That’s None of Your Business: Privacy in M&A

Torys Quarterly: Pressure Points

You want to buy a business and you need information about the target's customers, employees and contractors before you can make your decision. More importantly, you want to be able to use that information after the purchase has been made. But privacy laws have tightened in Canada, and transferring personal information is not so straightforward. How do you handle the information so it doesn't end up being none of your business?

Canadian privacy laws generally prohibit sharing personal information without the consent of the individual. For companies with thousands of employees, customers and other contacts—not to mention market disclosure restrictions—seeking individual consent to share information before a transaction has even been announced is a non-starter.

Provisions allow parties to share personal information for diligence purposes and permit the buyer to use that information without seeking individuals' consent.

But there's a catch…

Some businesses obtain consent in advance through the use of privacy policies or terms of service. Without advanced consent, most national businesses subject to the federal privacy laws (i.e., PIPEDA) can now rely on two deal-friendly provisions known as the "business transaction exemption." These provisions allow parties to share personal information for diligence purposes and permit the buyer to use that information after closing without seeking individuals' consent.

But there's a catch.

In order to use the business transaction exemption, the parties need to contractually restrict how they use the data. While these restrictions can easily be incorporated into any purchase agreement, where and when these terms are actually agreed to should be considered early on in the life of the deal.

For example, the seller cannot rely on contractual terms that only come into effect on closing to allow information relating to its employees, customers or other contacts to be posted in a data room during due diligence. As a buyer, you must agree—in your non-disclosure agreement or other pre-diligence contract—to use and disclose personal information solely for purposes related to the deal, to protect the security of that information, and to ultimately destroy it if the deal dies.

It's also important to note the business transaction exemption is narrow: disclosure of personal information is only permitted for due diligence purposes if it is necessary to decide whether to go ahead with an acquisition and close the deal. To address this, parties should document the types of personal information posted to the data room as well as their mutual agreement that this information is necessary to assess and close the transaction. This is especially true where the target holds sensitive personal information: the data should be vetted for true relevance before it is shared with a prospective buyer.

What happens next?

After the transaction closes, one of the parties has to notify all individuals whose information was shared that their information was disclosed under the business transaction exemption. As the buyer, you'll want to own this obligation so that you can introduce your company's privacy policies and control the messaging around the deal.


The Authors

Read More From This Issue
Q4 | Fall 2017: Pressure Points
New technology, new rules and investor satisfaction are just some of the pressure points facing business leaders this year.