M&A due diligence in the #MeToo era: privacy, privilege and purchase agreements

| Lauren MacLeod

The #MeToo hashtag and the resulting movement swept across social media in 2017 following reports of sexual assault allegations against film producer Harvey Weinstein. Due in part to the #MeToo movement and the attention it brought to the issue of misconduct at work, purchasers are now increasingly alert to the reputational and financial risks associated with workplace sexual harassment. Some purchasers are addressing these risks by requiring that vendors provide diligence disclosure and a legal representation concerning sexual harassment in merger and acquisition agreements (often referred to as “Weinstein Clauses” or “#MeToo Reps”)1.

In addition to a compliance representation asserting that the target has complied with its legal obligations with respect to sexual harassment, such as maintaining a workplace policy, implementing anti-harassment training, and properly investigating all complaints or instances of harassment, a purchaser may want a specific representation regarding the experience of the target with respect to sexual harassment. For instance, a purchaser may request disclosure of any allegations of workplace sexual harassment made against employees, officers, or directors at the target company, any complaints of workplace sexual harassment received by the target company and/or its human resources department, and/or any settlements that the target company has entered into related to workplace sexual harassment. Further, a purchaser may want a vendor to represent and warrant that, other than those disclosed, no further allegations, complaints, or settlement agreements related to workplace sexual harassment of the kind described above exist.

What degree of comfort can a purchaser secure that such representations are accurate, and how effective are they at compelling the vendor to provide thorough disclosure? One pervasive problem with #MeToo diligence is that workplace sexual harassment typically goes unreported2. If the vendors are unaware of such conduct taking place, they cannot disclose that conduct to a purchaser, and a vendor’s insistence that it has no allegations or complaints to disclose may be indicative of a cultural problem at the target. However, where a vendor does have knowledge of allegations, complaints, or has entered into settlements relating to sexual harassment, the effectiveness of #MeToo diligence will largely depend on how the vendor chooses to navigate the tension between providing thorough disclosure while upholding its obligations regarding privacy, privilege, and confidentiality.


In the context of a transaction, it is important to consider the privacy implications of disclosure. Canadian privacy laws generally prohibit sharing personal information without the consent of the individual whose information is being shared. In some cases, employees will have already consented to disclosure of their personal information for due diligence purposes through a company privacy policy, employment agreement, or other vehicle. In that scenario, if the consent is clear and applies to the information within the confines of the disclosure request, the target is in a better position to disclose allegations or complaints of sexual harassment to the purchaser. However, a target should consider whether any competing policies, such as the company’s workplace sexual harassment policy, affects privacy policy consent by placing limits on the disclosure being requested.

Where this consent has not been obtained, businesses subject to federal privacy laws may be able to rely on the “business transaction exemption”, which allows parties to share personal information for diligence purposes without seeking consent3. This exemption is also found in certain provincial privacy regimes4. Under this exemption, disclosure of personal information is only permitted if it is necessary to decide whether to go ahead with an acquisition and close the deal. Given the personal and sensitive nature of a sexual harassment allegation, complaint, or settlement, the vendor should be certain that any associated personal information is truly necessary and relevant before disclosing it. What is relevant and necessary to disclose will be highly contextual and vary according to the circumstances.

For example, where the vendor has investigated a complaint, found misconduct had occurred, terminated the employment of the accused as a result, and received a release from the accused, it might be unnecessary to disclose the accused’s identity for the deal to move forward. Providing a redacted copy of the release may be sufficient. On the other hand, if the vendor is actively investigating accusations against a senior executive, the accused’s identity may very well be relevant to whether a prospective purchaser wants to continue with the proposed transaction. Notably, the Federal Government’s Bill C-11 to amend PIPEDA proposes that personal information should be de-identified before it can be shared without consent under the business transaction exemption, emphasizing the need to closely consider what information is necessary and whether meaningful consent has or can be obtained from the individuals involved5.

Regardless of how much is disclosed, parties should document the types of personal information posted to the data room as well as their mutual agreement that this information is necessary to close the transaction. After closing, pursuant to PIPEDA, all individuals whose information was shared must be notified6. Further, purchasers should ensure that this sensitive information remains properly protected, including within the company, and destroyed when it is no longer required.

Privilege and confidentiality

During the due diligence process, vendors and purchasers often share privileged and confidential documents and information in the interests of a common goal: the transaction. This is done on the understanding that such communications shared between parties to a commercial transaction retain their privileged status - despite being shared with a third party - by falling under the ambit of common interest privilege7. In this regard, disclosing the existence and/or results of an internal investigation related to an allegation or complaint of sexual harassment will likely be protected by common interest privilege.

However, disclosure of a settlement agreement relating to sexual harassment attracts additional considerations. First, it is questionable whether common interest privilege would apply to the sharing of a settlement agreement with a third party by the vendor, since settlement privilege is jointly held by all parties to the settlement and cannot be unilaterally waived by any one party8. Second, settlements of this nature typically include confidentiality clauses which, if breached, can have cost consequences9. Thus, vendors need to be alert to potential claims brought by the counterparty to the settlement agreement relating to breach of settlement, particularly in agreements containing confidentiality clauses, and should mitigate to the extent possible while balancing its commercial interest in providing thorough disclosure to the potential purchaser. The vendor should ensure that all such communications and documents are clearly marked as privileged and confidential, and parties should consider limiting sensitive document access to only those deal team members who need to review them firsthand.


While there are reasons for a vendor to be careful in what it chooses to disclose and how much, there are other factors that weigh in favour of thorough disclosure. If a vendor makes a #MeToo Rep that turns out to be false, the vendor may be liable for misrepresentation. This typically gives rise to ordinary remedies for breach of contract, unless the contract between the parties stipulates otherwise10. Moreover, if the vendor negligently or fraudulently withheld the relevant information, they may be concurrently liable in contract and tort11.

Mishandling employer obligations

A vendor may also find themselves liable for losses resulting from their mishandling of sexual misconduct allegations. Employers are subject to many overlapping obligations with respect to workplace harassment. One fact scenario can lead to a breach of multiple duties and multiple heads of damages. Share purchasers in particular will want to be informed of any such liabilities in advance of completing a deal.

For example, in Ontario, employers have a positive duty to create policies and programs that set out reporting mechanisms for workplace harassment12. When an employer becomes aware of an incident or a complaint of sexual harassment, they then have a duty to investigate13. If the target has previously ignored an allegation, failed to follow protocol in response to a complaint, or conducted an improper investigation, any and all of these breaches could attract regulatory and/or civil liability resulting in losses14.


As purchasers continue to regularly insist that vendors provide #MeToo Reps, their reliability and efficacy in compelling disclosure is likely to vary by the circumstances. As vendors navigate sometimes competing interests related to privacy and privilege against their role in the due diligence process, purchasers should be aware that vendors may have differing approaches as they weigh the risks of thorough disclosure against those associated with sharing limited information. Vendors should take steps to mitigate risks regarding privacy law and privilege rules in view of the potential pitfalls associated with providing the purchaser with an incomplete view of the sexual harassment experience at the target company.


1 Grace Maral Burnett, “#MeToo Reps Becoming M&A Market Standard”, Bloomberg Law (June 25, 2019).

2 The Angus Reid Institute concluded in 2014 that while nearly 30% of Canadians surveyed had experienced sexual harassment at work, four in five of them never reported it to their employer. See Angus Reid Institute, Canadian Public Opinion Poll on Sexual Harassment at Work (2014).

3 Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), which applies in respect of employees’ personal information in federally regulated organizations. The employee privacy provisions in PIPEDA do not apply to provincially regulated companies (PIPEDA, s. 4(1)(b)).

4 British Columbia and Alberta have each passed their own private-sector privacy legislation substantially similar to PIPEDA. The business transaction exemption is included in those statutes: Personal Information Protection Act, S.B.C. 2004, c. 63, s. 20; Personal Information Protection Act, S.A. 2003, c. P-6.5, s. 22. Ontario does not currently have regulations for privacy in the private sector – rather, businesses are subject to PIPEDA, although there have been recent attempts to introduce private-sector legislation: see, e.g. Ontario Discussion Paper, “Ontario Private Sector Privacy Reform: Improving Private Sector Privacy for Ontarians in a Digital Age”.

5 Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, 2nd Sess, 43rd Parl, 2020 (second reading as at the time of writing).

6 PIPEDA, s. 7.2(2)(c).

7 See, e.g. IGGillis Holdings Inc. v. The Minister of National Revenue, 2018 FCA 51, leave to appeal refused [2018] S.C.C.A. No. 207.

8 Re Chiang, 2013 ONSC 6753, para. 14.

9 See, e.g. Jan Wong v. The Globe and Mail Inc., 2014 ONSC 6372.

10 See, e.g. Extreme Excavating & Backhoe Services Ltd v. Scott, 2018 ABQB 102, citing BG Checo International Ltd v. British Columbia Hydro and Power Authority, [1993] 1 S.C.R. 12.

11 Ibid.

12 See, e.g. Occupational Health and Safety Act, R.S.O. 1990, c. O1, ss. 32.0.1(1)(b), 32.0.6(1-2) (“OHSA”).

13 OHSA, s. 32.0.7(1).

14 See, e.g. Disotell v. Kraft Canada Inc, 2010 ONSC 3793; Silvera v. Olympia Jewellery Corporation, 2015 ONSC 3760; Doyle v. Zochem Inc, 2017 ONCA 130, OHSA, s. 66, and Human Rights Code, R.S.O. 1990, c. H-19, ss. 46.1-46.2.

This article was originally published by The Ontario Bar Association.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2021 by Torys LLP.
All rights reserved.


Get in Touch