Authored By: Tahyat Azhary
Newcastle University
The dead have never had more of a presence. Social media algorithms surface memories of the deceased, AI can now recreate their voice from a handful of recordings, and startups offer to build a chatbot from a lifetime of messages. The law, meanwhile, still treats your digital identity as either a contractual arrangement or a piece of property. Neither model is adequate for what digital life has become and neither does anything to protect the person it claims to represent.
Introduction
In the twenty-first century, death no longer marks the end of a person’s presence in the world. Social media profiles continue to gather comments years after their owners have died, algorithms surface old photographs on anniversaries, and artificial intelligence can now recreate a person’s voice, likeness, and conversational patterns from the data they left behind. This phenomenon, broadly described as the “digital afterlife”, raises profound legal questions that existing frameworks have so far failed to answer coherently.
The problem is not a shortage of law. It is the wrong kind of law being applied to the wrong kind of problem. In the United Kingdom and European Union, data protection regimes protect only the living. Succession law struggles to classify digital identity, which does not fit neatly into the category of heritable property. Meanwhile, the terms of service drafted by private platforms unilaterally, and without democratic accountability, typically determine what happens to a person’s digital remains: whether their accounts are memorialised, deleted, or passed to the people they trusted most. The rise of AI-generated avatars and so-called “griefbots,” which are chatbots trained on a deceased person’s messages to simulate conversation with them, complicates matters further. It enables the replication of the dead on a commercial basis and without any requirement of prior consent.
This article argues that existing legal frameworks fail to protect digital identity after death because they treat online personhood as a matter of property or contract rather than an extension of human dignity. A rights-based model, one that recognises posthumous digital personhood as a coherent legal category, is necessary to regulate three distinct problems: the inheritance of digital identity, the exercise of platform power over the deceased, and the use of AI to replicate people after their deaths.
The Digital Afterlife
Before addressing what the law should do, it is worth being precise about what it is dealing with. “Digital afterlife” is a broad term, and the legal questions it raises differ sharply depending on which aspect of it is being considered. Three categories of posthumous digital material require distinct treatment: digital assets, personal data, and digital identity.
Personal data is a more complicated category. It includes emails, messages, search histories, health data, and the vast accumulation of behavioural records generated by daily digital use. Critically, under the GDPR and UK GDPR, personal data belongs to a regime built around the living: Recital 27 of the GDPR explicitly declines to extend its protections to deceased persons, leaving member states free to make their own provision, though very few have done so substantively.[1] This exclusion reflects a design choice rather than a principled conclusion. It means that the data people generate in life effectively falls off a legal cliff the moment they die.
Digital identity is the category that defies both of the above frameworks and is the principal concern of this article. It encompasses a person’s online persona: their social media presence, their voice recordings, their photographs, the conversational patterns encoded in years of messages, and the likeness that can now be reconstructed by AI from that aggregated data. This is not property in any meaningful sense. It is not detachable from the person it represents. It is, to borrow the formulation of legal scholar Edina Harbinja, a posthumous expression of the self.[2] The question is whether the law is capable of treating it as such.
The Legal Vacuum
UK and EU Law
The starting point in both UK and EU law is that data protection ends at death. Recital 27 of the GDPR notes that its provisions do not apply to deceased persons, and neither the UK GDPR nor the Data Protection Act 2018 extends those protections posthumously. The result is that the extensive rights a person holds over their personal data during their lifetime (the right of access, the right to erasure, the right to object to processing) simply cease to apply when they die. Their data does not disappear; it remains on servers, continues to be processed, and can in some cases be used to train AI systems. The legal protection disappears.
There have been incremental legislative efforts. Germany has gone further than most EU jurisdictions: the Federal Court of Justice held in 2018 that a deceased person’s Facebook account could be inherited by her parents, treating the contractual relationship as transmissible under German succession law.[3] This is a more robust position than English law currently adopts, but it remains a contractual solution to what is fundamentally a rights problem. It asks what the platform agreed to, not what the deceased person was entitled to.
US Law
In the United States, the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA), adopted by the majority of states, provides a framework for fiduciary access to digital property after death. It allows executors and trustees to access certain digital assets but explicitly excludes personal communications unless the deceased person specifically authorised access in advance.[4] The Act’s instinct is sound: it recognises that different categories of digital material warrant different treatment. Its limitation is that it remains entirely within the property paradigm. It addresses what can be transferred; it does not address what must be protected. Digital identity is not within its scope at all.
California’s posthumous right of publicity under Civil Code §3344.1 offers a partial analogy: it extends certain likeness rights for seventy years beyond death, providing a basis for restricting unauthorised commercial use of a deceased person’s image or voice.[5] This is the most developed statutory recognition in any jurisdiction that something beyond property is at stake in digital identity. But it is framed as an economic right, available to the estate as a commercial asset, rather than a dignitary right enforceable in the interest of the deceased person’s integrity. The distinction matters when the question is not commercial exploitation but AI replication.
Platform Governance as Substitute Law
In the absence of meaningful legal rights, platforms have developed their own governance systems.
These are not rights. They are products. Each platform decides unilaterally what options to offer, on what terms, and reserves the right to change those terms at any time. They generate the appearance of control while preserving complete institutional discretion. And they are available only to users who proactively engage with them, a minority in every survey conducted on the subject. For the majority of users who die without having activated any of these settings, the platform decides everything: whether the account is deleted, archived, or memorialised; whether family members are given access; and whether the data is retained for commercial use.
Case Studies: What the Legal Vacuum Produces
The inadequacy of current frameworks is not merely theoretical. It produces real harm in identifiable cases, and examining those cases is necessary to understand why doctrinal reform matters.
The AI replication problem is both newer and more troubling. Services such as Project December and HereAfterAI allow users to create AI chatbots trained on the messages and social media content of deceased individuals, enabling survivors to simulate ongoing conversations with the dead.[6] These services operate entirely outside any regulatory framework. They require no consent from the deceased person, no authorisation from their estate, and no assessment of the psychological or dignitary implications of replicating a person’s personality for commercial use. That even living public figures have felt compelled to seek trademark protection against AI voice and likeness replication (Taylor Swift filed to trademark her voice and image in 2025 precisely because no statutory framework exists to prevent it) illustrates how inadequate existing intellectual property law is as a response to this technology. The problem is compounded after death, when no individual can take protective action at all.
Property, Privacy, and Personhood: The Theoretical Choice
The inadequacy of current law reflects a deeper theoretical choice made by default rather than design. Digital identity has been handled through the property model because property law was the nearest available instrument, not because anyone seriously argued that a person’s online persona is equivalent to their furniture. It is worth making the alternatives explicit.
The Property Model
The property model treats digital identity as an asset capable of being owned, transferred, and inherited. Its appeal is practical: property law provides established mechanisms for transmission, management, and dispute resolution. Its fundamental limitation is that it mischaracterises what digital identity is. Property can be separated from its owner without altering its nature. Digital identity cannot. A photograph, a collection of messages, a voice recording: these are constitutive of a person in a way that a bank balance is not. Treating them as property permits their commodification and their use in ways that bear no relationship to the person’s own wishes or values.[7]
The Privacy Model
A posthumous privacy model would extend data protection principles beyond death. Several jurisdictions have considered this: France’s Loi pour une République Numérique (2016) allows individuals to leave instructions about the use of their personal data after death, a modest but meaningful recognition that the interest in privacy does not terminate at the moment of death.[8] The limitation of the privacy model is that it is principally retrospective: it addresses how data should be handled, not the broader question of what a person’s digital identity means or how it should be protected as a matter of human dignity.
The Personhood Model
The personhood model, advanced by scholars including Harbinja, Floridi, and Edwards, holds that digital identity is an extension of the self and should be treated as carrying rights-based protections that reflect the dignity and autonomy of the person it represents.[9] This model has several advantages. It is coherent with the existing structure of human rights law, which recognises dignity and autonomy as values that do not depend entirely on biological life for their normative force. It provides a principled basis for distinguishing between uses of digital identity that the deceased person would have sanctioned and those they would not. And it addresses the specific problem of AI replication directly: a personhood model asks not whether a particular use is commercially permitted, but whether it respects the integrity of the person being replicated.
Proposed Reforms
Statutory Digital Wills
The most straightforward reform is the creation of a legal mechanism which allows individuals to record binding instructions for their digital identity after death. This is distinct from the optional tools currently offered by platforms. A statutory digital will would be legally enforceable, creating obligations on platforms and other data controllers to give effect to those instructions. It would operate alongside rather than instead of existing succession law, addressing the specific gap in provision for personal data and digital identity. The UK Law Commission’s 2023 report recommended steps in this direction; the government should legislate to implement them.
Posthumous Data Rights
The exclusion of deceased persons from data protection law should be partially reversed. Following the French model but extending it, individuals should hold a right to leave instructions about the use of their personal data after death, with those instructions binding on data controllers for a defined period; ten years after the date of death would be a reasonable suggestion. In the absence of instructions, a default framework should apply: data should not be used for commercial purposes without the authorisation of a designated representative, and personal communications should be presumed private unless the deceased person indicated otherwise. The extension of data protection to the deceased would not require radical revision of the GDPR. Recital 27 is a permissive exclusion, not a prohibition: it leaves member states free to legislate, and several have already done so to varying degrees.
Regulating AI Replication
The use of AI to replicate deceased persons requires specific legislation that the property and privacy models alone cannot provide. At minimum, consent requirements should be introduced: no AI-generated replica of a deceased person should be created or commercially deployed without prior authorisation, whether expressed by the individual during their lifetime or granted by a designated representative after death. This should apply to voice, likeness, and any system trained substantially on the deceased person’s personal data. The EU AI Act, which entered into force in 2024, regulates certain high-risk AI applications but does not address posthumous replication as a specific category.[10] Given the pace at which the technology is developing, the regulatory gap is widening faster than the legislative response.
Limiting Platform Power
The privatisation of posthumous digital governance to platforms is the most structurally significant problem and the hardest to remedy directly. At a minimum, platforms should be required to offer transparent, standardised options for posthumous account management and to give effect to users’ expressed wishes. The current position, in which platform terms of service function as the operative law governing digital identity after death, is untenable and should not be allowed to persist by legislative default. This requires either direct regulation of platform governance practices or the creation of statutory rights that override contractual terms, both of which are achievable within existing legislative competence.
Conclusion
The legal frameworks governing digital identity after death were not designed for the world they now operate in. They were borrowed from adjacent doctrines (property law, contract, data protection) because no bespoke framework existed, and they have been applied to problems they were never designed to solve. The result is a system in which platforms determine the fate of people’s digital remains, AI companies replicate the dead without consent, and grieving families litigate for years to obtain access to a loved one’s emails.
The argument of this article is that the current property model is not just inadequate. It is wrong. Digital identity is not property. It is an extension of the self, carrying dignity, autonomy, and meaning that do not disappear at the moment of death. A rights-based model recognising posthumous digital personhood is the principled response to that reality, and it is a response that existing legal instruments, including human rights law, data protection principles, and succession doctrine, can accommodate with targeted reform. The choice is not between the possible and the impossible. It is between action and continued avoidance of a problem that will not resolve itself.
References:
[1] Regulation (EU) 2016/679 (General Data Protection Regulation), Recital 27.
[2] Edina Harbinja, ‘Post-Mortem Privacy 2.0: Theory, Law, and Technology’ (2017) 31 International Review of Law, Computers & Technology 26.
[3] Bundesgerichtshof (Federal Court of Justice), 12 July 2018, III ZR 183/17; see also Liane Colonna, ‘Facebook Inheritance: The German Approach’ (2019) 27 International Journal of Law and Information Technology 142.
[4] Revised Uniform Fiduciary Access to Digital Assets Act 2015 (RUFADAA), ss 4–6.
[5] California Civil Code § 3344.1 (Astaire Celebrity Image Protection Act 1999).
[6] Joshua Barbeau, ‘I Talked to a Chatbot for Months — Here’s What I Learned About Grief and AI’ San Francisco Chronicle (San Francisco, October 2021); see also HereAfterAI <https://www.hereafter.ai> accessed 30 April 2026.
[7] Luciano Floridi, ‘The Ontological Interpretation of Informational Privacy’ (2005) 7 Ethics and Information Technology 185; Meg Leta Jones, ‘The Right to a Human Death’ (2018) 110 California Law Review 1.
[8] Loi n° 2016‑1321 pour une République Numérique (French Digital Republic Act 2016), art 63.
[9] Harbinja (n 3); Lilian Edwards and Edina Harbinja, ‘Digital Assets on Death’ in Lilian Edwards (ed), Law, Policy and the Internet (Hart Publishing 2019); Jeffrey Rosen, ‘The Right to be Forgotten’ (2012) 64 Stanford Law Review Online 88.
[10] Regulation (EU) 2024/1689 (EU AI Act), OJ L, 12 July 2024.





