On September 8, 2022, the Brazilian Data Protection Authority (“ANPD”) launched a public consultation on the processing of minors’ personal data (encompassing children under 12-years-old and adolescents between the ages of 12- and 18-years-old).  The consultation will conclude on October 7, 2022.  According to the ANPD, the purpose of the consultation is to resolve divergent interpretations among public authorities, academics, privacy professionals, and representatives of civil society regarding the Brazilian Data Protection Law’s (“LGPD”) provision on the processing of minors’ personal data (Article 14).  The Authority will use the feedback it receives to draw up guidelines on the topic and, possibly, amend the LGPD.

The consultation is informed by a “preliminary study” prepared and published by the ANPD that examines the following three most common interpretations of Article 14 of the LGPD that the abovementioned stakeholders have put forth:

  1. that processing the personal data of children under 12-years-old will always require the consent of a parent or legal guardian;
  2. that processing children’s and adolescents’ personal data must comply with the LGPD’s requirements for processing “sensitive” data to the extent that it meets that definition – i.e., personal data concerning racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data when linked to a natural person; and
  3. that any processing of children’s and adolescents’ personal data must always be carried out in a manner that takes into account their best interests.

The ANPD’s study discusses the pros and cons of each of these interpretations, but ultimately concludes that the third option is the most appropriate interpretation of the LGPD.  As a result, the Authority proposes to amend Article 14 of the LGPD by adding the following draft language:

The processing of personal data of children and adolescents may be carried out pursuant to the legal bases [listed] in Article 7 or, in the case of sensitive data, [the legal bases listed] in Article 11 of the General Law of Data Protection (‘LGPD’), provided that their best interest is taken into account, which needs to be assessed in each concrete case, in accordance with Article 14 of the LGPD.

However, the Authority has not yet taken a final decision on this matter and invites anyone interested to contribute to the consultation via this platform.

The ANPD’s consultation follows from a long line of recent regulatory and legislative developments around children’s privacy worldwide, including, by way of example, the United Kingdom’s Age Appropriate Design Code in September 2021 (see our blog posts here and here), Ireland’s Fundamentals for A Child-Oriented Approach to Data Processing in December 2021 (see our blog posts here and here), as well as California’s recently enacted Age-Appropriate Design Code Act. 

*            *            *

Covington is continually monitoring these developments and is happy to assist organizations in assessing their compliance with the requirements set out in these frameworks. 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Nicholas is a member of the Bar of Texas and Brussels Bar (Dutch Section, B-List). District of Columbia bar application pending; supervised by principals of the firm.