Brazil: Children's data under the LGPD
The entry into force of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') in Brazil creates a new legal regime for children's personal data, with some sectors being particularly impacted. Patricia Peck Pinheiro, Marcelo Crespo, Camila Bruna do Nascimento, and Helen Batista Battaglini, from Peck Advogados, discuss this area and its nuances.
Parents generally do everything possible to keep their children safe. With the digital society we live in, this protective instinct extends to the online environment. Meanwhile, the growing use of computer devices and the facilitation of internet access creates a social need for all citizens to acquire some knowledge about cybersecurity.
As children and teenagers (in Brazil, according to the Child and Adolescent Statute, a child is the individual up to 12 years old and teenager is aged between 12 and 18 years old) become more and more exposed to technology, they also become more vulnerable to the risk of exposure of their personal data, or from data breaches. As minors tend to be less aware of the risks and consequences concerning the processing of their personal data, they need specific attention from data protection laws.
Moreover, as a country that is signatory of the United Nation's Convention on Children's Rights, in Brazil, one must consider a child's best interests when taking any action that concerns them.
Brazil is a country that regards minors as individuals in development and, therefore, in need additional protection. This means that, according to the LGPD, consent from at least one of the minor's parents or legal guardians is normally required to process their personal data. Yet, one should not make a literal interpretation of this rule. In certain occasions, such as the cases in which the law requires the processing of the minor's personal data or when the processing is necessary for protection of the minor's life or health, parental consent simply cannot be a requirement.
The one exception that is mentioned in the law is in regards to the processing of the minor's personal data to contact their parents or legal guardians, or to protect the minor. Nonetheless, it is forbidden to share their data with third parties or even to store it. In all cases, the minor's best interests must always be considered when making decisions concerning their personal data processing.
An important point to bear in mind when considering parent's consent is how informed and valid this consent truly is. In other words, the parents or legal guardians must be informed about how the minor's data is being collected, stored, and deleted, as well as that the consent may be withdrawn at any time. Moreover, information about data processing concerning minors' data should always be given in a clear and simple way to allow them to progressively understand how data processing works as they become more mature. The aim of this process is to give parents some control over their children's data, as well as freedom of choice.
Nonetheless, the fact is that the personal data of children and adolescents deserves special protection because it can generate greater risks, since their young age may not allow them to deeply understand the dangers and consequences of the processing of their personal data.
Despite its benefits, the internet can also pose serious threats for the most vulnerable in society, especially children and teenagers. Of course, adults are more aware of the dangers of the internet and the risks associated with using technology.
Thus, it is important to alert adults that parental control should be an aid tool, which serves to educate and warn minors about the dangers they may encounter on the internet. These days, youngsters have access to an unlimited source of content that may not be suitable for their age.
Another interesting question to consider concerning parents' control and minor's personal data is 'sharenting'. In the digital age we live in, children already become connected even before their birth, with their parents posting information, such as ultrasound photos, on social networks. This methodology of starting early in the online world creates digital footprints for minors even without them being aware of it, as parents or guardians have the power to decide the privacy of these children.
It should be clarified that the concept of the 'digital footprint' refers to all the information on the internet about a specific individual. Information can appear in an active and passive way; that is, information entered the network by the person themself, or through recorded data without their knowledge. It is up to parents to decide what content they will share, where to share it, and how much to share. This has a particular impact on bloggers that find themselves in an internal conflict when deciding whether to share their children's experiences online. Parent bloggers must balance their child's right to privacy with the desire to represent their identity in relational terms (as a parent and in solidarity to other parents).
In this same line of thought, the responsibility of parents for the rights of minors, even before birth, can lead to a conflict between rights and, also, generate risks to a healthy development or cause problems in adulthood.
Thus, sharenting, known as the excessive sharing, that parents make of their underage children, is commonly described in specialised literature as any situation in which an adult or the legal guardian of the child or adolescent externally communicates intimate details about a child through digital channels, social media, or any technological means that can handle personal data, such as smart toys or cloud servers.
When it comes to education, the COVID-19 pandemic has had a great impact on the traditional learning system. Brazilian schools are employing more technological resources than ever before. Smartphones, interactive boards, and remote classes have all become routine. Children and teenagers have become used to dealing with this sort of technology and spend many hours a day interacting with it. Nevertheless, parents must pay attention to how and why their children's personal data is being processed.
Similarly, schools also must comply with the LGPD, not only when enrolling students, but also when hiring professionals. This is necessary because schools naturally have access to a multitude of their students', the students' family, and the school's employees' personal data. Therefore, it is essential that all the principles mentioned in the LGPD be respected so that the processing can be legitimate.
It is important to highlight that it is common for Brazilian schools to also store sensitive data regarding students' health. This type of data must be especially protected as the impacts of an eventual data breach could be very harmful.
In short, what should schools do to ensure compliance with the LGPD?
The video game industry
A very interesting theme that affects children and teenagers is video games. Many video games have an indicative age rating and are often inappropriate for the user's age, such that they can influence the development and behaviour of that human being, who is still under development.
An important clarification is that Brazilian legislation for the protection of personal data also applies to the sector of video games. Nowadays, since the creation of the game, developers and marketers need to adopt Privacy by Design and provide transparency to their players' community.
Many modern games have already added a consent notice option to the initial screen of their interface, where they usually provide clear and transparent information about the types of data they will collect and the purpose for doing so (e.g. to add to the gaming experience).
Thus, as children are becoming involved in gaming, it is important that parents or legal representatives pay attention to privacy, security, and data protection issues.
The gaming industry involves devices connected to the internet, including dedicated consoles, personal computers, laptops, tablets, and mobile phones, creating an ecosystem with a high volume of personal data processing activities. Furthermore, the gaming experience often involves watching other players, which display the images and voices of children and teenagers.
Consider a user's right to access the data that the game collects about them, in accordance with the Article 18 of the LGPD. When this user is a child or an adolescent, this right must be invoked by the person who holds parental authority; that is, either one of the parents or the legal guardian, in the same way that these adults are given the duty to consent or not to the processing of the minor's personal data.
In conclusion, before processing minor's personal data, under Brazilian law, it is essential to verify that consent was properly given by the child's parent or legal guardian. Also, their data must always be processed in their best interest and the information regarding the processing should be given in a clear and accessible way to ensure understanding.
Patricia Peck Pinheiro CEO and Founding Partner
Marcelo Crespo Partner
Camila Bruna do Nascimento Associate
Helen Batista Battaglini Associate and Coordinator of Law and Innovation Lab
Peck Advogados, São Paulo