Privacy Due Diligence In A Merger Or Acquisition

The exchange of information about individuals, including customers, employees and security holders, is often an integral part of merger and acquisition transactions. Compliance with privacy law is and must always remain a consideration in merger and acquisition transactions. This is particularly so given the evolving regulation and enforcement regarding personal information under Canadian law.
PIPEDA is enforced by the Office of the Privacy Commissioner of Canada, which may investigate privacy-related complaints, make findings, conduct audits and take other steps permitted under the legislation. Alberta and British Columbia also have independent Offices of the Information and Privacy Commissioner, and the Quebec Act is enforced by the Commission d’accès à l’information du Québec.
The general rule under these Canadian privacy statutes is that personal information must not, with limited exceptions, be collected, used or disclosed unless consent is obtained from the individual to whom the personal information pertains.
PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity within a province except where there is privacy legislation in that province that has been determined by the Governor in Council to be substantially similar to PIPEDA.
Both the Alberta PIPA and BC PIPA include exceptions to the consent rule that specifically deal with the handling of personal information in the context of a “business transaction”. In general terms, these statutes provide that personal information may be collected, used or disclosed without consent if the information is “necessary” for parties to decide whether to proceed with a “business transaction” or whether to finalize the deal. In order to take advantage of the business transaction exemption, the parties to the transaction must have entered into an agreement which, among other things, must include provisions that the collection, use and disclosure of the information must be restricted to the purposes of the transaction and that, if the transaction is completed, the acquiring entity (the “Acquirer”) may only use the information for the same purposes for which the information was initially collected.
“Business transaction” is defined in section 20(1) of the BC PIPA as the purchase, sale, lease, merger or amalgamation or any other type of acquisition, disposal or financing of an organization or a portion of an organization or of any of the business or assets of an organization. The definition in section 22(1)(a) of the Alberta PIPA also refers to “the taking of a security interest in respect of, an organization or a portion of an organization or any business or activity or business asset of an organization and includes a prospective transaction of such a nature”. Note, however, that the Alberta PIPA business transaction exemption will not apply where the primary objective or result of the transaction is the sale, disposal or disclosure of personal information itself.
The BC PIPA contains a similar exclusion.
Neither PIPEDA nor the Quebec Act contains a “business transaction” exemption.
Where transactions have a cross-border element, PIPEDA will continue to apply to the collection, use and disclosure that takes place across provincial or national borders.
In addition to the privacy statutes, there is a growing body of common law in which privacy rights have been recognized. For example, the Ontario Court of Appeal recently recognized a new and independent cause of action in tort for invasion of privacy in the case of Jones v. Tsige (2012), 108 O.R. (3d) 241 (C.A.).
Given the patchwork of Canadian law applicable to a merger or acquisition, the parties will need to consider the objective of the transaction, what kind of personal information will be collected, used or disclosed as part of the transaction, what personal information will transfer to the Acquirer at closing and what uses the Acquirer will make of that information post-closing.