PRIVACY ISSUES IN M&A TRANSACTIONS

Similar documents
Privacy in Canada Federal Legislation: Personal Information Protection and Electronic Documents Act

Taking care of what s important to you

SBI Canada Bank Privacy Policy

Taking care of what s important to you

Fundraising and Privacy: Complying with Federal and Provincial Laws

M I L L E R T H O M S O N L L P. Privacy Issues in Franchise Relationships: A Practical Guide. Richard D. Leblanc.

Principles. Bison Transport will implement policies and procedures to give effect to this policy, including:

METRO DIRECTION FINANCIAL INC PRIVACY POLICY

Association of Service Providers for Employability and Career Training ( ASPECT ) PRIVACY CODE

A copy of Ontario Water Polo Association s Privacy Policy is provided to any member on request to Ontario Water Polo Association.

Citi Canada. Privacy of Personal Information Statement

Our Privacy Policy SUPPLEMENTAL INSURANCE. Health Accident Disability Life. combined.ca

CBSA PRIVACY POLICY. Canadian Business Strategy Association Page 1

CANADIAN AMATEUR SYNCHRONIZED SWIMMING ASSOCIATION, INC. SASKATCHEWAN SECTION PRIVACY POLICY

PRIVACY CODE FOR OUR DENTAL OFFICE

PRIVACY CODE FOR THE PROTECTION OF PERSONAL INFORMATION

APPLICATION FOR APPROVAL AS TRADER

Jericho Tennis Club's Privacy Policy

PRIVACY POLICY OVERVIEW

MAWA PRIVACY POLICY. Purpose of this Policy

HSBC Privacy code. Everything you need to know about the security and privacy of your personal information at HSBC

VOLLEYBALL BC Privacy Policy

SYNCHRO SWIM MANITOBA PRIVACY POLICY

Model Code for the Protection of Personal Information, CAN/CSA-Q830-96

Doing business in Canada

PRIVACY AND ANTI-SPAM CODE FOR OUR DENTAL OFFICE Please refer to Appendix A for a glossary of defined terms.

American Federation of Musicians and Employers' Pension Welfare Fund (Canada) (the " Fund") PRIVACY POLICY. Effective January 1, 2004

CHARITY LAW BULLETIN NO.28

Prairie Centre Credit Union

PRIVACY AND INFORMATION MANAGEMENT A Guideline For Alberta Veterinarians

LAW SOCIETY OF BRITISH COLUMBIA PRACTICE CHECKLISTS MANUAL

Access to Basic Banking Services

CHARITY LAW BULLETIN NO.15

Item 5 - Policy Approval: Privacy Policy - Board of Directors GCHRCC Public Meeting - December 7, 2017 Report:GCHRCC: Attachment 1

Nova Scotia Health Employees Pension Plan Policy and Guidelines. Protecting the Privacy of Personal Information

Title CIHI Submission: 2014 Prescribed Entity Review

Guideline 6B: Record Keeping and Client Identification for Accountants and Real Estate Brokers or Sales Representatives

North Simcoe Community Futures Development Corporation (NSCFDC) PRIVACY POLICY 1.0 PURPOSE OF PRIVACY POLICY 3

ONTARIO LACROSSE ASSOCIATION INFORMATION PRIVACY POLICY

McCarthy Tétrault. March 31, 2007 BY

Compliance: Know your obligations

Limited Liability Partnership Legislation Discussion Paper. September 23, 2005

FREQUENTLY ASKED QUESTIONS REGARDING SALE OF NORTEL S MSS BUSINESS TO ERICSSON

CHARITY LAW BULLETIN NO. 70

2001 COOPERATIVE CREDIT ASSOCIATIONS - (in thousands of dollars) TABLE 1 - ASSETS

IN THE MATTER OF THE INVESTMENT DEALERS ASSOCIATION OF CANADA (ENFORCEMENT DIVISION) AND GOLDEN CAPITAL SECURITIES LTD.

OCTOBER Current calculation: Management fee is 2% = $200 GST is 5% = $10 total is $210

DACnet ( )

RICHMOND MINOR HOCKEY ASSOCIATION

THE ASSOCIATION OF JUSTICE COUNSEL THE TREASURY BOARD OF CANADA

10 Things You Need To Know About Privacy

1A-1084 Kenaston Street tel: (613) Ottawa, ON K1B 3P5 fax: (613)

CLHIA STANDARDIZED MGA COMPLIANCE REVIEW SURVEY

Client Privacy Policy

2003 BCSECCOM 67 AND IN THE MATTER OF THE MUTUAL RELIANCE REVIEW SYSTEM FOR EXEMPTIVE RELIEF APPLICATIONS AND

Guide to Going Public in Canada

Mortgage Referral Agreement

Protecting Your Privacy

FRANCO-NEVADA CORPORATION BUSINESS INTEGRITY POLICY

MERGERS & ACQUISITIONS

CLHIA STANDARDIZED ADVISOR PRACTICE REVIEW FOR USE IN THE MGA CHANNEL

1. This is the Canada Country Addendum to the UOB Business Internet Banking Service Agreement.

2008 BCSECCOM 443. Applicable British Columbia Provisions Securities Act, R.S.B.C. 1996, c. 418, ss. 126(a) and (c), 127(1)(b) and 130

PRACTICE CHECKLISTS MANUAL

GUIDELINES FOR THE CONTRACTING OUT OF RESEARCH ACTIVITIES

Policy for the Protection of Personal Information and Privacy University Secretariat

Comments on the Draft Framework for Reporting Performance Measures

Instructions General Information about the Agency Screening Advisors for Suitability... 7

Terms and Conditions for Correspondent Banks

Forms of Business Organizations in Canada

Instructions for Use of the TitlePLUS Acknowledgment and Direction 1

Start-up Crowdfunding Guide for Funding Portals

DATA PRIVACY I. POLICY DEFINITIONS

1.1 What is the purpose of the policy?

Workers Compensation Board of Nova Scotia

2009 BCSECCOM 9. Kegam Kevin Torudag and Lai Lai Chan. Section 161 of the Securities Act, RSBC 1996, c Application

PRIVACY POLICY A. SCOPE & INTERPRETATION. Personal Information. What Personal Information is not. B. Consent

CANADA BUSINESS CORPORATIONS ACT DISCUSSION PAPER SHAREHOLDER COMMUNICATIONS AND PROXY SOLICITATION RULES

BUSINESS ORGANIZATIONS

ALBERTA INFORMATION AND PRIVACY COMMISSIONER. Report of an Investigation into Disclosure of Customer Information without Consent.

COMPANION POLICY MUTUAL FUNDS PART 1 PURPOSE

CKR CARBON CORPORATION PRIVATE PLACEMENT SUBSCRIPTION AGREEMENT (FLOW-THROUGH SHARES) INSTRUCTIONS TO SUBSCRIBER

INVESTMENT ADVISOR SUBSCRIPTION PROCEDURE

APPLICATION THIS IS AN APPLICATION FOR A CLAIMS MADE POLICY WITH DEFENCE COSTS INCLUDED IN THE LIMIT OF LIABILITY. ALL QUESTIONS MUST BE ANSWERED.

DIRECTORS AND OFFICERS LIABILITY INSURANCE INCLUDING CORPORATE INDEMNITY POLICY APPLICATION PROFIT CORPORATIONS

NEW MEMBERSHIP APPLICATION INFORMATION PACKAGE

STEPS TO ASSIST LAWYERS IN COMPLYING WITH THE NEW CLIENT IDENTIFICATION AND VERIFICATION REQUIREMENTS - BY-LAW 7.1 1

CHARITY & NFP LAW BULLETIN NO. 398

CANADIAN SRAM NATIONAL CLASS ACTIONS CLAIM FORM. Canadian SRAM Class Action Claims Administrator P.O. Box 3355 London, ON N6A 4K3

CSA Staff Notice and Proposed Model Provincial Rule Derivatives: Customer Clearing and Protection of Customer Collateral Positions

Investment Terms and Conditions for Tax Free Savings Account

DEPOSIT BROKER MANUAL

GLOBAL TRANSACTIONS. Joint ventures & partnerships

Real Estate Rental and Leasing and Property Management

APPLICATION OF PIPEDA TO SASKATCHEWAN CHARITIES AND NON-PROFITS

Anti-Money Laundering and Terrorist Financing Working Group. Final Report on the Model Rules

575, rue St-Amable, Bureau 1.10 Office of the Privacy Commissioner of Canada

REVIEW REPORT

PROPOSED NATIONAL POLICY INCOME TRUSTS AND OTHER INDIRECT OFFERINGS

EXHIBIT 1 ACCREDITED INVESTOR CERTIFICATE ACCREDITED INVESTORS. HARBOUREDGE MORTGAGE INVESTMENT CORPORATION (the Company )

Transcription:

PRIVACY ISSUES IN M&A TRANSACTIONS Adam D. Vereshack McCarthy Tétrault LP Barristers & Solicitors Patent & Trade-mark Agents www.mccarthy.ca

PART I PRIVACY LEGISLATION www.mccarthy.ca

Overview Business lawyers need to take into account the impact of privacy laws on business transactions Need to consider whether any personal information is being transferred or disclosed If so, consents to such transfers are required Need to consider what form such consents may take Express consents may be impractical or impossible to obtain 3

Overview Qualification as to no opinion being given as to compliance with privacy laws may need to be included in legal opinions for certain transactions Need to consider whether representations, warranties, covenants and/or indemnities with respect to privacy matters should be included in transactional agreements 4

PIPEDA and Provincial Laws Application of PIPEDA and Provincial Privacy Laws As of January 1, 2004, all businesses operating in Canada are required to comply with the federal Personal Information Protection and Electronic Documents Act ( PIPEDA ) Similar provincial legislation 5

PIPEDA and Provincial Laws Both regulate the collection, use and disclosure of personal information The application of PIPEDA to provinciallyregulated businesses is subject to the federal government s right to exempt from compliance with PIPEDA organizations operating in provinces which have passed substantially similar privacy legislation 6

PIPEDA and Provincial Laws Quebec has had private sector privacy legislation in place since 1993 which the federal government has determined is substantially similar to PIPEDA Quebec legislation applies to companies, other than federal works, undertakings or businesses, with respect to their collection, use and disclosure of information within Quebec, without the application of PIPEDA 7

PIPEDA and Provincial Laws British Columbia and Alberta each have privacy legislation which came into effect on January 1, 2004 As of April 10, 2004 the federal government proposed draft exemption orders that, once passed, will declare both the British Columbia and Alberta legislation to be substantially similar 8

PIPEDA and Provincial Laws Ontario released draft privacy legislation for the private sector in 2002 Like PIPEDA it is modeled on the Canadian Standard s Association Model Privacy Code It is not yet clear whether Ontario will legislate comprehensively in the privacy area 9

PIPEDA and Provincial Laws The Legislative Assembly of Ontario is currently considering sectoral legislation to protect the privacy of health information PIPEDA currently applies to businesses in Canada s three northern territories where the entire commercial sector is a federal work or undertaking under the Canadian constitution 10

PIPEDA and Provincial Laws PIPEDA does not apply to the personal information of employees who are not employees of federal works, undertakings and businesses If a company is not a federal work, undertaking or business, and its employees are generally governed by provincial employment laws, the personal information of employees of such company will generally not be covered by PIPEDA 11

PIPEDA and Provincial Laws Certain situations in which a company s employee information would be covered by PIPEDA For example, use or disclosure of employee information in a commercial way such as to a third party for marketing purposes 12

PIPEDA and Provincial Laws Disclosure of such information to an entity that is subject to PIPEDA such as a payroll service provider who is collecting such personal information in the course of carrying on a commercial activity 13

Summary PIPEDA addresses rights of privacy with respect to personal information that is collected, used, or disclosed by private sector organizations in the course of commercial activities Personal information includes any information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization 14

Summary Personal information of an identifiable individual cannot be collected, used or disclosed without the individual s knowledge and consent except in limited circumstances 15

Schedule 1 The following fair information practice principles set out in Schedule 1 are at the core of PIPEDA: Accountability Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure, and Retention Accuracy 16

Schedule 1 Safeguards Openness Individual Access Challenging Compliance 17

Consent Consent The fundamental principle of PIPEDA There should be no collection, use or disclosure of personal information without consent In order to comply with PIPEDA companies need to obtain the consent of those providing personal information for its collection, use or disclosure, except in limited circumstances 18

Consent The form of consent and the manner in which it is obtained may vary according to the sensitivity of the personal information Consent may be given in writing or orally Such consent may be implied where reasonable But, where a particular use or disclosure would not necessarily be presumed by the individual, consent should be express 19

Express consent may take different forms Consent opting in whereby a customer would indicate his or her consent by checking a box opting out or a negative option where a customer is advised by a company that the company will use the customer s personal information for specified purposes unless the customer contacts the company to opt out 20

Consent The Privacy Commissioner of Canada has indicated that express consent is preferred If companies intend to use personal information for any purpose other than that for which the individual provided the information, obtain the individual s consent Companies need to ensure that affiliates, third party service providers and any other party to whom they transfer personal information comply with PIPEDA 21

PART II TRANSACTIONS www.mccarthy.ca

Share Purchase Share Purchase Transactions Generally, for share purchase transactions, there is no need for consent to the transfer of personal information as there is no specific transfer or assignment of personal information Personal information continues to be held by the company whose shares have been transferred 23

Asset Purchase Asset Purchase Transactions Technically consent to the transfer of personal information by an organization to whom PIPEDA applies appears to be required As a practical matter, it may be prohibitively expensive and time-consuming to obtain express consent to the transfer of personal information in the context of an asset purchase transaction and in some cases it may not even be possible 24

Asset Purchase Express consent may not be needed based on the argument that when an individual provides personal information to an organization, he/she is providing an implicit consent to the transfer of personal information to a successor organization that would only use the personal information for the purposes for which it was collected 25

Asset Purchase Could also be argued that the reasonable person test would be met by implying consent in this case However, whether such implicit consent meets PIPEDA requirement is not free from doubt 26

Asset Purchase The Privacy Commissioner's Office has indicated that PIPEDA may be interpreted to allow for an implicit consent to the transfer of personal information to a successor organization that would only use the personal information for the purposes for which it was collected 27

Asset Purchase To date, none of the cases considered by the Privacy Commissioner have involved the disclosure of personal information in the context of purchase and sale transactions As there are no cases on point, not yet clear whether the implied consent interpretation will apply Practical approach assume implied consent 28

Disclosure of Personal Information Disclosure of Personal Information for Due Diligence Purposes Is consent required by a company for its disclosure of personal information to a potential purchaser for due diligence purposes in either a proposed share or asset purchase transaction? 29

Disclosure of Personal Information Technically, consent appears to be required for the disclosure of personal information by an organization to which PIPEDA applies to a potential purchaser for due diligence purposes 30

Disclosure of Personal Information If the view is accepted that individuals provide implicit consent to the transfer of their personal information to a successor organization that would only use the personal information for the purposes for which it was collected, then: There may also be an implicit consent provided for the disclosure of personal information to a potential purchaser for due diligence purposes, subject to a confidentiality agreement 31

Disclosure of Personal Information Such implicit consent is not free from doubt To minimize risks, it is very important that the potential purchasers enter into confidentiality agreements 32

Representations, Warranties and Indemnities Representations, Warranties and Indemnities re: Compliance with Privacy Laws Generally speaking, it may be difficult for vendors of businesses to give representations and warranties in Purchase and Sale Agreements as to compliance with PIPEDA Due to the difficulty in interpreting and ensuring full compliance 33

Representations, Warranties and Indemnities As well, many companies are still in the process of creating and implementing privacy policies and privacy compliance procedures Vendors may seek to specifically exclude any representations and warranties respecting compliance with privacy laws Purchasers may seek to include them 34

Representations, Warranties and Indemnities Ultimately it is a matter of allocation of business risk Risk may be taken into account as one of factors in determining the purchase price or in certain cases may be covered by an indemnity from the vendor to the purchaser 35

Representations, Warranties and Indemnities With respect to the possible use of indemnities, it is difficult to quantify the risks of non-compliance because of complaints (discussed below) Vendors may also seek to obtain a covenant from the purchaser that it will comply with its obligations under privacy laws with respect to its use of any personal information transferred to it by the vendor 36

Representations, Warranties and Indemnities A vendor may wish to conduct due diligence on its own privacy practices to determine what representations, warranties and indemnities it may give Advisable for the purchaser to carry out due diligence on the vendor s compliance with privacy laws 37

Representations, Warranties and Indemnities The purchaser will want to ensure that going forward the privacy practices of the business it is purchasing are in compliance with applicable privacy laws 38

Securitization Securitization Transactions Personal information covered by PIPEDA may be transferred from the company that originally collected the information to the trust to which customer receivables, for example, are sold Technically, consent would be required Likely be impractical and very costly to seek explicit consent in such circumstances 39

Securitization Also unlikely that explicit consents will be in place from the relevant customers to transfer personal information in such circumstances As in the case of information transfers that are part of asset purchase transactions, the argument could be made that consent may be implied Again, these arguments are not free from doubt and there are no cases concerning this issue 40

Securitization Accordingly, as discussed below, it may be appropriate to add to the legal opinion to be given in such circumstances the qualification that no opinion is expressed as to compliance with privacy laws 41

Legal Opinion Qualification Legal Opinion Qualification in Transactions If: a legal opinion is to be provided in connection with an asset purchase transaction involving a transfer of personal information; and the opinion includes language to the effect that the performance under the asset purchase agreement and other agreements referred to in the opinion will not contravene any law of Canada; and 42

Legal Opinion Qualification any of the asset purchase agreement or these other agreements provide for the transfer of personal information; and express consent has not been obtained Should a qualification be added that no opinion expressed as to compliance with PIPEDA? Yes, because the view that an implicit consent may be relied upon for the transfer of personal information in an asset purchase transaction is not free 43

Legal Opinion Qualification Similarly, opinions in asset and share purchase transactions and securitization transactions concerning compliance with applicable laws may need to include qualification that no opinion is expressed as to compliance with PIPEDA if personal information is disclosed without all relevant express consents having been obtained 44

Legal Opinion Qualification Reason - difficult to ascertain whether privacy laws are complied with when disclosing personal information for due diligence purposes in transactions, or when transferring personal information as it is not clear whether compliance based on implied consent is sufficient 45

Privacy Concerns Privacy Concerns Re: Outsourcing of Business Functions Many companies outsource certain business functions to third party providers A company must ensure that other entities providing services to it that have access to personal information collected by the company comply with PIPEDA 46

Privacy Concerns In outsourcing agreements, companies will need to require third party service providers to comply with all applicable privacy laws Includes - safeguard personal information and prohibit the use or disclosure of it for any purpose other than those for which it was collected 47

Privacy Concerns Companies should have express contractual provisions with third party Companies should also include indemnities in the case of failure to comply with applicable privacy laws 48

Related Party Transactions Related Party Transactions PIPEDA requires consent for the disclosure of personal information by a company to related companies Any sharing of personal information within a corporate group must comply with applicable privacy laws 49

Related Party Transactions Any disclosure of personal information in the context of joint ventures, co-branding and other business arrangements with related and/or nonrelated parties must comply with privacy laws 50

Social Insurance Numbers Social Insurance Numbers Social insurance numbers are hot buttons for privacy advocates Consumers are especially sensitive about providing their social insurance numbers in light of what appears to be a growing crime of identity theft 51

Social Insurance Numbers Companies are required to make a reasonable effort to obtain a person's social insurance number where they are selling products to a customer that require the company to make a tax-related information return The Income Tax Act (Canada) prohibits the unauthorized use of social insurance numbers. (sec. 237(2)(b)) 52

Social Insurance Numbers It provides that persons shall not knowingly use, communicate or allow to be communicated, a person's social insurance number, without such person's written consent Also, the Commissioner stressed that the social insurance number is not a piece of identification and should not be used as such 53

Immediate Priorities Immediate Priorities for Businesses In order to comply with PIPEDA companies should: adopt a privacy compliance strategy appoint a privacy officer review the current personal information practices review and update, if necessary, the company s privacy policy 54

Immediate Priorities review the company s data management infrastructure to ensure it is adequately flexible to allow implementation of the company s privacy policies implement consent language in contracts, forms and other documents require third parties to whom personal information is disclosed to agree to use the personal information only for the purposes for which it was disclosed formulate a precise plan to deal with privacy complaints from individuals implement training for all employees with respect to the company s privacy policy 55

Conclusion Conclusions Privacy laws must be taken into account in any transaction involving the disclosure or transfer of personal information It may be impractical or impossible to obtain express consent to the transfer of personal information as part of a transaction 56

Conclusion While it may be argued that implicit consent may be relied upon this view is not free from doubt Opinions may need to be qualified 57

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback