Contributions of the Brazilian Act for the Protection of Personal Data for treating Digital Legacy

In this article, we analyze how the Brazilian Act for the Protection of Personal Data --- Lei Geral de Proteção de Dados Pessoais (LGPD) in Portuguese --- can contribute to handling some situations involving post-mortem digital legacy. For that purpose, we investigate some aspects of this act that can concur with the development of software and internet applications that cope with users’ digital assets. We analyzed the role of LGPD in the Brazilian legal system. The research was carried out based on a literature review and on the analysis of the relevant legislation and some bills proposed to regulate the matter. In line with the national constitutional order, the results point to the possibility of applying the principles and foundations of the data protection act as an axiological matrix for the treatment of the existing digital legacy.


Introduction
The technological evolution that took place since the 1980s, with the appearance of the first personal computers (Blum, 2015), and entered the 21st century in full expansion, raised society to a level of uninterrupted connectivity and even of dependence on the Internet, due to the constant inter twining of our online and offline activities. To get an idea, in 2017, the United Nations report on Trade and Develop ment indicated Brazil as the fourth country in number of In ternet users (UNCTAD, 2017), with 120 million Brazilian users connected, representing 59% of its population (Valente, 2017). In the following year, the Internet Steering Commit tee in Brazil (CGI.br/NIC.br., 2019), through the Regional Center for Studies for the Development of the Information Society of the Ponto BR Information and Coordination Cen ter, released a survey revealing the use of the internet by 74% of the population, the equivalent of 134 million Brazilians CGI.br/NIC.br. (2019).
Virtual life gains more and more space and importance in our daily lives. And the increasing sharing of personal data on the network raises questions about the privacy of users and even those who -even though are not users -end up be ing exposed indirectly, for various reasons such as postings and crossings of various data. Hence, over the past few years, laws and regulations have emerged around the world, in or der to regulate the processing of personal data of individuals and preserve the fundamental guarantees of users. In this ar ticle we will deal with some points of Law No. 13.709/2018 (General Law on Personal Data Protection -LGPD) (Brasil, 2018) which, as will be seen below, is the basis of the legal microsystem for data protection in Brazil.
On the other hand, the end of life does not eliminate the vir tual personal data left by a deceased person. These data per sist and can generate implications both in the image of those who have gone and in the lives of those who remained and who had some type of interaction with the dead. Therefore, the issue of postmortem digital legacy and its repercussions should also be discussed. By the way, Carroll and Romano (2010) understand digital legacy as being "the sum of the digital possessions a person leaves for others" (apud Maciel (2011) ). Edwards and Harbinja (2013) explain that transfer able digital assets would be, in a broad and nonexhaustive way, intangible information assets, associated with the on line or digital world, such as social media profiles (Face book, Twiter etc.), emails, databases, images, sound records, videos, passwords for access to digital goods and services and several others.
For Edwards and Harbinja (2013), digital legacy: (…) can be defined as the collection of information available digitally about a user after they have died [2,6]. A digital legacy is made up information that the user has personally posted, coauthored, shared, or has had posted or shared about them. Digital Legacies consist of digital assets that contain data about a user from every facet of their digital and realworld lives.
The authors explain that this collection reflects the user's profile in the context of the real world; and the more it is increased, the richer this reflection becomes. The focus of this work is the existential facet of the digital legacy. Along this line is the concept of "affective testament", developed by Jones Figueiredo Alves, cited by Tartuce (2018), in order to deal with the curation of data of Internet users. Although the concept sounds simple, the challenges that surround it are complex. Firstly, because they involve interdisciplinary issues and apparently paradoxical interests, such as privacy and freedom of communication and expression. Second, due to the controversy over whether the idea of finitude of life in the digital world (deletionists) or the preservation of the legacy for descendants (preservationists) should prevail. Or yet, how will the management of the data of the deceased take place, whether or not there is a digital will (Maciel and Pereira, 2012).
Thus, in the face of this problem, it is important to investi gate and debate how the digital legacy is being addressed (if it is), in the data protection laws and how it has been treated in the bills that aim to regulate the matter. What is observed, be forehand, is that the handling of digital legacy lacks specific regulations that provide greater stability and legal security to users and developers of systems and application providers that handle dead data. In this context, the new General Law for the Protection of Personal Data in Brazil (LGPD) (Brasil, 2018), which came into force on September 18, 2020, can contribute to the construction of a normative path for this regulation.
More than a simple transmission of inheritance, as if it were a property, or a vehicle, or a copyright, the digital legacy involves content that touches on topics such as privacy, inti macy, honor and image, guarantees guaranteed to all, without distinction, by Federal Constitution, in its article 5, X (Brasil, 1988). In addition, it is important to note that, due to the tech nological advances already mentioned, the very concept of privacy has migrated from the individualistic perspective, of "proprietary matrix", to the terrain of the collectivity (Rodotà, 2015), given the complexity of social relations forged in the contemporary world. Regarding the technical aspect, the de velopment of tools and applications, the modeling of privacy must be considered from different perspectives. Due to its multicontextual character and the human values that make up the theme, it is difficult to establish a strict and absolute approach in this regard (Baranauskas et al., 2015). The tech nologies and the profusion of their use have brought up many technical issues that are ahead of the legal ones, because the speed in the legislative work is not able to follow, pari passu, the technological development.
Therefore, this article poses as a problem the absence of a specific law for the treatment of the postdeath digital legacy and the consequences of this gap, whether from the perspec tive of privacy, or from the perspective of the development of new applications and features. In this line, the work aims to analyze the possible repercussions of LGPD to cases of data treatment of dead people in the context of the digital environment. In other words, it is intended to analyze how the LGPD can guide the regulation of the hereditary trans mission of digital content that is not economically valuable, that is, related to the privacy of the deceased, such as private communications and emails, private posts and / or that say respect to third parties who related to the deceased on social networks or outside them.
The present study will be developed by exploratory re search (Gil, 2008), to investigate the technical and legal aspects that permeate the matter. Through the deductive method, we started from the analysis of the general standard to verify its application to the particular situation investigated (Castrianni et al., 2007). Initially, a documental analysis was carried out to verify the scope and adherence of the legisla tive proposals presented in the Brazilian Federal Legislative Power for the treatment of the digital legacy. To this end, a cut was made in legislative projects of the last decade, which intended or intend to regulate at national level the treatment of digital inheritance. Next, we conducted a bibliographic re view to understand the nuances of privacy in the current con text, as well as the normative path that Brazil has adopted in relation to the protection of personal data. These steps al lowed to identify some gaps existing in these bills and, al though the LGPD does not specifically address the issue, it is possible to glimpse in this law some principiological and normative parameters capable of guiding a future project for the regulation of the digital legacy more adherent to social dynamics.
This article is an extended version of Beppu and Maciel (2020). This is structured as follows. After this introduc tion, in Section 2, we discuss some proposals for the regula tion of digital inheritance in Brazil. In Section 3, we present the panorama of the personality rights of the Brazilian le gal system and its repercussions on the treatment of the dig ital legacy; in this section we list some works found and re searching this theme. In Section 4, we analyze the data pro tection regulation in Brazil and how the LGPD can reflect on the treatment of the digital legacy with no economic value. In Section 5, we address the situations in which the LGPD presents itself as a viable solution to the treatment of that legacy. Finally, in Section 6, we bring the conclusions of this research and signal the future work needed to deepen the sub ject investigated.

Proposals for the regulation of digi tal inheritance in Brazil
Although, there is an absence of specific laws in Brazil for dealing with the postdeath digital legacy, we could note that some aspects affecting the user's privacy are already, in some way, dealt with in foreign legislation. We summarize ahead some laws that deal with the subject, allowing the verifica tion, albeit superficial, of the legal directions adopted in other countries. Almeida (2019) enumarates specific legislation about dig ital legacy in the United States, Bulgary and Estonia. In the United States, in Oklahoma and Idaho, there is a law that con fers broad powers on the executor or inventory administrator (control, continue, close any accounts of the deceased on any websites, applications or social networks). In the state of In diana, a specific law allows access to digital assets only by expression of the user's will (in life) or in case of court deci sion. In Connecticut, the law allows access to heirs, when re quested, only to the deceased's email accounts. There is also an American uniforming law, revised in 2015, which pro hibits access to digital legacy by unauthorized persons; estab lishes that privacy choices made in life continue in death; pro tects the rights of living users who communicated privately with the deceased.
In Bulgaria, the law establishes the transmission of the dig ital legacy to the heirs, adopting a proprietary bias. In Estonia, the law provides for the treatment of digital legacy as copy right, establishing that the legacy falls into the public domain 30 years after the user's death. Finally, in China, according to Mango and Garla Filho (2020), there is an amendment to the Civil Code that states that "the choices about privacy made in life continue in death".
In Brazil, the challenges related to the theme of privacy in the connected world, posthumous interaction and postdeath digital legacy have been debated in the field of Computing for almost ten years, when they became part of the chal lenges of the HumanComputer Interaction area of the Brazil ian Computer Society (SBC) (Maciel et al., 2015). However, there is still no consensus on the regulation, social and legal, on the subject, which demonstrates the relevance and need for research in this area, as will be shown below. With re gard to data management, more precisely the transmission of digital legacy, over the last decade bills have been pre sented in the Chamber of Deputies and the Federal Senate, aiming to regulate the matter. In this context, for this study, two projects were selected that were processed in 2012 and whose texts were represented in other legislatures, in addi tion to a 2015 project and one presented in 2020, as detailed below.

Bill No. 4099/2012
Bill No. 4099, presented on 06/20/2012 in the Brazilian Chamber of Deputies, in a nutshell, only proposed the amend ment of article 1788 of the Civil Code, providing that "all contents of accounts or digital files of ownership of the au thor of the inheritance." (Brasil, 2012a).
In justifying the proposition, the author claims: Situations in which the families of deceased persons wish to gain access to files or accounts stored on internet services have been brought to the Courts and the solutions have been very different, generating different and often unfair treatment in similar situations. [...] The best thing is to make the suc cession law reach these situations, regularizing and standard izing the treatment, making it clear that the heirs will receive in the inheritance access and full control of these accounts and digital files.
This bill, archived in that legislative house, was resubmit ted to the Senate, under number 6468/2019, by the same con gressman. It is in process, awaiting designation of rapporteur since February of this year (Brasil, 2019).

Bill No. 4847/2012
Bill 4847, presented to the Chamber of Deputies on 12/12/2012 (Brasil, 2012b) provided for the insertion of a specific chapter on digital inheritance in the Civil Code, Chapter IIA (of Book IV Title I), containing articles 1797 A to 1797C. By digital heritage, the author defined it as "everything that is possible to store or accumulate in virtual space".
The proposal established that if the user had not left a will about the digital inheritance, this would be destined to the legitimate heirs. According to the text, the heir would be re sponsible for defining the fate of the deceased's accounts, be ing able to (a) transform them into memorials, leaving access restricted to confirmed friends and keeping only the main content or; (b) erase all user data or; (c) remove the old user's account.
It is possible to observe that there is no mention of the deceased's will, respecting any choices and settings he has made in his social network accounts, emails and applications. In the case of converting the account into a memorial, the project provided for a limitation in terms of contacts (only confirmed friends) and content, without explaining what was considered "main content". This project is also archived.

Bill No. 1331/2015
More specifically, but along the same lines, was Bill No. 1331, of 04/29/2015 , also presented in the Chamber of Deputies, and which intended to amend Law No. 12.965/2014 Marco Civil of the Internet (Brasil, 2014) .
The bill provided for the possibility of definitive deletion of the personal data of a deceased or absent internet user, "at the request of the spouse, ascendants or descendants, up to the third degree, at the end of the relationship between the parties, except in the cases of mandatory custody of records". However, this bill was also archived by the Chamber of Deputies at the end of 2019, due to the end of the legislature.

Bill No. 3050/2020
Bill No. 3050, presented on 06.02.2020 (Brasil, 2020), is cur rently being processed in the Chamber of Deputies. The bill also provides for an amendment to Article 1788 of the Civil Code to add the sole paragraph, with the following wording: "All contents of patrimonial quality will be transmitted to the heirs, accounts or digital files owned by the author of the in heritance.".
It is noted that the project is not clear whether it intends to limit the hereditary transmission to content of heritage value or to allow wide access to the digital legacy by the heirs of the deceased. The wording presents some ambiguity in the part "or digital files owned by the author", not making it clear whether they would be any other digital files or only those with equity value.

Bill Analysis Process
The legislative proposals mentioned in this section present very timid solutions, given the complexity of the subject. Bills No. 4099/2012 and No. 3050/2020 of the Chamber of Deputies deal with the matter solely from the perspective of inheritance law, that is, the transferability of assets and rights with pecuniary value, generalizing the situations and autho rizing the transmission of the digital legacy , without distinc tion, to the heirs.
Such a path is incomplete, as it ignores the nature of the large amount of data and information stored by users in inter net applications, trusting that content deposited there would be preserved, or that it would be shared only with members of that community or network of contacts .
The content of an email or conversations, testimonials, photos, which make up the deceased user's digital legacy, should deserve special attention, as they are in the field of the owner's privacy and intimacy. They cannot simply be trans ferred in the chain of succession the way a house or a car is transferred.
In turn, project No. 4847/2012 regulated the fate of ac counts on social networks, allowing their conversion into memorials, at the discretion of the heir, who could also ex clude the deceased's account or personal data. Despite the possibility of preserving the profiles of the deceased, in the form of a memorial, the norm's connotation is still limited to the idea of ownership. The author of the project declares in the justification that "everything that is possible to store in a virtual space such as music and photos, becomes part of people's heritage and, consequently, of the socalled "digital heritage"." Likewise, Bill No. 1331/2015 did not consider any provi sion of the deceased's will, allowing the exclusion of their personal data provided to a certain internet application by the simple request of the heirs. In this case, the legislator's concern with the protection of the deceased's personal data is verified, which is already an advance. However, the proposal only transferred to the heirs the right that the data subject had while alive, to request the deletion of their personal data con tained in internet applications. The proposal does not men tion, for example, the destination of these data if the heirs did not request the deletion of the data.
After analyzing the investigated bills, it is possible to con clude that they all address the digital legacy after death only from the perspective of good with economic value, not see ing the problem from other angles. There is a delay even in relation to other laws in force in other countries.
Thus, it is concluded that the bills that have been presented to the Brazilian Parliament in the last decade, with the pur pose of regulating the digital heritage, do not take into ac count other values attributable to the digital legacy, which do not have a pecuniary nature. To address all the nuances of the topic, it is necessary to bring up the rights of personality, which we will analyze in the next section.

Personality rights in the Brazilian le gal system
The order inaugurated with the Federal Constitution of 1988 promoted the shift from the centrality of private law, previ ously marked in the Civil Code, to the constitutional rule (Leal, 2018b), whose main paradigm is the dignity of the hu man person. With this, even the field of private law, which was previously considered exclusively from the patrimonial perspective, starts to focus on the human person. In this context, what are called personality rights, which are those "inherent to the human condition" (Almeida, 2019) ascend. Examples of personality rights are privacy, intimacy, honor and image. With this new paradigm, the classic di vision between public and private law is overcome (Leal, 2018b), which are now understood from the perspective of complementarity and no longer opposition. Leal (2018b) emphasizes the interpretive role of human dignity, the essential core of fundamental rights. Thus, if there is a conflict between a patrimonial right and an ex istential right, the protection of the individual will prevail, with regard to the guarantee of his fundamental rights. This interpretation ensures that, in the face of a concrete unregu lated case, the individual has their existential rights protected (Leal, 2018b).
To ensure the protective effectiveness of the constitutional rule, it is necessary to understand the rights of the personal ity as "centers of interest", the result of "subjective legal sit uations" and, therefore, depriving them of the dogma of the theory of subjective law, for which the presence of a subject in the legal relationship is essential.
According to Pietro Perlingieri's theory of the "subjective legal situation", the subject is an accidental element in a le gal relationship, that is, it is not essential for it to exist and receive legal protection. For the author, the legal relationship is formed by the relationship of two or more centers of inter est (Almeida, 2019). This is what happens, for example, in the case of the guar antee of rights to the unborn child (the one who is yet to be born), who, even though not endowed with a civil personality (the personality begins as birth with life), has assured some rights, such as that of receive donation (Almeida, 2019).
Along these lines, personality rights must be analyzed from the perspective of centers of interest and, therefore, tran scending the subject's problem. For Leal (2018b), it is nec essary to consider personality rights as a legally relevant as set and, therefore, deserving of legal protection (objective bias), surpassing the "purely structural and sectoral analysis of personality, by which protection is sought in only negative terms, in the sense of repelling any violations, a technique de rived from the right to property".
As a result, in the same way that the law protects certain legal situations for those who have not yet been born, the same can occur to guarantee equal protection for those who have already died, as will be seen later.

Privacy and protection of personal data as personality rights
Based on the premise established in the previous section, the analysis of privacy and the protection of personal data is con sidered as part of the personality's center of interests. By way of contextualization, it should be noted that the initially con ceived idea of privacy arises from the proprietary, individu alistic and bourgeois matrix. Without completely detaching from this perspective, Warren and Brandeis, in the late nine teenth century, coined the famous definition for what would be a right to privacy, that is, the right to be let alone (Rodotà, 2015). From then on, however, they advance towards con sidering privacy also as a "tool for protecting minorities and dissonant opinions and, therefore, for free expression and the right to freely develop one's personality" (p. 16). The con cern of the two American jurists was technological advances, such as newspaper cameras, which invaded the privacy of cit izens.
Currently, due to the growing development of technology, which allows the massive collection and processing of data made available on the Internet, the treatment of privacy is shifting to the collective dimension (Rodotà, 2015). In this sense, Rodotà defines privacy, in current times, and as "the right to maintain control over one's own information and to determine the way to build one's own private sphere" (2008, p. 15).
In Brazil, the right to privacy has a constitutional posi tion. The Federal Constitution of 1988 included the inviola bility of intimacy and private life in the list of fundamental rights and guarantees (Art. 5º, X, CF). In addition, data pro tection has already been recognized by the Federal Supreme Court (ADI nº 4687) as an autonomous fundamental right, extracted from the guarantee of inviolability of intimacy and private life and the principle of human dignity (p. 55). Therefore, privacy is not limited to the treatment of sec torial laws; as it is a fundamental guarantee, it must be pro tected by the entire legal system, reaching situations that oc cur in the "real world" and on the Internet. Dealing with the right to privacy in the digital sphere is dealing with the protection of personal data and the possibility of its control (Almeida, 2019). Hence the relevance of a national data pro tection law that, as Law No. 13.709/2018 does, looks at the data subject and his personality rights.

Digital legacy and personality protection
In order to support this research, we searched for works that investigated the treatment of the digital legacy from the per spective of personality rights. In the Catalog of Theses and Dissertations maintained by CAPES 1 , searching for the term "digital heritage", the following researches were found, sum marized in Table 1.
From the analysis of the menu of the works, as well as those whose entirety it was possible to access, we verified the tendency of acceptance of the "post mortem right of pri vacy" and the preservation of the deceased user's sphere of personality.
According to Leal (2018a), there is no succession of per sonality rights in Brazilian law, as they are very personal, nontransferable. What there is, in fact, is the "[...] tutelage of a center of interests related to the personality[...]", for un derstanding the existential aspect of the deceased.
In this regard, Almeida (2019) argues: In this way, it is not due to the absence of personality rights after the death of a holder that anyone is allowed to make whatever they want, for example, with the im age of the deceased. At this point, there is a center of interest protected by law, that is, a duty not to damage this image, due to the existence of nonfreedom. The ex istence of a duty does not necessarily correspond to the existence of a right.
In this sense, the Civil Code  deals with the subject in the chapter on personality rights, granting legiti macy to the deceased's heirs to plead in court to cease the threat or injury to personality rights, or compensation for of fense to these rights 2 .
Thus, in line with what Almeida (2019) and Leal (2018b) and Leal (2018a) maintain, we have as possible and viable to integrate the treatment of nonpecuniary digital heritage left by the deceased in the sphere of protection of personality rights or, in other words, of theory of interest centers, which attract legal protection even in the absence of its owner and which can be carried out even in the face of the heirs.
In fact, this is an important point, as highlighted by Pereira (2017): 1 CAPES is the acronym in Portuguese for Coordination for the Im provement of Higher Education Personnel, a foundation within the Ministry of Education in Brazil whose central purpose is to coordinate efforts to im prove the quality of Brazil's faculty and staff in higher education through grant programs.
It is noteworthy that a user will not always want their direct heirs to have access to their personal emails, pho tos or accounts. Therefore, there is a dilemma between the user's will about what will be done with their data in the future and the right of an heir to digital inheritance or, more specifically, what an heir would be authorized to access in the future under current Brazilian legisla tion.
Personality rights materialize the memory of the deceased (Cadamuro, 2015). The "dilemma" raised can be solved, at least in part, with the approach presented in this work, deal ing with this kind of digital legacy from the perspective of the personality's center of interests, as stated above.
From there, it becomes possible to define the types of dig ital legacy transferable 3 to heirs, those nontransferable and, as will be seen in the next sections, the parameters for soft ware developers and application providers to manage the dig ital legacy related to the personality protection field.
After all, as highlighted by Stokes (2020), on social me dia profiles, "they are less like something we own (and so can be inherited) and more like a part of what people are". According to him, this is what academic literature has called the "digital remains", to differentiate from "digital assets". This conclusion meets the humanist perspective of heritage, which includes in its concept not only legal situations of her itage value, but also those aimed at protecting the dignity of the human person (Almeida, 2019). The treatment of digital legacy must take care of the heritage from this perspective, covering not only the "digital assets", but also the "digital remains". The latter refer to the personality's center of inter ests.
By the way, with regard to privacy from a legal perspec tive, Zaleppa and Dudley (2020) raise three issues: 1) related to the individuality of the account holder, who effectively contracts the services; 2) related to the services contracted by the user, as they establish the rules of what can be done with the deceased's account; 3) the issue of the digital executor 4 or heir(s) who, once in possession of the deceased holder's credentials, may impersonate him. "This could invade the de ceased user's privacy which brings back the ethical question, should heirs be given access to a deceased loved one's on line accounts?" Therefore, it is necessary to search for legal solutions and normative parameters that can guide the path of Brazilian legislators in the elaboration of bills that are closer to the issues currently experienced by individuals and soci ety.

Program
Title Abstract DSc. in Law at PUC Minas The legal protection of digital assets after death: Analysis of the possibil ity of recognizing the dig ital heritage (Almeida, 2017) It concludes on the possibility of inheritance transfer of these assets de spite what the contractual terms may determine. Also, the tools for man aging virtual accounts, although not digital wills, are a way of subsi dizing the user in exercising the socalled post mortem privacy right. If there is no modulation by the user, it concludes that providers will not be able to limit access to heirs, including assets without economic value, because they have procedural legitimacy to defend this legacy. MSc. in Legal Sciences at UFPB Digital inheritance: virtual equity and inher itance law (Carvalho, 2019) Extracted from the CAPES catalogue: Analyzes "the digital heritage in light of the current legal system and comparative law, especially North American and European law, to then present parameters for the protec tion of these contents (...)"; mentions "digital goods of an economic or very personal nature". It seeks to contribute both to judicial protection and to possible state regulation. "As the basis and fuel for such an un dertaking, the use of the constitutionalized and, even more, humanized perspective of Civil Law as a necessary methodology to face so many questions that we are trying to resolve in this writing." MSc. in Law at UERJ Death and mourning on the Internet: beyond the digital heritage (Leal, 2018b) It addresses the issue of digital legacy from the deconstruction of the paradigm of "digital heritage". It understands the idea of transference and unrestricted access of family members to the accounts of the de ceased as inadequate, from the perspective of protecting the rights of the personality, which remain after death as a relevant interest to be pro tected. It concludes, among other considerations, that it is not feasible for the user to authorize the access of the heirs to private conversations with living third parties, as it would violate the right to privacy of these contacts, which should prevail; and clauses of the terms of use that do not adhere to the legal system may be removed by the Judiciary. The inexistence (at the time) of a national data protection law is considered an obstacle to the proper treatment of the digital legacy. MSc. in Law at Estácio de Sá University Digital inheritance: inheritance protection of digital assets (Robert, 2017) Extracted from the CAPES catalogue: "This dissertation has as its object the examination of the succession protection of digital assets. (...) The study was motivated by the existence of a legislative gap with regard to Succession Law. The transmissibility mortis causa of virtual assets must be analyzed from the terms and conditions of use to verify the limits of ownership of the user and the provider of cyber services." MSc. in Com puter Science at UFMG Investigation on Antici pating the Impacts of In teraction in User Digi tal Legacy Management Systems (Pereira, 2017) Extracted from the CAPES catalogue: "Unlike other works that explore Digital Legacy management tools, our approach highlights the quality of use of communicability and how designers deal with issues associ ated with death in their systems. Our methodology uses the Semiotic Inspection Method (MIS), interaction anticipation challenges, analysis of a sample of current systems and the prototyping of a posthumous Digital Legacy Management System to broaden the understanding of technologies related to communication and interaction practices around death." MSc. in Com putational System for Guarantee of Rights at Bauru University Center The protection of per sonality rights and dig ital heritage (Cadamuro, 2015) It concludes that the State "has an obligation to protect the rights of the personality of the deceased, even though it denies judicial requests from their heirs to access assets and/or digital collection digital heritage that exposes their intimacy, private life, honor, secrecy, tarnishing, thus, such rights of the deceased". It addresses the issue of personality rights, of a very personal nature, which cannot be transferred to the heirs. It recognizes the need for specific legislation to adapt the treatment of dig ital legacy to the standard of protection of the fundamental rights of the personality, which survive the user's death.
In this desideratum, established the bases on which we con sider the digital legacy after death in this research, we ana lyzed the new Brazilian law for the protection of personal data, in order to verify possible contributions by this norma tive instrument for future regulation of the subject in Brazil.

The regulation of personal data pro tection in Brazil
As mentioned elsewhere, the protection of personal data in Brazil has a constitutional foundation. At the infra constitutional level, sectorial laws 5 had already been regulat ing the protection of personal data in a timely manner, until the publication of a general law for the protection of personal data. Brazil was the last democracy in Latin America to es tablish a specific regulatory framework for the protection of personal data (Sombra, 2019). In 2014, given the pressing need to regulate the use of the internet in the country, Law No. 12,965/2014 6 (Brasil, 2014) came about, which instituted the Marco Civil da In ternet (MCI) and sheltered among its principles the right to privacy and to data protection. However, at this point it still depended on regulation by specific law (Brasil, 2014).
Thus, despite establishing a principle framework for the use of the Internet in Brazil, the Marco Civil da Internet did not intend to regulate the privacy and protection of personal data "in a comprehensive and structured way" (Salvio et al., 2019).
Such regulation came with Law No. 13.709 (General Law for the Protection of Personal Data -LGPD) (Brasil, 2018) was published only a few years later, on 08/15/2018 7 , estab lishing general rules for the processing of personal data both in digital and physical media.
It should be noted that the LGPD deals with data from in dividuals, not reaching the data from legal entities. It is also worth mentioning the national character of the Brazilian stan dard, that is, it must be complied with by the Union and the States, the Federal District and Municipalities 8 .
By "processing", the law considers "any operation carried out with personal data, such as those referring to the col lection, production, reception, classification, use, access, re production, transmission, distribution, processing, archiving, storage, disposal, evaluation or control of information, mod ification, communication, transfer, dissemination or extrac tion", pursuant to article 5, item X. Furthermore, regarding applicability, Brazilian law establishes the rule of extrater ritoriality. Thus, in summary, if the processing operation is carried out in Brazil, Brazilian law will be applied, regardless of the location of the company's headquarters or the country where the data is located 9 . LGPD (Brasil, 2018) The LGPD inaugurates in the Brazilian legal system the personal data protection microsystem, of which it is the structural basis (Capanema, 2020), and in which the sparse rules that address the subject through sectorial laws orbit. As Freire Sá says, a legal microsystem establishes "a new pro tective order on a given subject, with its own principles, its own doctrine and jurisprudence, autonomous from common law" (Menezes, 2006). This means that the matter regulated by a legal microsystem can be dealt with by provisions of different laws and principles that make up this universe. This is what Erik Jayme called the dialogue of sources (Benjamin and Marques, 2018), a theory that contributes to making human rights effective, based on the joint, comple mentary and nonexcluding application of norms that em anate from different norms of law. This theory admits the need to coordinate, in a harmonic way, the different norma tive sources (internal, international and supranational) for the protection of the fundamental guarantees inherent to the hu man condition (personality rights).
The theory of microsystems is clear in Art. 42, of the LGPD (Brasil, 2018), when establishing the obligation to re pair damage caused by the Controller or Operator, for "viola tion of the personal data protection legislation" (Capanema, 2020). In addition, Article 45 provides for the application of the liability rules of consumer legislation when personal data breaches occur in the context of consumer relations. There fore, the dialogue of sources applies.
Furthermore, in Article 4, which deals with situations to which the LGPD does not apply, §1 expressly says that the principles of the rule will be applied to the treatment situ ations mentioned in item III of that article. That is, even though it does not apply to the LGPD, the principles provided for therein must be applied.
The same situation exists in § 1 of Article 7, when the LGPD says that even in the case of data made manifestly pub lic by the data subject, the processing agents must observe the principles of the law. Therefore, the protection of personal data in Brazil is currently handled by the legal microsystem whose center is the LGPD. In this way, its rules and prin ciples can certainly influence future sectorial legislative pro posals as well as judicial solutions for conflicts involving the matter of personal data protection; and why not say, also the development of software and internet applications.

The principles of the LGPD
The fundamentals of personal data protection listed by the LGPD are presented in Table 2. The reader should note that the purpose of the law is not to prohibit the processing of personal data or their sharing, nor technological develop ment, on the pretext of protecting the privacy of citizens. The representative bias of privacy in the LGPD moves more towards giving the holder greater autonomy over their data. This means giving him the power to decide what his data can be used or shared, with whom and for what purpose.
Privacy is in line with another foundation of the law, that of informative selfdetermination (Art. 2, II, LGPD (Brasil, 2018)), which translates, according to Maldonado and Blum (2019)in "personal control over the transit of data related to the incumbent itself", and must be consciously and transpar

ART. 2º, LGPD (Fundamentals)
(i) respect for privacy (ii) informative selfdetermination (iii) freedom of expression, information, communication and opinion (iv) the inviolability of intimacy, honor and image (v) economic and technological development and innova tion (vi) free enterprise, free competition and consumer pro tection (vii) human rights, the free development of personality, dignity and the exercise of citizenship by natural persons ently, without psychological and economic appeals (Sombra, 2019).
The perspective of privacy adopted by the law is consistent with the concept coined by Rodotà (2015) 10 , mentioned in Section 3. Analyzing the fundamentals listed by the LGPD, we verify that the constitutive elements of this concept of pri vacy, namely, (a) control over information and (b) freedom to build their own private sphere, are included in the list of Article 2 of the law, as shown in Figure 1.
Thus, Brazilian law defines the holder as the center for the protection of personal data, ensuring that the processing of personal data must respect the fundamental guarantees repre senting the sphere of the personality of citizens. In addition to the fundamentals, the LGPD expressly provided in Arti cle 6 a list of principles to be observed in the operations of processing personal data, summarized in Table 3. Table 3. Principles to be observed in the operations of processing personal data provided by LGPD.

ART. 6º, LGPD (Principles)
(i) purpose (ii) adequacy (iii) necessity (iv) free access (v) data quality (vi) transparency (vii) security (viii) prevention (ix) nondiscrimination (x) accountability and reporting It is extracted from the principle analysis of the LGPD that the processing of personal data presupposes, by the process ing agents (controller and operator), compliance with the rule of adequacy, that is, compatibility between the need and the purpose of the operation, according to the bases legal docu ments that authorize the processing of personal data 11 .
The purpose principle guides that the processing of per sonal data must be carried out with a legitimate, specific, ex plicit and informed purpose to the holder (Art. 6, I). In other words, the purpose of the treatment and transparency towards the holder must be respected. This principle is in harmony with that of necessity, which presupposes the proportional collection of data and the minimum treatment necessary to achieve the stated purpose (Art. 6, III).
In addition, agents must respect the holder's right of ac cess 12 to their personal data and the right to rectification 13 . The principle of transparency is embodied in the right to in formation ensured throughout the law, by providing the rules for consent and the right to confirm the existence of process ing and information on data sharing 14 .
It appears that the axiological matrix 15 of the rights of hold ers provided for in the LGPD will be selfdetermination, es pecially given the "magnitude of the processing capacity pro vided by big data and data analytics (Sombra, 2019).
Another important point brought up by the LGPD is the principled orientation expressed in the sense of preventive ac tion in the processing of personal data (principles of security, prevention and accountability). Chapter VII of the law specif ically addresses data security and good governance practices. It establishes that the security measures must be observed from the conception of the project (Art. 46, § 2) 16 .
With this, the LGPD enshrines, in our view, the need for proactive action when dealing with the protection of centers of interest of the personality, according to the seventh founda tion of the law, mentioned in Table 1 to 4. In the same sense, the principle of nondiscrimination underlies the stricter treat ment established by law for the processing of sensitive per sonal data 17 , provided for in Art. 11.

LGPD and the treatment of digital legacy: aspects to consider for future regulation
The LGPD provides, in Article 1, its application to cases of "processing of personal data [...] with the objective of pro tecting the fundamental rights of freedom and privacy and the free development of the natural person's personality". Therefore, it is aimed at protecting the personal data of "nat ural persons". Thus, in the exercise of systematic interpretation of the le gal system, it should be noted that the Brazilian Civil Code 18 , in Article 6, first part, establishes that the existence of the natural person ends with death. Therefore, it can be con cluded that the LGPD does not directly deal with the process ing of data from deceased persons.
Nevertheless, the principles and foundations of the law can guide the processing of personal data on the deceased, es pecially with regard to subjective legal situations involving 12 Art. 18, II, LGPD. 13 Art. 18, III, LGPD. 14 Art. 18, I and VII, LGPD. 15 "The legal axiology deals with the values that make up the legal order. Values are what gives meaning to human action, what requires taking a stand. They can be positive or negative, there is a hierarchy between them, they are relative and correspond to human needs." (Castrianni et al., 2007) 16 Privacy by design: methodology developed by Ann Cavoukian and comprises seven principles, namely, (i) proactive not reactive; non corrective preventive; (ii) privacy as default setting (privacy by default); (iii) privacy embedded in the design; (iv) full functionality; (v) endtoend security (throughout the data lifecycle); (vi) visibility and transparency; and (vii) respect for user privacy (Maldonado, 2019) 17 Art. 5, II, LGPD. 18 Act No. 10.406/2002 . personality rights, as discussed in the previous section. As the LGPD is the structural basis of the new Brazilian per sonal data protection microsystem, its principle radiates as a source of law for the entire legal system, being able to sup port decisionmaking by companies, governments and courts, until a specific law is issued to deal with this subject. Given the legislative gap regarding the treatment of digital legacy and the complexity of situations involving the use of Internet applications and social networks, the LGPD can of fer a new perspective for a future bill and, now, to guide the design features in software and internet applications, espe cially those aimed at configuring digital wills and managing the user's digital legacy after their death.
Thus, considering that the principles and foundations of the LGPD are materialized in various provisions of the law, as mentioned in Section 4.1, we also understand that some rules provided for in the law may support these decision making. It is not about imposing the LGPD, but rather a source of normative guidance, given the absence of a spe cific law. In this sense, we bring to discussion two legal bases for the processing of personal data authorized by the LGPD, consent and legitimate interest. Consent 19 is defined by law as a free, informed and un ambiguous manifestation, whereby the holder agrees to the processing of his/her personal data for a specific purpose. Ac cording to Article 8 of the law, consent must be express and come in a highlighted clause. It must also refer to a specific purpose, with generic authorizations being null. In the case of sensitive personal data, consent must be given in a specific and prominent way, for specific purposes 20 .
It is important to note that consent can be revoked at any time by the holder, that is, the holder must be guaranteed the possibility of revoking the authorization previously given. The controller 21 can also base the processing of personal data on the legal hypothesis of legitimate interest, provided that it is for legitimate purposes, considered from concrete situ ations, for example the protection of the regular exercise of rights of the holder or the provision of services that benefit him, respecting his legitimate expectations and fundamental rights and freedoms 22 . Note that the standard is open, that is, there may be other concrete situations that justify the legiti mate interest of the controller. 19 Art. 5, XII, LGPD. 20 Art. 11, I, LGPD. 21 Art. 7, IX, LGPD. 22 Art. 10, II, LGPD.
In the case of legitimate interest of the controller, the pro cessing must be limited to those data strictly necessary for the intended purpose 23 . And the controller will not be able to process personal data based on the legitimate interest if the holder's fundamental rights and freedoms prevail, or even, in the case of sensitive personal data, unless he has the holder's consent.
Therefore, it is noted that in both cases of treatment, the law expressly provides for the condition of respect for the principle of purpose, necessity and preservation of the fun damental guarantees of the holder provided for in Article 2 (individual freedoms and free development of personality). As can be seen, considering the set of principles and rules (materializing these principles) established in the LGPD, it is possible to draw a safe guideline for the solution of con crete situations involving the nonpatrimonial digital legacy, for which there is still no specific law.

Applying LGPD parameters to digi tal legacy
Having analyzed the matrix of principles of the LGPD, it is worth reflecting on the possibilities for processing personal data mentioned above and how they can guide the develop ment of software and applications that handle data from dead people and their digital legacy.
In the wake of what the regulation considers the processing of personal data, as mentioned in the previous section, it is reasonable and even expected that deceased user accounts on social networks, emails and other applications receive some type of treatment by the controlling companies and/ or oper ators 24 , even if it is to archive or delete the account, since the holder will not be able to do it by himself. We proceed to the analysis of the casuistry.

Application setup by user still alive
The LGPD advances in relation to the consideration of the will of the holder (volitional aspect) and in providing condi tions for the exercise of informative selfdetermination. This reinforces the possibility of a contractual solution for the 23 Art. 10, § 1º, LGPD. 24 Pursuant to Article 5, VII, of the LGPD, an operator is a natural or legal person, governed by public or private law, who processes personal data on behalf of the controller. treatment of the digital legacy, that is, the development of models of digital wills to be made available in the applica tions.
In the operational aspect, having the technological artifact of consent options for the processing of data for postmortem destination presents greater security (from the controller's point of view) and greater protection (from the perspective of the holder) in relation to the treatment.
However, for the contractual solution to be valid, the rules for valid consent must be observed, and should therefore guide the design of applications offered to users.
Thus, for example, if the consent provided by the user for the processing of their data after their death is null (outside the parameters of the LGPD), the heirs may ask the provider company (or the Judiciary) to disregard it. This can generate insecurity for users and for the company itself, in addition to hurting the expectation of privacy that these users expressed in life.
In this sense, if there is a need to deal with this user's dig ital legacy, the functionality options must be provided for in the terms of use or privacy policies, in accordance with the current legal system, to guide the processing of user data af ter their death (Viana et al., 2017).
In the case of conversion into memorial, for example, sec ondary issues arise regarding the design options for this type of profile, which data could be exposed, the limitation or not of access and the duration of the memorial (Maciel et al., 2019).
Therefore, the rules provided for in the LGPD for the col lection and provision of consent under the terms of use of ser vices must be followed by software and internet application companies when establishing the conditions (functionalities) for handling the account after the user's death, reducing the risk of questioning and legal annulments in the succession phase.

No digital will or configuration of ac counts and personal profiles
Observing the legal parameters already adopted for the pro cessing of user data while the user is alive, the legal hypothe sis of legitimate interest is presented as a normative reference to justify its treatment after the user's death. That is how the company could use the legitimate interest route to process and dispose of the personal data of the deceased user who has not left a will or configured their accounts/profiles in life. This seems to be a legitimate justification, as long as it is to protect the interests of the users' personality, such as the preservation of privacy settings, the constructed image and the secrecy of communications.
We understand that the use of the deceased's personal data in the legitimate interest of the company for activities of its in terest would also be possible, but in accordance with the prin ciples and fundamentals of the LGPD and safeguarding the center of interests of the deceased user's personality. If this was not observed by the controlling company, the compensa tion for any damages or threats to the deceased's personality interests could be judicially charged by the legitimate heirs, under the terms of the Civil Code .
It is noteworthy that even for the processing of data made public by the holder (such as those contained in public pro files, public interactions in the feed, published photos) the LGPD determines that the holder's rights and the principles contained in that law be safeguarded (Art. 7, § 4).
The protection of the legitimate expectation of privacy is an important ally of the preservation of privacy, from the perspective of contextual integrity, defended by Nissenbaum (2010) 25 . Privacy must be understood according to the com plex and multifaceted universe that surrounds it, adopting principle guidelines that contemplate not only the individual impacts of privacy, but also the social expectation of protec tion (Sombra, 2019).
In this sense, it is not reasonable, therefore, to give the same treatment, in terms of privacy, in the case of the death of a "youtuber" user, for example, and of another "ordinary" user, whose memorial will only be for mourning and memo ries of their contacts and loved ones (Edwards and Harbinja, 2013). This is because, for a public person, the exposure of their image is a positive and desired factor, which brings benefits to them, unlike a common user, who does not explore the exposure of their image as a source of income or social or political projection. In fact, in the "youtuber" situation, the probable direction to be given to their public accounts and profiles will be that of inheritance law, since these assets have equity value.

Preservation of the living users rights
In any situation, of access by heirs, conversion into memo rial or legitimate interest of the company, the rights of living users must be fully preserved, under the terms of the LGPD. The controller cannot neglect the protection of the data of third parties that were related to the holder.
In this regard, the legitimate interest of the controller, which according to the LGPD, may justify the processing of personal data "for legitimate purposes, considered from concrete situations", citing as an example the "protection, in relation to the holder, of the regular exercise of his rights or provision of services that benefit him, respecting his legiti mate expectations and fundamental rights and freedoms". Therefore, when dealing with this kind of digital legacy, the controller must be aware of the rights of the living holder and the legitimate expectations of privacy of the holders, liv ing or deceased.
Another situation to consider, in this court, is the conver sion of profiles into memorials. If the user has a lot of privacy restrictions on their profile, it may not even be feasible to en able the memorial conversion option. However, in the event of conversion, the privacy options granted to the "heir" must respect the characteristics of the deceased user's profile, tak ing into account the volitional aspects manifested in life, as can be seen from the consideration made by Maciel (2011), as well as from the principle of informative selfdetermination and the legitimate expectation of privacy of the holder.
Regarding interactions with third parties who are still alive, the consent rule must also guide the memorial config urations and the functionalities allowed to the heir indicated by the deceased.
If the dead user has not set up their accounts or nominated an heir, it seems more reasonable to delete those accounts or memorialize them, keeping the user's original settings and contacts, and blocking private messages. These measures are necessary to guarantee the privacy, intimacy and informa tive selfdetermination of those who interacted with the dead user.
Regarding the subject, it is worth mentioning the prece dent judged by the German courts, in which the parents of a 15yearold girl, who died in an underground subway sta tion in 2012, activated Facebook, requesting access to their daughter's account, in order to try to clarify whether the death was due to suicide. The German Court, reforming the lower court decision, denied the request, understanding that access to the daughter's account would represent a violation of the expectation of privacy of their contacts (Leal, 2018b).
Therefore, the foreign precedent also reinforces the con sent and legitimate interest (in the bias of the expectation of privacy) beacons conferred by the LGPD. Furthermore, the law, by establishing its foundations and principles and invok ing the combination of other normative instruments, recog nizes that the specific situations provided for in its text are not capable of regulating and predicting the entire case series of treatment, relationships and contractual arrangements, es pecially in light of technological speed and social dynamics, characteristics of the fluidity of the contemporary world.

Synthesis: LGPD and digital legacy
In summary, as presented in Sections 5.1, 5.2 e 5.3, we can re late LGPD with digital legacy in the follow aspects: (i) valid consent (Articles 7 and 11, LGPD) and (ii) legitimate inter est of the controller (Article 10). The first one can guide con tractual solutions, that is, it can contribute to the design of the terms of use, in which users are allowed to adjust the pri vacy settings available for handling the account after his/her death. But it is important to emphasize that the holder's con sent with the treatment of personal data after his/her death is not able to authorize the sharing of data of other contacts, neither with the deceased's heir, nor with other users or com panies.
The second situation (legitimate interest of the controller) could address solutions when there is no provision in the con tract (terms of use), but some treatment is necessary to pro tect the living or deceased users' rights of personality from exposure or improper access. For example: to preserve pri vacy settings, the built image, and the secrecy of private com munications.
Finally, the legitimate interest is a fair legal basis for pro cessing the deceased's data, as long as the controller observe the principles and fundamentals of the LGPD and safeguard the deceased's personality centers of interest. If some threat or prejudice to these rights occur, due to noncompliance with these parameters, the controller may be sued by the de ceased heirs (Brasil, 2002, Art. 12, sole paragraph).

Final Considerations
In the network society, there is, for many, a life in the virtual world as active or more active than in the concrete world, so to speak, which provides social interactions that survive the death of the physical body, sometimes maintaining the profile of the deceased, with everyone their contacts, who continue to interact with that account, that is, performing the posthumous interaction (Maciel and Pereira, 2012).
The very concept of death has been questioned, given the technological advances around immortality, such as that through software, which considers "AI [artificial intelli gence] techniques, neural networks, big data, machine learn ing and interdisciplinarity with other areas (such as psychol ogy and philosophy) for the replication of a human being" (Galvão et al., 2017).
Furthermore, among other researches, it has already been verified that the "internet generation" wants to manifest its volition regarding the destiny of the digital legacy (Maciel and Pereira, 2012). The question is to establish how this can be operationalized and how to reconcile it with the rights of living holders who related to the deceased on social net works.
In addition to the casuistry solution strategies related to the digital legacy with the existing legal instruments, we em phasize the need for a specific national law, which addresses the issue in all its facets and provides greater legal certainty to heirs, application providers and users from the Web. The lack of specific legal regulation is still an obstacle to the uni form treatment of the digital legacy in the country. Added to this is the complexity required for solutions, given the socio technical issues that challenge software development, the use of systems, data management and data protection, with a pro fusion of accounts, digital identities and access on different devices.
However, the LGPD establishes important guidelines for this treatment, capable of guiding the development of soft ware and applications, as discussed in Section 5. And consid ering that the fundamental guarantee to the protection of per sonal data derives from the constitutional right to privacy and privacy Pinheiro (2016) (PINHEIRO , 2016, p. 95), it can be concluded that the LGPD, especially with regard to its princi ple (Section 3), is a safe way to guide the actions of treatment of the post mortem digital legacy, from the perspective of "guardianship center of interest" related to the personality of the deceased individual, including its existential aspect Leal (2018b) and Leal (2018a).
Furthermore, the LGPD centralizes the Brazilian mi crosystem for protection and personal data, placing the data subject (the human person) in the focus of state protection. It advances in relation to the MCI, which despite providing for the privacy and protection of personal data in the list of princi ples of the law, did not regulate how this would be observed. Furthermore, the focus of MCI is the use of the Internet in Brazil and not the protection of the data subject.
As analyzed in Section 2, the bills submitted in recent years by Brazilian parliamentarians for the regulation of dig ital inheritance are reductionist and deal with the matter only from the perspective of inheritance law and the transferabil ity of assets. As we have seen, this perspective, although ad dressing the problem of the pecuniary value digital legacy, is insufficient to resolve all the conflicts that affect the non patrimonial digital legacy. This species, which affects the personality's interest centers, demands treatment based on the protection of human rights, privacy and the protection of personal data. This category of legacy differs both from the concept of 'legal property' subject to economic valuation and appro priation Leite (2006), and from 'asset', an accounting con cept that refers to a "set of assets and rights" of a company (Goulart, 2002).
Thus, the direction given to the matter by the analyzed bills is insufficient and does not show itself able to contemplate the digital legacy included in the sphere of personality rights (personal profile in social networks, for example). It also dif fers from the protection of the deceased's right to image and privacy, conferred by the Civil Code, in Article 12, sole para graph, as that rule presupposes the occurrence of violation of these rights, which may be repaired by the heirs mentioned in the legal provision.
Therefore, we can affirm, from the analyzed theories and from the current legal system itself, that the LGPD radiates its norms to the legal situations of interests of the personality, including in what concerns the treatment of digital legacy. It is a source of law that is fully capable of directing discussions and contributing to current demands, as well as guiding fu ture law proposals to deal with the digital legacy in a more complete and compliant manner.
Thus, far from exhausting the theme, this work intends to advance the discussions, from the perspective of the new Brazilian data protection law, an approach not verified in the studies found. We realize that the field of research in this area is still extensive and future work can be developed in order to better investigate how this problem can be dealt with by Brazilian law. In addition, it is important to analyze what dif ferent generations of data holders know about digital legacy, what they think about privacy and how it impacts after the user's death.
Finally, a series of legal and technical challenges surround the discussions about the LGPD and the processing of post mortem data, which need to be discussed in an interdisci plinary way and with due care.