TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Can mandatory consent be optional? Processing children’s personal data under Brazil's LGPD Related reading: Globally, adequately protecting children's data is being prioritized

rss_feed
GDPR-Ready_300x250-Ad

""

""

Society's "datafication" also affects children, who are especially vulnerable to the exposure of their personal information. In its children's data and privacy online report, the London School of Economics divides children's privacy into three segments: interpersonal (the creation of children's digital footprints), institutional (how the government and related agencies handle children's data) and commercial (how children's data is used by businesses and for marketing purposes). With the proliferation of data protection laws worldwide, several debates have arisen, including appropriate safeguards for the processing of children's data by businesses.

Brazil's General Data Protection Law is no different, but further guidance on children's data processing is currently missing. 

To grant children's data special protection, the LGPD establishes consent from parents or legal guardians as the rule for processing. This is not necessarily the case in other jurisdictions. For example, in countries regulated by the EU General Data Protection Regulation, companies can use legitimate interest as a legal basis for processing children's data, provided they take particular caution to balance rights (see Article 6(1)(f)). Thus, one may argue the GDPR is more concessive, while the LGPD tends to be more protective of children. But should consent only apply to children's data on all occasions? As seen below, Article 14 of the LGPD indicates the need to process children's data taking into account rules beyond a black-letter interpretation of the law.

Consent as the rule

The rules on processing children's data are summarized in Article 14 of the LGPD. Article 14, Section 1 is the legal basis for adopting consent as the general rule for processing children's data, thus limiting alternatives. Given Article 14 provides equal treatment to both parental and legal guardian consent, references to "parent" or "parental" hereafter are intended to include "legal guardians." 

format_quoteThe processing of children's personal data shall be done with specific and highlighted consent given by at least one of the parents or the legal guardian.

 

The paragraphs that follow, under Article 14, govern how this consent is obtained and the cases it may be waived. This choice of the legislator aligns itself with the reasoning behind other laws within Brazil's legal framework, e.g., prohibiting children-directed advertising, a scenario in which companies would notoriously want to argue for their legitimate interest a legal basis for processing. 

It is common ground that the interests of the child are to be especially protected. However, the special protection of the child must not be limited to the (less than) 300 words about the subject in the LGPD. Further, the Special Commission's Discussion Report on the drafting of Article 14 of the LGPD clearly states it drew inspiration from the Children's Online Privacy Protection Act, the U.S. legislation that protects children's personal data online. The Special Commission then suggested the online world as the ideal scenario of the LGPD's application, further considering the conflict between parental consent for processing children's data and online authentication capabilities. 

Exceptions to consent

Despite Article 14, Section 1 establishing consent as a legal basis, the first rule that Article 14 of the LGPD, caput establishes is that the processing of minors' data should always be done in their best interest. However, as the Special Commission recognized, this rule alone would be superficial, not adding "any special protection for this vulnerable group of people." Thus, in addition to the best interest of the child, Article 14 caput explicitly mentions two hypotheses for processing children's data: the "terms of this article" — which are the very rules of LGPD — and the "terms of the relevant legislation." 

The terms of Article 14

While Article 14's primary focus is parental or legal guardian consent, as determined in Section 1, it also provides important exceptions to this hypothesis. For example, Section 3 addresses the possibility of processing children's data when necessary to contact their parents, or to protect them. See:

format_quoteChildren's personal data may be collected without the consent mentioned in §1 of this Article when the collection is necessary to contact the parents or the legal guardian, and as long as the data are used one single time and not stored, or for their protection, and under no circumstances shall the data be passed on to third parties without consent as provided in §1 of this Article.

 

Thus, the LGPD recognizes in Article 14, Section 3 the child's best interests do not necessarily equate to the will of parents expressed via consent. There are cases in which a child's best interests may not be subject to consent. In the scenario presented in Section 3, obtaining consent may be impossible. If there is physical separation between the child and the parents (as currently happens with children in the U.S.), it would be unreasonable to require data processing based solely on consent. 

Further, in child protection cases, there is the possibility that data processing may be performed despite, or even against, the wishes of parents. This is because the child's best interests may not correspond with their parents, either because of ignorance of the need for protection or because of malice. Therefore, aiming to protect children, one can infer this Section 3 exception implies the applicability of at least two legal bases not mentioned in Article 14: protection of health and protection of life or physical safety. Even if not explicitly included in Article 14, both of these hypotheses fit the concept of "protection" of the child and are an authoritative ground for processing data without consent.

The terms of the relevant legislation

Article 14 caput references the "relevant legislation." There are two possible meanings to this clause. 

format_quoteThe processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to this Article and relevant legislation.

 

First, one shall read the LGPD together with other laws, notably the Brazilian Child and Adolescent Statute and the Civil Code, seeking harmonic interpretations and avoiding contradictory conclusions. This is a more consensual interpretation of the Article, and little to no dispute arises.

Second, a less explored viewpoint is that Article 14 caput opens the LGPD to the possibility of processing children's data based on compliance with legal or regulatory obligations, in the execution of public policies prescribed in laws or regulations, or to guarantee the regular exercise of rights, provided these obligations and rights are pursuant to relevant legislation.

Negative consequences of consent-only interpretations

Regardless of the interpretation adopted to Article 14, the processing of children's data cannot be reduced to consent and the few exceptions brought in the LGPD. For example, early childhood education schools would be subject to parental consent to process student data to keep track of children's development and produce reports mandatory under Brazilian Federal Law No. 12,796/2013. The same could happen in health services, which have the legal obligation to notify cases (suspected or confirmed) of certain diseases to health authorities as epidemiological information due to public health concerns, according to Law No. 6,259/75. If a doctor violates this particular duty, they commit a criminal offense under Article 269 of the Brazilian Penal Code and may be sanctioned with up to two years of detention and a fine.

In this sense, when harmonizing the LGPD's interpretation with these other laws, one can conclude legal obligations can and should be fulfilled regardless of consent. A restrictive interpretation would distort legal and regulatory obligations that could be impaired by the will of parents, particularly considering consent implies a right to revocation.

A restrictive interpretation of Article 14 causes further gaps. One of them is the impossibility of processing children's data when necessary to exercise rights of the defense in judicial, administrative or arbitral proceedings. The regular exercise of such rights is a legal basis under Articles 7 and 11 of the LGPD, allowing the processing of any other type of personal data. 

For example, consider a dispute between a controller and the parents of a child. In this case, with parental consent being the sole legal basis for data processing, the controller would be prohibited from producing evidence using any data linked to the child, even if such data is in the controller's possession. Further, the LGPD guarantees the right to request deletion of data processed based on consent without justification. This would, at least, allow the parents, in that case, to request deletion of strategic data, enabling undue manipulation of documents. 

One could argue that Article 16 lists hypotheses for refusal to delete personal data and could prevent the above-mentioned distortion. However, the exercise of rights is not a justification under the LGPD to retain information subjected to deletion requests. The legal hypotheses cover only compliance with a legal obligation, study by a research body, transfer to a third party and exclusive use by the controller if the data is anonymized. Therefore, interferences may be caused by the "consent-only" rule for processing children's data. Nonetheless, the LGPD does not provide adequate safeguards for the regular exercise of the controller's rights against such interferences as a valid justification against deletion.

Conclusion

The processing of children's data can and should be largely based on the consent of parents and legal guardians. Information from minors ought to be protected and adequately cared for. However, these assertions should not blind data controllers to instances when processing based on consent would be inadvisable or even unfeasible. 

Data protection laws should focus on protecting children's information to prevent abuse, more frequent with vulnerable data subjects. Nonetheless, this should not prevent all processing of children's data, particularly when in their best interest. 

Legal bases provided for in the LGPD — such as the protection of health, protection of life and physical integrity, legal or regulatory obligation, and regular exercise of rights — may be compatible with these interests in certain scenarios. Other legal bases not discussed, including the execution of public policies prescribed in laws or regulations, could also be considered. Not recognizing the applicability of these legal bases can seriously distort a complex system of legal and regulatory obligations and potentially harm the very well-being of these minors who are intended to be protected.

Photo by Jonathan Borba on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Comments

If you want to comment on this post, you need to login.