That's None of Your Business: Privacy in M&A

Transaction Tips

You want to buy a business and you need information about the target's customers, employees and contractors before you can make your decision. More importantly, you want to be able to use that information after the purchase has been made. But privacy laws have tightened in Canada, and transferring personal information is not so straightforward. How do you handle the information so it doesn't end up being none of your business?

Canadian privacy laws generally prohibit sharing personal information without the consent of the individual. For companies with thousands of employees, customers and other contacts—not to mention market disclosure restrictions—seeking individual consent to share information before a transaction has even been announced is a non-starter.

Some businesses obtain consent in advance through the use of privacy policies or terms of service. Without advanced consent, most national businesses subject to the federal privacy laws (i.e., PIPEDA) can now rely on two deal-friendly provisions known as the "business transaction exemption." These provisions allow parties to share personal information for diligence purposes and permit the buyer to use that information after closing without seeking individuals' consent.

But there's a catch.

In order to use the business transaction exemption, the parties need to contractually restrict how they use the data. While these restrictions can easily be incorporated into any purchase agreement, where and when these terms are actually agreed to should be considered early on in the life of the deal.

For example, the seller cannot rely on contractual terms that only come into effect on closing to allow information relating to its employees, customers or other contacts to be posted in a data room during due diligence. As a buyer, you must agree—in your non-disclosure agreement or other pre-diligence contract—to use and disclose personal information solely for purposes related to the deal, to protect the security of that information, and to ultimately destroy it if the deal dies.

It's also important to note that the business transaction exemption is narrow: disclosure of personal information is only permitted for due diligence purposes if it is necessary to decide whether to go ahead with an acquisition and close the deal. To address this, parties should document the types of personal information posted to the data room as well as their mutual agreement that this information is necessary to assess and close the transaction. This is especially true where the target holds sensitive personal information: the data should be vetted for true relevance before it is shared with a prospective buyer.

What happens next?

After the transaction closes, one of the parties has to notify all individuals whose information was shared that their information was disclosed under the business transaction exemption. As the buyer, you'll want to own this obligation so that you can introduce your company's privacy policies and control the messaging around the deal.

Tip: If you are a prospective buyer, find out—as early as you can—whether the target already has consent to share customer or employee personal information with you. If not, negotiate an agreement that lets you rely on the business transaction exemption before due diligence begins.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2017 by Torys LLP.
All rights reserved.

Tags:

Get in Touch