- Businesses are facing challenges in terms of protecting user’s data as well as the security of stored information.
- M&A negotiations and deals should include separate provisions on data processing.
- New rules push forward not only the importance of securing personal data but also a global discussion on data protection issues.
Recently, Brazil adopted its first comprehensive data protection law, the LGPD (Lei Geral de Proteção de Dados, General Data Protection Law). Heavily inspired by the European GDPR, the LGPD has several distinctions, namely a much broader scope of protected data. The law which impacts all business sectors was expected to come into force on August 14, 2020. It was the later postponed to 2021. Nevertheless, at the end of August, the Federal Senate approved the expedited implementation of the LGPD. Now, the law is waiting to be sanctioned by the President, Jair Bolsonaro. The LGPD norms are mandatory, not only for national companies but also for foreign businesses operating in Brazil.
To discuss the impact of the LGPD on businesses and deals, the M&A Community hosted a webinar on the subject in August. Though the sanctions for law breaches might only come into effect in a year, depending on the parliament’s decision, companies and organizations have a lot to prepare for.
Privacy and security
The LGPD was designed to ensure that people's personal data is protected and to provide them with the tools to better control this. The new law is a Brazilian response to the global trend of addressing privacy issues. Though markets generally follow these demands, it is important to make a distinction between privacy and security. These concepts often get mixed up, said Daniel Aviz Bastos, Information Security Manager from TOTVS.
‘We have access to data and have to protect this data from inappropriate access and alterations. Thus, security is in fact focused on the protection of information in general, not directly on privacy. Privacy is associated with the rights of the owner of this data, and how they want their data to be used, he said. Daniel recommended companies to start with a review of their current situation in terms of privacy and data security.
As the LGPD lists the cases in which authorization to use personal data is required, IT teams need to rethink their policies concerning the storage of users’ information in a way that complies with the new regulations.
‘LGPD is a challenge that demands different perspectives and professional expertise. We started by identifying data contexts, the ways it is hosted and registered’, added Alexandre Faustino, IT Supervisor at Eletrobras. He also pointed out that in terms of data storage, businesses should evaluate the need for data so as to dispose with the excessive amounts.
How does LGPD differ from GDPR?
Though these legal frameworks have similar goals (and, apparently, the LGPD’s authors drew inspiration from the European GDPR) there are some noteworthy differences, however.
- Data protection officers (DPOs). The European piece of legislation clearly lists the situation when a DPO is needed. The Brazilian one gives a broader scope saying that a data controller has to appoint such an officer. Perhaps this idea will be clarified later. For now, it suggests that any company processing personal information in Brazil has to appoint/hire a DPO.
- Territorial scope. Both frameworks apply to entities located outside its territories as long as they offer goods and services to individuals located in the European Economic Area (for GDPR) or Brazil (for LGPD). The European legislation includes organizations beyond the EEA but who monitor the behavior of its citizens. For its part, the LGPD has no rules concerning data protection in the case of information in transit in its territory that doesn’t have Brazil as a final destination.
- Lawful grounds for data processing. Both documents define the basis for processing data, i.e. justification for the use of information. The Brazilian LGPD includes 10 of these (while the European GDPR just six). One of the most significant differences in the LGPD list of legal grounds is the protection of credit (for instance, credit scores).
- Data breaches. The GDPR requires any data breach to be reported to the data protection authorities within 72 hours. The LGPD does not give any firm deadline aside from a ‘reasonable time period’.
Dealing with data during M&A activities
The pandemic and its impact on the economy have changed the market’s behavior, as well as M&A and IPO activities. The rushed LGPD enactment does not seem to correspond with the reality on the ground. Though the law was approved two years ago, several businesses still face trouble complying with its rules. The same goes not only for software but also for information security tools and processes, not to mention privacy-related training for the staff.
The difficulties with adhering to the LGPD could have consequences for business deals, especially international ones, said Thiago Luís Sombra, Technology, Anticorruption, and Infrastructure Partner at Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados. He pointed out several important practical aspects of the new law through the M&A prism.
- As Virtual Data Rooms (VDRs) are the fundamental tool for M&As and IPOs, the negotiations between the participating companies should consider data processing procedures. ‘A data processing agreement provides clarity to the data exchange processes and defines the ways in which the data will be transferred’ Thiago says. Consequently, the VDR solution has to not only evaluate the minimal security requests but also to indicate the jurisdiction to which the agreement applies as well as the jurisdiction in which the VDR will be hosted.
- A company should establish policies and procedures to both ensure the security of personal data and have a plan ready, in the case of a security breach. ‘In the past 4 years, Mattos Filho managed several incidents related to data leaks in Brazil. Some of them happened on the eve of an M&A transaction. This means high exposure of the companies and a risk of the devaluation of the assets,’ explains Thiago. While thinking of an M&A deal or an IPO, he adds, businesses should pay extra attention to encryption and data anonymization.
- A data processing agreement also has to define further actions with the data, i.e. when the data will be deleted; what happens if the transaction isn’t successful, etc. The terms of the data disposition should be also included in the agreement.
Data protection culture
The panelists also highlighted the importance of nurturing a data protection culture, in businesses and government structures. As Catia Veloso, Compliance Officer from CCR S.A., pointed out, both the LGPD and the Brazilian anti-corruption laws were adopted as a result of incentives from international organizations and investors.
‘If you are an investor, you are worried about the data being given for an IPO or an M&A. Breaches don’t only happen in Brazil, but also in other countries,’ she added. Warranties and special provisions might be included in the agreements to set out the procedures in the case of a potential breach of the data protection law by the target company.
Redaction is another option to protect personal data that has no value to a deal. Some alternatives are anonymization and pseudonymization of personal information. Thus, one can reduce the risks of breaches of the legislation.
Nevertheless, data protection is a global challenge that businesses and governments need to continue discussing. ‘One may think that it is an IT problem. In fact, it is not, as different areas are involved. People need to develop a culture around that, starting with messaging apps, public Wi-Fi connections, social media, etc. This is a great challenge for our culture which has gotten used to sharing data openly’, said Daniel Beltran Motta, Data Protection Officer at Eletrobras. He believes this issue is a part of the global digital transformation.