LGPD in Brazil: How the New Data Protection Law is impacting Businesses and Deals

  • Businesses are facing challenges in terms of protecting user’s data as well as the security of stored information.
  • M&A negotiations and deals should include separate provisions on data processing.
  • New rules push forward not only the importance of securing personal data but also a global discussion on data protection issues.

Recently, Brazil adopted its first comprehensive data protection law, the LGPD (Lei Geral de Proteção de Dados, General Data Protection Law). Heavily inspired by the European GDPR, the LGPD has several distinctions, namely a much broader scope of protected data.  The law which impacts all business sectors was expected to come into force on August 14, 2020. It was the later postponed to 2021. Nevertheless, at the end of August, the Federal Senate approved the expedited implementation of the LGPD. Now, the law is waiting to be sanctioned by the President, Jair Bolsonaro. The LGPD norms are mandatory, not only for national companies but also for foreign businesses operating in Brazil.

To discuss the impact of the LGPD on businesses and deals, the M&A Community hosted a webinar on the subject in August. Though the sanctions for law breaches might only come into effect in a year, depending on the parliament’s decision, companies and organizations have a lot to prepare for.

Privacy and security

The LGPD was designed to ensure that people's personal data is protected and to provide them with the tools to better control this. The new law is a Brazilian response to the global trend of addressing privacy issues. Though markets generally follow these demands, it is important to make a distinction between privacy and security. These concepts often get mixed up, said Daniel Aviz Bastos, Information Security Manager from TOTVS.

‘We have access to data and have to protect this data from inappropriate access and alterations. Thus, security is in fact focused on the protection of information in general, not directly on privacy. Privacy is associated with the rights of the owner of this data, and how they want their data to be used, he said. Daniel recommended companies to start with a review of their current situation in terms of privacy and data security.

As the LGPD lists the cases in which authorization to use personal data is required, IT teams need to rethink their policies concerning the storage of users’ information in a way that complies with the new regulations.

‘LGPD is a challenge that demands different perspectives and professional expertise. We started by identifying data contexts, the ways it is hosted and registered’, added Alexandre Faustino, IT Supervisor at Eletrobras. He also pointed out that in terms of data storage, businesses should evaluate the need for data so as to dispose with the excessive amounts.

How does LGPD differ from GDPR?

Though these legal frameworks have similar goals (and, apparently, the LGPD’s authors drew inspiration from the European GDPR) there are some noteworthy differences, however.

  • Data protection officers (DPOs). The European piece of legislation clearly lists the situation when a DPO is needed.  The Brazilian one gives a broader scope saying that a data controller has to appoint such an officer. Perhaps this idea will be clarified later. For now, it suggests that any company processing personal information in Brazil has to appoint/hire a DPO.
  • Territorial scope. Both frameworks apply to entities located outside its territories as long as they offer goods and services to individuals located in the European Economic Area (for GDPR) or Brazil (for LGPD). The European legislation includes organizations beyond the EEA but who monitor the behavior of its citizens. For its part, the LGPD has no rules concerning data protection in the case of information in transit in its territory that doesn’t have Brazil as a final destination.
  • Lawful grounds for data processing. Both documents define the basis for processing data, i.e. justification for the use of information. The Brazilian LGPD includes 10 of these (while the European GDPR just six). One of the most significant differences in the LGPD list of legal grounds is the protection of credit (for instance, credit scores).
  • Data breaches. The GDPR requires any data breach to be reported to the data protection authorities within 72 hours. The LGPD does not give any firm deadline aside from a ‘reasonable time period’.

Dealing with data during M&A activities

The pandemic and its impact on the economy have changed the market’s behavior, as well as M&A and IPO activities. The rushed LGPD enactment does not seem to correspond with the reality on the ground. Though the law was approved two years ago, several businesses still face trouble complying with its rules. The same goes not only for software but also for information security tools and processes, not to mention privacy-related training for the staff.

The difficulties with adhering to the LGPD could have consequences for business deals, especially international ones, said Thiago Luís Sombra, Technology, Anticorruption, and Infrastructure Partner at Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados. He pointed out several important practical aspects of the new law through the M&A prism.

  • As Virtual Data Rooms (VDRs) are the fundamental tool for M&As and IPOs, the negotiations between the participating companies should consider data processing procedures. ‘A data processing agreement provides clarity to the data exchange processes and defines the ways in which the data will be transferred’ Thiago says. Consequently, the VDR solution has to not only evaluate the minimal security requests but also to indicate the jurisdiction to which the agreement applies as well as the jurisdiction in which the VDR will be hosted.
  • A company should establish policies and procedures to both ensure the security of personal data and have a plan ready, in the case of a security breach. ‘In the past 4 years, Mattos Filho managed several incidents related to data leaks in Brazil. Some of them happened on the eve of an M&A transaction. This means high exposure of the companies and a risk of the devaluation of the assets,’ explains Thiago. While thinking of an M&A deal or an IPO, he adds, businesses should pay extra attention to encryption and data anonymization.
  • A data processing agreement also has to define further actions with the data, i.e. when the data will be deleted; what happens if the transaction isn’t successful, etc. The terms of the data disposition should be also included in the agreement.

Data protection culture

The panelists also highlighted the importance of nurturing a data protection culture, in businesses and government structures. As Catia Veloso, Compliance Officer from CCR S.A., pointed out, both the LGPD and the Brazilian anti-corruption laws were adopted as a result of incentives from international organizations and investors.

‘If you are an investor, you are worried about the data being given for an IPO or an M&A. Breaches don’t only happen in Brazil, but also in other countries,’ she added. Warranties and special provisions might be included in the agreements to set out the procedures in the case of a potential breach of the data protection law by the target company. 

Redaction is another option to protect personal data that has no value to a deal. Some alternatives are anonymization and pseudonymization of personal information. Thus, one can reduce the risks of breaches of the legislation.

Nevertheless, data protection is a global challenge that businesses and governments need to continue discussing. ‘One may think that it is an IT problem. In fact, it is not, as different areas are involved. People need to develop a culture around that, starting with messaging apps, public Wi-Fi connections, social media, etc. This is a great challenge for our culture which has gotten used to sharing data openly’, said Daniel Beltran Motta, Data Protection Officer at Eletrobras. He believes this issue is a part of the global digital transformation.

Other Insights

See More
Russia
Agriculture

Will Smart Farming Make Agriculture More Sustainable? An Interview with the Founder of iFarm

Digitization in agriculture can help use resources efficiently and rationally, allowing farmers to get the most out of the outcome.

See More
Russia
iFarm - vertical farm in Finland
Agriculture

Innovations in Agriculture: A Lucrative Field for Investors

Investor interest in vertical farming surged in 2020, reaching $929M in the US alone.

See More
Russia
M&A Agriculture
Agriculture

What’s Happening in the Agribusiness in Russia? An M&A Point of View

Crop production seems to be the most lucrative segment in Russian agriculture as the demand is substantially higher than the supply.

See More
USA
Health Tech M&A
Healthcare

Telemedicine is Changing the Healthcare Landscape: Expert Outlook 2021

With several new coronavirus strains circulating, it is hardly likely that the healthcare industry will soon escape from this period of...

See More
USA
M&A AI Tech
Tech

M&As in the AI Market: Tech and Deals Explained

The artificial intelligence (AI) industry survived its ‘winter’, in terms of limited hardware capacities, some time ago. Now, this sector seems...

See More
USA
Bruce Molloy
Tech

AI Industry: What Any Business Leader Should Know

Business leaders can understand what AI can do in straightforward ways, including the opportunities it creates, the problems it solves, and the...

See More
USA
Healthcare

The Post-pandemic Health Industry: Tech Is Poised to Play a Much Bigger Role

The next normal presents itself with emerging opportunities, challenges, and new health tech use cases in the US, and globally.

See More
Brazil
Sao Paulo, Brazil
M&A

Experts Show Optimism for the M&A Market in Brazil in 2021

Economic recovery in a Brazilian context will involve greater liquidity and an enormous structural change.

See More
Brazil
The National Congress of Brazil
M&A

The LGPD to Attract More Foreign Investment to Brazil

With the LGPD, the business environment will have more clarity about the regulations to be made a clearer perspective for foreign investors.

See More
New Normal
M&A

M&A: Getting Used to the ‘New Normal’ 

Political and geopolitical tensions worldwide may also hint at the events we might see in the nearest future. What are the main currents in the...

See More
Portugal
Oporto, Portugal
M&A

M&A in the North of Portugal: Tough Situation, Plenty of Opportunities

The outlook of the mergers and acquisitions landscape in the north of Portugal.

See More
Reva Goujon
M&A

‘Strategic Scenario Planning’: Reva Goujon — about resilient M&A Approach, US-China Rivalry, and Cyber Influence Ops 

How to design smart and resilient M&A strategies amidst global uncertainties?

See More
Russia
moscow city
M&A

M&A in Russia: Negative Trends with a Silver Lining?

Despite several periods of turbulence, and downturns, the Russian M&A market ‘is still alive’.

See More
USA
Crossroads
M&A

Global Business Climate, Geopolitics, and M&A: Where we are at now 

Everyone, from small firms to large corporations, has to adapt to the new realities and find new ways to stay afloat.

See More
USA
Tech

‘AI Hype’ and M&A: Artificial Intelligence Strategies and Putting a Value on a Deal

How AI technologies can create value for different industries, and what to consider during any AI-related M&A transaction.

See More
Ignacio Tornero
M&A

China Goes Overseas: The Successes and Challenges of PRC in Latin America. An Interview with Ignacio Tornero

Digging deeper into the Chinese expansion in Latin America.

See More
USA
Tech

Tech, M&As and their Future: Reality and Expectations

From the valuation of AI assets to IoT, blockchain, and ESG (Environmental and Social Governance) in business.

See More
Portugal
Porto, Portugal
Legal

Legal Frameworks for Turbulent Times: Cases of Distressed Investments in Portugal

Are there ways to prevent the wave of insolvencies expected in 2021?

See More
USA
M&A

Geopolitics and M&A: Power Play in the Turbulent World. An Interview with Klisman Murati

How do geopolitics define the long-term strategies of states, and impact the economic actors?

See More
Portugal
M&A

Distressed Investments in Portugal: An Economic and Legal Outlook

The number of insolvencies in Portugal is rising and businesses are facing uncertainty in terms of future financing.

See More
USA
Hong Kong harbor
M&A

China’s Gordian Knot of Geopolitics: Regional Expansion or Global Ambitions?

Though Beijing is being careful with international politics, in an economic scene it is more active.

See More
Israel
Healthcare

China and Russia: Behind the Scenes of Healthcare and Biotech M&As

How is the M&A landscape in the healthcare industry changing?

See More
USA
Investment

The US vs. China: How their Geopolitical Game is Affecting M&As

Beijing remains cautious in terms of restrictive measures against the US in response.

See More
Israel
Healthcare

Changing Landscapes in Chinese, Russian, and Israeli Healthcare Investments 

The healthcare and life sciences branches seem to be struggling with the new challenges.

See More
Australia
M&A

Four Human Capital Factors to Consider during an M&A Deal

Without the proper management of human resources, the majority of M&A deals are bound to fail.

See More
Australia
M&A

Extracting Commercial Benefit from Data: Lessons for M&As

Data can be applied and bring value at various stages of the M&A process.

See More
China
Investment

M&A Regulatory Updates in China and Abroad 

How can tightening regulations impact the M&A situation in the Asia-Pacific region?

See More
M&A

Global M&A: Is a Recovery in Sight?

The full impact of the coronavirus crisis has manifested itself in Q2 2020. Here’s a brief overview of the global M&A situation in Q&A.

See More
China
M&A

Trends That Are Defining Cross-Border M&A in China

The global M&A market is showing a strong decline: it has more than halved to $0.9T in the first half of 2020.

See More
USA
Inner city investment in the USA
Investment

Three Cases to Describe the Progression of Impact Investing 

Investors wanting more societal changes are fueling growth in impact investing, allocating capital to assets that push positive changes forward.

See More
USA
Investment

Paradigm Shift in Impact Investing: Trends to Influence Businesses in a Post-Pandemic World

While the world is living through turbulent times, businesses and investors cannot stand aside unaffected. To dive deep into the issues of...

See More
China
Energy

Global Energy Investments and M&A: A Quick Guide

The chaos this year on the oil market seems to have echoed into other energy sectors, leaving investors in a state of uncertainty. However, this...

See More
China
Energy

Investment Opportunities and Risks in the Global Energy Industry

2020 looks like being the biggest black swan event since WWII. The global pandemic has affected the mentality of investors all over the world....

See More
China
legal service
Legal

The Role of Legal Service Providers in Cross-Border M&A

In recent years, an increasing number of Chinese companies are seeking international expansion in response to the nation’s “Go Global” campaign....

See More
China
business mna
M&A

How to improve bid success rate in cross-border M&A

Initiated by iDeals and co-organized by several key players in the cross-border M&A industry such as KPMG, Eurasian, and GORG, the China-EU...

See More
China
mna community
Investment

M&A Community In-depth Interview: The Three Key Questions in China-EU M&A

Recently, iDeals hosted the M&A Community: China-EU Cross-border Best Practice Sharing event in Shanghai.

Speakers of this event

See More
Brazil
Catia Veloso M&A Community

Catia Veloso

Compliance Officer at CCR
See More
Brazil

Daniel Aviz Bastos

Information Security Manager, TOTVS MATRIZ
See More
Brazil

Thiago Luís Santos Sombra

Partner at Mattos Filho
See More
Brazil

Alexandre Albuquerque Faustino

CIO at Eletrobras
See More
Brazil

Daniel Beltran Motta

Data Protection Officer of Eletrobras

Upcoming Events

Get In Touch

Our team is happy to answer your questions. Fill out this form and we will get in touch with you.