital Personal Data Protection Act, No. 22 of 2023 (India).
Information Technology Act, No. 21 of 2000 (India).
Indian Succession Act, No. 39 of 1925 (India).
Council Regulation 2016/679, 2016 O.J. (L 119) 1 (GDPR).
Loi n° 2016-1321 du 7 octobre 2016 pour une République numérique, J.O., Oct. 8, 2016.
Revised Uniform Fiduciary Access to Digital Assets Act (Unif. Law Comm’n 2015).
Deepa Jayakumar v. A.L. Vijay, O.S.A. No. 75 of 2020 (Mad. H.C. 2021).
Krishna Kishore Singh v. Sarla A. Saraogi, 2023 SCC OnLine Del 2243.
Secondary Sources
Swarup Mukherjee, Digital Death: Legal Rights of Digital Avatars and Posthumous Data, 12 Int’l J. Innovative Rsch. in Tech. 6806 (2025).
Posthumous Personality and Data Protection, 13 Int’l J. Creative Rsch. Thoughts b728 (2025) (IJCRT2509210).
Law Commission of England and Wales, Digital Assets: Final Report, Law Com. No. 412 (2023).
