The Digital Afterlife: Who Protects the Data of Fetuses and the Deceased?
The GDPR protects natural persons. But what happens to the data of those who are not yet — or are no longer — considered such? From prenatal genomic sequencing linked to the mother's medical record to medical data that continues to circulate after death, digital law reveals its blind spots. Recent leaks from UNSS and Cegedim Santé have highlighted the urgency of these issues. This is an overview of a grey area where ethics and GDPR compliance clash.

While recent massive leaks from UNSS and Cegedim Santé have exposed the flaws in our current security, a darker question is emerging in courtrooms and laboratories: what happens to the data of those who are not yet — or are no longer — considered "natural persons" by law? Between a legal void for the unborn child and a "digital will" for the deceased, we delve into the heart of a grey area where ethics and technology collide.
The General Data Protection Regulation (GDPR) is clear: it protects "natural persons." But this seemingly simple definition becomes a real headache when it encounters the two ends of life.
The Fetus: Data Without a Data Subject?
This is one of the most troubling aspects of current digital law. Legally, in France, legal personality is acquired at birth, provided the child is born alive and viable. Before that, the fetus is not a "data subject" in the sense of the GDPR. Yet modern science generates terabytes of data concerning it: genomic sequencing, high-resolution 3D ultrasounds, and prenatal screening (NIPT).
If the fetus is not a person, to whom does this data belong? Today, it is legally linked to the mother's medical record. But what happens when this data reveals a future pathology of the child? In the Cegedim Santé case, millions of lines of medical comments were leaked. Among them were pregnancy reports. Here, the risk is twofold: the exposure of the mother's privacy, but also the digital "tagging" of the child even before its first cry. Could an insurance company, 20 years from now, use leaked fetal data from today to adjust a premium?
The "Digital Ghost": Data Survival After Death
Contrary to popular belief, the GDPR ceases to apply upon death. The European regulation does not apply to deceased persons. However, France, through the Lemaire Law of 2016 (Law for a Digital Republic), has established a unique framework in Europe.
What the law says (Article 85 of the French Data Protection Act)
Any person can define "post-mortem directives." You can decide on the erasure, retention, or communication of your data after your death. In the absence of such directives, your heirs have only a limited right: they can access the data only if it is necessary for the "settlement of the estate" or to protect the memory of the deceased.
A practical case: imagine a patient who was a victim of the Cegedim data breach and dies shortly after. Their medical data continues to circulate on the Dark Web. Can the heirs demand its deletion? Yes, but the process is an administrative obstacle course if nothing has been anticipated.
In practice: paradoxical everyday situations
In our daily lives, this legal distinction creates paradoxical situations:
- The Shared Medical Record (DMP): upon the patient's death, the record is closed, but the data is retained for 10 years. Without clear instructions, your loved ones could be denied access to crucial information (e.g., genetic history).
- Recreational DNA tests: you provide your saliva to a platform. You pass away. Your genetic data (which also concerns your children and unborn fetuses) remains the commercial property of the platform if your data deletion clauses have not been activated.
Securing medical data: strategic levers for professionals
For healthcare professionals, managing data related to pregnancies and deceased patients is a critical responsibility. Recent news (UNSS, Cegedim) shows that the weakest link is often data retention periods.
Strategic levers to implement
- The specific Data Protection Impact Assessment (DPIA): for prenatal data, a DPIA must assess the risk of future discrimination against the child.
- Post-mortem access management: institutions must establish clear protocols for requests from legal beneficiaries to prevent leaks through social engineering.
- End-to-end encryption: whether the patient is born or not, health data must be unreadable to anyone who is not the legitimate recipient.
Conclusion: Ethics beyond the law
Protecting the data of fetuses and deceased individuals reminds us that privacy is not just a legal rule for the living; it's about respecting human dignity over the long term. As data breaches accelerate, we must no longer just protect "users," but entire family lineages.
For businesses, compliance doesn't end when a customer leaves your active database. It continues in how you manage their digital legacy.
FAQ — Frequent questions about data protection for fetuses and deceased persons
Does the GDPR protect the data of deceased persons?
No. The GDPR applies only to living natural persons. In France, the Data Protection Act (Article 85, stemming from the 2016 Lemaire Law) governs post-mortem data, allowing any individual to define directives regarding the fate of their data after their death.
What are "post-mortem directives" and how can they be implemented?
Post-mortem directives allow any individual to decide, during their lifetime, on the erasure, retention, or communication of their personal data after their death. They can be registered with a trusted digital third party or directly with the platforms concerned. In the absence of such directives, heirs have very limited rights.
Are a fetus's genetic data protected by the GDPR?
Not directly. As a fetus does not have legal personality under French law, its data are linked to the mother's medical record. They benefit from the protection granted to sensitive health data, but without the unborn child itself being a "data subject" in the sense of the GDPR.
What can heirs do in the event of a data breach involving a deceased person's medical data?
Heirs can request the erasure or restriction of processing of the deceased's data, but only under strict conditions: necessity for the liquidation of the estate or protection of the deceased's memory. Without advance directives, the process is long and complex. It is therefore highly recommended to anticipate these situations via a digital will.
What is a DPIA and why is it mandatory for prenatal data?
A Data Protection Impact Assessment (DPIA) is a mandatory evaluation for processing operations likely to result in high risks to individuals' rights and freedoms. For prenatal data, a specific DPIA is necessary to assess, in particular, the risk of future discrimination against the child based on genetic or medical data collected before birth.


