Processing of personal data of children and adolescents

*This is an AI-powered machine translation of the original text in Portuguese.

**The image used in this article was created by a generative artificial intelligence.

*** Originally published in Conjur.

The integration of children and adolescents into the virtual world is a phenomenon consolidated by the expansion of internet access, especially through mobile devices. In Brazil, 92% of the population between 9 and 17 years old uses the internet, with the mobile phone being the primary means of access [1].

Due to the everyday relevance of various online applications and sites, the United Nations (UN) has repeatedly recognized the importance of internet access as an indispensable means closely related to the consolidation and enjoyment of human rights [2]. This has encouraged nations to provide infrastructure and promote secure web access [3].

Despite the various benefits associated with digital inclusion and connectivity, there are risks associated with the excessive use of these devices and access to inappropriate content [4][5]. Additionally, the dynamic nature of digital environments expands the risks to which children and adolescents are exposed, requiring constant updates to mitigation strategies in response to virtual landscape transformations [6].

Risk Reduction

In this context, collective and social practices such as education and digital literacy through school and community activities, involving parents and guardians, along with the support of multidisciplinary professionals, play a significant role in developing digital skills. This allows children and adolescents to enjoy the benefits and opportunities provided by digital technologies while reducing associated risks [7].

On the other hand, technical and organizational measures also assist in risk mitigation by establishing access control mechanisms and content limitations. Often, the effectiveness of these tools is directly related to the processing of personal data of children and adolescents, where the extent of their treatment influences the proposed solutions to the issue.

Legal Aspects of Data Processing

Therefore, it is essential to understand the legal contours of the processing of personal data of children and adolescents to appropriately and effectively provide protection.

Concerning the protection of personal data and information related to children and adolescents, the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais - LGPD) in Brazil, through Article 14, mandates that the processing of personal data of children and adolescents must strictly align with their best interests. It also specifies that access to applications, in general, should not be contingent on obtaining or collecting personal data [8].

Moreover, a literal interpretation of the article would lead to the conclusion that the processing of personal data of children requires consent from at least one parent or guardian [9].

These legal provisions have sparked discussions about the limits and conditions for processing personal data of minors [10][11]. The National Data Protection Authority (Autoridade Nacional de Proteção de Dados - ANPD) published a statement [12] after a public consultation, explicitly stating that the processing of personal data of children and adolescents can be conducted in accordance with the legal bases provided by LGPD, as long as these operations consider the best interests of these individuals in the specific case [13][14].

Data Minimization and the "Best Interest" of the Child

Despite the doctrinal consolidation [15] and institutional reaffirmation [16] of this understanding, the application of the necessity principle [17], or data minimization, often occurs in a way that is not aligned with, and may be detrimental to, the best interest of the child or adolescent. This situation reflects apprehension and uncertainty among agents regarding the processing of any personal data of minors.

The principle of minimization stipulates that the information used in a data processing operation should be "relevant, proportional, and not excessive," limited to what is necessary for achieving its purposes, measured in connection with the inherent purposes of the data processing in question.

The need to observe the principle of minimization as a parameter for the development and optimization of data processing operations is evident. However, what is sometimes observed is the application of the principle as if it were a rule, seeking data minimization at any cost, even at the expense of pursuing best practices for data processing in the face of situations faced by agents.

Within the strict scope of processing data of children and adolescents, this phenomenon persists, sometimes even obscuring the conceptual boundaries between the "best interest" and what the principle of minimization truly represents. This lack of understanding and differentiation implies a mistaken confusion between the concepts, leading to the reduction of one to the other, the notion that the best interest of the child is automatically and necessarily data minimization.

However, data minimization and the best interest of the child are not synonymous, nor are they mutually exclusive. There will be circumstances in which consciously restricting access to the data of minors will undoubtedly be the most suitable approach to safeguarding their best interest, demonstrating the possibility of practical equivalence between minimization and the best interest.

Targeted Advertising and Seeking Advantages

This fact is particularly relevant when considering contexts such as targeted advertising, predictive analyses of various kinds, and other applications that, in general, seek to use data for commercial advantages. Some of these practices are even prohibited by legislation protecting children and adolescents, as well as consumer rights [18].

Nevertheless, when addressing the online security of minors, the possibility of conducting a more comprehensive data treatment may provide more effective control mechanisms. Thus, by preserving the best interest of children and adolescents - with the purpose of mitigating the risks to which minors are exposed in digital environments - treatment mechanisms that could be considered more intrusive are promoted.

In this sense, therefore, possibilities are identified not only for strict congruence between the minimization of children's personal data and the best interest of their data subjects but also for situations in which the best interest of the child actually requires the processing of more data [19]. Sometimes, therefore, the more comprehensive processing of data of children and adolescents is more compatible and appropriate to their best interests.

Quantity and Quality of Collected Information

It can be verified that the best interest of the child is not subsumed or reduced to the principle of minimization. Moreover, the principle of necessity can be violated not only through improperly extensive collection of personal data but also through insufficiently comprehensive data collection for the necessary best interest of the child to be preserved.

Furthermore, it can be affirmed that the lack of robustness in the data resulting from a certain information collection may demonstrate a quality defect in that set of information, whose relevance is linked to the purpose of that data processing operation - which may be related, for example, to the protection of minors in digital environments. In other words, the dimension or quantity of information collected sometimes immediately concerns the quality of the processed data, considering the purpose of that treatment.

The potential inadequacy in the robustness of collected and processed data (input), therefore, may imply deficiencies in the quality of this data, potentially prejudicing the primary purpose of safeguarding the best interest of children and adolescents (output). This situation would involve a questionable decision to prioritize minimization over the imperative of the best interest of minors.

Parental Consent

The General Data Protection Law also stipulates the obligation to ensure that consent obtained through electronic devices originates from parents or guardians whenever this hypothesis constitutes the appropriate legal basis for data processing. One of the practical limitations highlighted for identity verification is precisely the availability of technologies, which may allow future technological advancements to improve identification systems, probably through more robust data processing.

"Art. 14 [...] § 5º The controller must make all reasonable efforts to verify that the consent referred to in § 1º of this article was given by the person responsible for the child, considering the available technologies."

Processing of Personal Data and User Identification

Already today, however, the capacity for processing personal data enables the identification of users through various elements, including the treatment of data known as 'soft biometrics': information derived from the measurement of aspects of the human body that do not necessarily function as unique identifiers of a specific person but allow the understanding of certain characteristics [20].

This category of information includes a wide range of data such as typing patterns, the position of the mobile device during use (obtained through the gyroscope integrated into the cell phone), relative height to the ground, among other factors.

When combined, features employing such elements can contribute, for example, to an assessment of the likely age of a particular user. Other categories of data, such as accessed sites, language patterns employed, and the temporal record of screen activity, can also be incorporated into a predictive analysis that, while not infallible, can enhance accuracy in determining the actual age of various users of electronic devices, beyond the self-declared age.

Legality of Data Processing

The feasibility of such identification forms is intrinsically linked to the legality associated with processing a substantial volume of personal data. However, considering the best interest of minors and aiming for their protection - for example, against exposure to inappropriate content - this processing would be justified in the protection of the minors themselves who use this type of platform.

It is in this sense that the EU Commission decided in late December 2023 [21], stating, in the words of Commissioner Thierry Bretton, that "creating a safer online environment for our children is a priority" [22].

Since December 2023, among the "very large online platforms" (VLOPs), three adult content platforms are now included, and they will have the obligation to "redesign their systems to ensure a high level of privacy, security, and protection of minors" [23], and they may adopt more intensive personal data processing measures to achieve the safety goal for minors set by the regulator.

Moreover, if the analysis of these inferences can reveal the identity of minors claiming to be older, under the same logic, it would be feasible to identify those who, online, seek to portray themselves as younger than they really are. The discrepancy between the self-declared age and observed behavior emerges as a crucial factor in the effective management of minors' access to various types of content, as well as other previously listed risk elements.

Best Interest and Minimization of Processed Data

In the context of personal data protection, the consideration of the best interest of minors should not automatically mean the minimization of processed data. Despite the unquestionable importance of data minimization for the protection of minors in various contexts, there are nuances involved in the treatment of this information, for example, when seeking to ensure a safer online environment.

The possibility of identification through the processing of personal data, although subject to legal and ethical considerations, can represent an effective tool in managing the access of minors, both in terms of the types of online content accessed and the time spent accessing this digital content. In this sense, it acts as a mechanism that, although more intrusive, is more effective in ensuring the best interest of the child in the context of a digitized world.

[1] TIC KIDS ONLINE BRAZIL. Research on Internet Use by Children and Adolescents in Brazil: 2022. São Paulo: Cetic.br, 2023. Available at: https://cetic.br/media/docs/publicacoes/1/20230825142135/tic_kids_online_2022_livro_eletronico.pdf. Accessed on Dec 28, 2023.

[2] In this regard, see: UNITED NATIONS GENERAL ASSEMBLY. Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue. Index A/HRC/17/27, May 16, 2011. Available at: https://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf. Accessed on Jan 2, 2024.

UNITED NATIONS GENERAL ASSEMBLY. The promotion, protection and enjoyment of human rights on the Internet. Index A/HRC/47/L.22, July 7, 2021. Available at: https://ap.ohchr.org/documents/dpage_e.aspx?si=A/HRC/47/L.22. Accessed on Jan 2, 2023.

[3] "9. Encourages all States to support civil society in its efforts to address barriers to digital access; 10. Also encourages all States to take the necessary and appropriate measures to promote free, open interoperable, reliable and secure access to the Internet and, in a manner that complies with their international human rights obligations, address disinformation and advocacy of hatred constituting incitement to discrimination, hostility or violence, in order to ensure the full enjoyment of human rights; 11. Condemns unequivocally measures in violation of international human rights law that prevent or disrupt an individual’s ability to seek, receive or impart information online, including Internet shutdowns and online censorship, calls upon all States to refrain from and to cease such measures, and also calls upon States to ensure that all domestic laws, policies and practices are consistent with their international human rights obligations with regard to freedom of opinion and expression, and of association and peaceful assembly, online; […] 14. Stresses that many States all over the world need support in expanding infrastructure, technological cooperation and capacity-building, including human and institutional capacity-building, to ensure accessibility, affordability and availability of the Internet in order to bridge digital divides, to meet the Sustainable Development Goal and to ensure the full enjoyment of human rights” [highlights in the original] (UN, 2021, Index A/HRC/47/L.22).

[4] GAGLIONI, Cesar. What is healthy screen use in childhood, according to studies. Nexo, Sep 8, 2022. Available at: https://www.nexojornal.com.br/expresso/2022/09/08/O-que-%C3%A9-uso-saud%C3%A1vel-de-telas-na-inf%C3%A2ncia-segundo-estudos. Accessed on Dec 28, 2023.

[5] GRINBERGAS, Daniella. The danger in the use (and abuse) of screens by children. Veja Saúde, Jan 21, 2022. Available at: https://saude.abril.com.br/familia/o-perigo-no-uso-e-abuso-das-telas-pelas-criancas. Accessed on Dec 28, 2023.

[6] OECD. Children in the digital environment: revised typology of risks. OECD Digital Economy Papers, No. 302, Jan 2021. Available at: https://www.oecd-ilibrary.org/docserver/9b8f222e-en.pdf?expires=1702904054&id=id&accname=guest&checksum=C0890857D435ECC91BA82C09E321C2D2. Accessed on Dec 28, 2023.

[7] OECD. Protecting children online: an overview of recent developments in legal frameworks and policies. OECD Digital Economy Papers, No. 295, Jun 2020. Available at: https://www.oecd-ilibrary.org/docserver/9e0e49a9-en.pdf?expires=1702904114&id=id&accname=guest&checksum=1281571492916AA83F42D290E77EA4E6. Accessed on Dec 29, 2023.

[8] As stipulated by the General Data Protection Law, see:

Art. 14. The processing of personal data of children and adolescents must be carried out in their best interest, in accordance with this article and relevant legislation. […]

4th Controllers shall not condition the participation of the holders referred to in § 1st of this article in games, internet applications, or other activities on the provision of personal information beyond what is strictly necessary for the activity. [9] Art. 14. […]

1st The processing of personal data of children must be carried out with specific and prominent consent given by at least one parent or legal guardian. [10] INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS (IAPP). Can mandatory consent be optional? Processing children’s personal data under Brazil’s LGPD. International Association of Privacy Professionals (IAPP), Apr 2021. Available at: https://iapp.org/news/a/can-mandatory-consent-be-optional-processing-childrens-personal-data-under-brazils-lgpd/#. Accessed on Dec 28, 2023.

[11] Preliminary Study: Legal hypotheses applicable to the processing of personal data of children and adolescents. National Data Protection Authority (ANPD), September 2022. Available at: https://www.gov.br/anpd/pt-br/documentos-e-publicacoes/estudo-preliminar-tratamento-de-dados-crianca-e-adolescente.pdf. Accessed on Dec 29, 2023.

[12] BRAZIL. Official Gazette of the Union (DOU). Statement CD/ANPD No. 1, May 22, 2023. Available at: https://www.in.gov.br/en/web/dou/-/enunciado-cd/anpd-n-1-de-22-de-maio-de-2023-485306934. Accessed on Dec 28, 2023.

[13] In the scope of the Study conducted by the Coordination-General for Standardization of ANPD, three interpretive hypotheses of the incidence of legal hypotheses for the processing of data of children and adolescents were addressed. The first of these currents argues for the requirement of applying parental or guardian consent as the exclusive hypothesis for the processing of data of these holders. The second, in turn, goes in the direction of equating the personal data of children and adolescents to sensitive personal data, applying, in this sense, only the hypotheses set forth in Article 11 of LGPD. The prevailing understanding, however, is that the hypotheses of Article 7 and Article 11 are fully applicable as long as the best interest of the child is preserved, in accordance with the Statement.

[14] Statement CD/ANPD No. 1/2023. “The processing of personal data of children and adolescents can be carried out based on the legal hypotheses provided for in art. 7 or art. 11 of the General Data Protection Law (LGPD), as long as its best interest is observed and prevailing, to be evaluated in the specific case, in accordance with art. 14 of the Law”.

[15] See, in this regard: FICO, Bernardo. SOUSA, Beatriz de. Can mandatory consent be optional? Processing children’s personal data under Brazil’s LGPD. International Association of Privacy Professionals (IAPP), Apr 2021. Available at: https://iapp.org/news/a/can-mandatory-consent-be-optional-processing-childrens-personal-data-under-brazils-lgpd/#. Accessed on Dec 28, 2023.

TEFFÉ, Chiara Spadaccini de. Protection of data of children and adolescents. Revista do advogado, n.º 144, Nov 2019. Available at: https://aplicacao.aasp.org.br/aasp/servicos/revista_advogado/paginaveis/144/53/index.html#zoom=z. Accessed on Jan 2, 2024.

FEDERAL JUDICIARY COUNCIL. IX Civil Law Conference – Statement No. 684. Article 14 of Law No. 13,709/2018 (General Data Protection Law – LGPD) does not exclude the application of other legal bases, if applicable, observing the best interest of the child. Available at: https://www.cjf.jus.br/enunciados/enunciado/1823. Accessed on Jan 2, 2024.

[16] BRAZIL. Official Gazette of the Union (DOU). Statement CD/ANPD No. 1, May 22, 2023. Available at: https://www.in.gov.br/en/web/dou/-/enunciado-cd/anpd-n-1-de-22-de-maio-de-2023-485306934. Accessed on Dec 28, 2023.

[17] Principle established by virtue of art. 6, item III, of LGPD, as follows:

Art. 6. The processing activities of personal data must observe good faith and the following principles: […]

III – necessity: limitation of processing to the minimum necessary for the accomplishment of its purposes, with coverage of relevant, proportional and not excessive data in relation to the purposes of data processing.

[18] The Statute of the Child and Adolescent (Law No. 8,069/1990, ‘ECA’), especially due to its article 15, recognizes the peculiarity of the condition of minors, due to the need for their development. The Consumer Defense Code (Law No. 8,078/1990, ‘CDC’), in accordance, points out in its article 37, §2, the abusiveness of advertising that takes advantage of such infant condition, due to the "deficiency of judgment and experience" with manipulative purposes; in the same sense, article 39, item IV, of the CDC explicitly prohibits the instrumentalization of the vulnerability of consumers in abusive practices, including due to their health. The regulation that most directly addresses the issue, however, is Resolution 163, of March 2014, of the National Council for the Rights of Children and Adolescents (‘CONANDA’), which defines as abusive "the practice of directing advertising and marketing communication to the child, with the intention of persuading them to consume any product or service" (article 2, caput). Also noteworthy is what is provided in article 31 of the UN Convention on the Rights of the Child, according to which it is the child's right to be protected "against economic exploitation".

[19] This circumstance was even recognized by the National Data Protection Authority in Technical Note No. 6/2023/CGF/ANPD "5.47. […] it is necessary to assess whether a more robust tool for age verification at the time of registration - and which probably deals with more personal data, but with greater control - would be more appropriate and pose less risks than a flawed mechanism that allows extensive processing of personal data of millions of children who should not even be on the platform." [emphasis added]. Available at: https://www.gov.br/anpd/pt-br/documentos-e-publicacoes/tiktok-nota_tecnica_6_versao_publica.pdf. Accessed on Dec 29, 2023.

[20] For access to later information regarding the use of biometric data in verifying the age of users of digital applications, see: https://www.biometricupdate.com/biometric-news/age-verification.

[21] EUROPEAN COMMISSION. Commission designates second set of Very Large Online Platforms under the Digital Services Act. European Commission, Dec 20, 2023. Available at: https://ec.europa.eu/commission/presscorner/detail/en/IP_23_6763. Accessed on Jan 2, 2024.

[22] BRETON, Thierry. […] Creating a safer online environment for our children is an enforcement priority under the DSA. Dec 20, 2023. X (Twitter): @ThierryBreton. Available at: https://twitter.com/ThierryBreton/status/1737412433776394727?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1737412433776394727%7Ctwgr%5E6c8f6aef35301f0d245eacedaaaaededee0c9df2%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.euronews.com%2Fmy-europe%2F2023%2F12%2F20%2Fpornhub-stripchat-and-xvideos-to-be-policed-under-eus-stringent-digital-rules. Accessed on Jan 2, 2023.

[23] "Redesign their systems to ensure a high level of privacy, security and safety of minors". EUROPEAN COMMISSION. Commission designates second set of Very Large Online Platforms under the Digital Services Act. European Commission, Dec 20, 2023. Available at: https://ec.europa.eu/commission/presscorner/detail/en/IP_23_6763. Accessed on Jan 2, 2024.

By using our website, you agree to our Privacy Policy and our cookies usage.