

Since entering into force on 18 September 2020, the General Data Protection Law (LGPD) has impacted M&A transactions by directly affecting the preliminary activities of valuation and due diligence, as well as the actual implementation of such deals. Now, with the increasing digitalisation and virtualisation of companies, there are also greater risks for post-M&A activities, especially in the acquirer's absorption and integration of many of the target company's databases.

In essence, personal data protection becomes a concern in these deals, whether before, during or after completion, as there is a risk of acquiring a business model that is not in compliance with the LGPD or is susceptible to information security incidents that may result in serious data leaks and penalties from the newly created National Data Protection Authority.

Importance of data protection in M&A transactions

Although the approval of the LGPD is relatively recent and the possibility to assess penalties became effective only in 2021, the topic of data protection in the sphere of M&A transactions is not new, as evidenced by notable cases of data breaches during Verizon's acquisition of Yahoo in 2014(1) and Marriott's acquisition of Starwood.(2)

On the one hand, this demonstrates the need for companies to comply with personal data protection rules and, on the other, the importance of taking these aspects into account in an M&A transaction.

Valuation and due diligence in data protection

A survey published in 2019 by Merrill Corporation, based on interviews with over five hundred M&A professionals in Europe, Africa, and the Middle East, found that around 55% of respondents had worked on transactions that did not progress because of concerns about the target company's compliance with data protection laws, and that over 50% of respondents in France, Germany and the United Kingdom consider data security one of the top three issues in the due diligence process of an M&A transaction. Another survey, conducted by Forescout Technologies with approximately 2,700 IT professionals and business managers, found that 53% of respondents had experienced situations where a transaction was put at risk by critical cybersecurity issues.

From this, Brazilian businesses can learn that the existence of data governance mechanisms, in addition to the establishment of a robust privacy and data protection compliance program, directly impacts the valuation of companies in M&A contexts. Therefore, acquisitions of companies that do not comply with the LGPD represent not only a financial risk (ie, with the possibility of incidents or the application of penalties) but also a reputational risk.

In turn, due diligence processes become essential to identifying such problems and reducing information asymmetries between the parties. Therefore, besides the conventional procedures of this stage related to corporate, tax, environmental, contractual, labour and real estate aspects, an analysis of the target company from the perspective of personal data protection before an M&A transaction is essential to help the acquiring party to:

  • assess the target company's compliance with the LGPD to calculate possible post-transaction expenses to align it with the legislation;
  • identify the purposes and the legal basis that justify the processing of the data in the target company's business processes to ensure the future use of the database without any breaches of the LGPD's provisions;
  • determine the correct valuation, considering any contingency plans required, both from a legal and technical point of view;
  • identify and assess possible risks of unmaterialised data incidents and their potential financial and reputational impacts;
  • identify whether the target company has incident contingency and business continuity plans in place to deal with an information security incident or a data protection incident; and
  • identify the existence of, and evaluate, the target company's data protection policies and data map.


All this information helps to identify contingencies that may represent significant risks for the purchasing party. It is worth remembering that the administrative penalties set out in the LGPD entered into force in Brazil on 1 August 2021 – they range from the application of fines, which may reach 50 million reais ($10 million), to blocking or eliminating personal databases of the penalised companies.

Given the above, it is certain that M&A transactions, especially those involving the acquisition of companies or assets that contain large sets of personal data, will draw the attention of the relevant authorities, such as the Administrative Council for Economic Defence.

Therefore, the parties involved in an M&A deal in Brazil must dedicate special attention and efforts to perform ostensible due diligence regarding the target company's compliance with the LGPD. To do this, they must apply the appropriate treatment to the verified risks in the transaction's agreements to ensure the necessary security to the purchasing party and enable the completion of the deal.

For further information on this topic please contact Bernardo Freitas, Gustavo Paulinelli or Eugênio Corassa at Freitas Ferraz Advogados by telephone (+55 31 4141 0308). The Freitas Ferraz Advogados website can be accessed at


(1) Further information is available here.

(2) Further information is available here.