PRIVACY ISSUES IN M&A TRANSACTIONS Adam D. Vereshack McCarthy Tétrault LP Barristers & Solicitors Patent & Trade-mark Agents www.mccarthy.ca
PART I PRIVACY LEGISLATION www.mccarthy.ca
Overview Business lawyers need to take into account the impact of privacy laws on business transactions Need to consider whether any personal information is being transferred or disclosed If so, consents to such transfers are required Need to consider what form such consents may take Express consents may be impractical or impossible to obtain 3
Overview Qualification as to no opinion being given as to compliance with privacy laws may need to be included in legal opinions for certain transactions Need to consider whether representations, warranties, covenants and/or indemnities with respect to privacy matters should be included in transactional agreements 4
PIPEDA and Provincial Laws Application of PIPEDA and Provincial Privacy Laws As of January 1, 2004, all businesses operating in Canada are required to comply with the federal Personal Information Protection and Electronic Documents Act ( PIPEDA ) Similar provincial legislation 5
PIPEDA and Provincial Laws Both regulate the collection, use and disclosure of personal information The application of PIPEDA to provinciallyregulated businesses is subject to the federal government s right to exempt from compliance with PIPEDA organizations operating in provinces which have passed substantially similar privacy legislation 6
PIPEDA and Provincial Laws Quebec has had private sector privacy legislation in place since 1993 which the federal government has determined is substantially similar to PIPEDA Quebec legislation applies to companies, other than federal works, undertakings or businesses, with respect to their collection, use and disclosure of information within Quebec, without the application of PIPEDA 7
PIPEDA and Provincial Laws British Columbia and Alberta each have privacy legislation which came into effect on January 1, 2004 As of April 10, 2004 the federal government proposed draft exemption orders that, once passed, will declare both the British Columbia and Alberta legislation to be substantially similar 8
PIPEDA and Provincial Laws Ontario released draft privacy legislation for the private sector in 2002 Like PIPEDA it is modeled on the Canadian Standard s Association Model Privacy Code It is not yet clear whether Ontario will legislate comprehensively in the privacy area 9
PIPEDA and Provincial Laws The Legislative Assembly of Ontario is currently considering sectoral legislation to protect the privacy of health information PIPEDA currently applies to businesses in Canada s three northern territories where the entire commercial sector is a federal work or undertaking under the Canadian constitution 10
PIPEDA and Provincial Laws PIPEDA does not apply to the personal information of employees who are not employees of federal works, undertakings and businesses If a company is not a federal work, undertaking or business, and its employees are generally governed by provincial employment laws, the personal information of employees of such company will generally not be covered by PIPEDA 11
PIPEDA and Provincial Laws Certain situations in which a company s employee information would be covered by PIPEDA For example, use or disclosure of employee information in a commercial way such as to a third party for marketing purposes 12
PIPEDA and Provincial Laws Disclosure of such information to an entity that is subject to PIPEDA such as a payroll service provider who is collecting such personal information in the course of carrying on a commercial activity 13
Summary PIPEDA addresses rights of privacy with respect to personal information that is collected, used, or disclosed by private sector organizations in the course of commercial activities Personal information includes any information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organization 14
Summary Personal information of an identifiable individual cannot be collected, used or disclosed without the individual s knowledge and consent except in limited circumstances 15
Schedule 1 The following fair information practice principles set out in Schedule 1 are at the core of PIPEDA: Accountability Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure, and Retention Accuracy 16
Schedule 1 Safeguards Openness Individual Access Challenging Compliance 17
Consent Consent The fundamental principle of PIPEDA There should be no collection, use or disclosure of personal information without consent In order to comply with PIPEDA companies need to obtain the consent of those providing personal information for its collection, use or disclosure, except in limited circumstances 18
Consent The form of consent and the manner in which it is obtained may vary according to the sensitivity of the personal information Consent may be given in writing or orally Such consent may be implied where reasonable But, where a particular use or disclosure would not necessarily be presumed by the individual, consent should be express 19
Express consent may take different forms Consent opting in whereby a customer would indicate his or her consent by checking a box opting out or a negative option where a customer is advised by a company that the company will use the customer s personal information for specified purposes unless the customer contacts the company to opt out 20
Consent The Privacy Commissioner of Canada has indicated that express consent is preferred If companies intend to use personal information for any purpose other than that for which the individual provided the information, obtain the individual s consent Companies need to ensure that affiliates, third party service providers and any other party to whom they transfer personal information comply with PIPEDA 21
PART II TRANSACTIONS www.mccarthy.ca
Share Purchase Share Purchase Transactions Generally, for share purchase transactions, there is no need for consent to the transfer of personal information as there is no specific transfer or assignment of personal information Personal information continues to be held by the company whose shares have been transferred 23
Asset Purchase Asset Purchase Transactions Technically consent to the transfer of personal information by an organization to whom PIPEDA applies appears to be required As a practical matter, it may be prohibitively expensive and time-consuming to obtain express consent to the transfer of personal information in the context of an asset purchase transaction and in some cases it may not even be possible 24
Asset Purchase Express consent may not be needed based on the argument that when an individual provides personal information to an organization, he/she is providing an implicit consent to the transfer of personal information to a successor organization that would only use the personal information for the purposes for which it was collected 25
Asset Purchase Could also be argued that the reasonable person test would be met by implying consent in this case However, whether such implicit consent meets PIPEDA requirement is not free from doubt 26
Asset Purchase The Privacy Commissioner's Office has indicated that PIPEDA may be interpreted to allow for an implicit consent to the transfer of personal information to a successor organization that would only use the personal information for the purposes for which it was collected 27
Asset Purchase To date, none of the cases considered by the Privacy Commissioner have involved the disclosure of personal information in the context of purchase and sale transactions As there are no cases on point, not yet clear whether the implied consent interpretation will apply Practical approach assume implied consent 28
Disclosure of Personal Information Disclosure of Personal Information for Due Diligence Purposes Is consent required by a company for its disclosure of personal information to a potential purchaser for due diligence purposes in either a proposed share or asset purchase transaction? 29
Disclosure of Personal Information Technically, consent appears to be required for the disclosure of personal information by an organization to which PIPEDA applies to a potential purchaser for due diligence purposes 30
Disclosure of Personal Information If the view is accepted that individuals provide implicit consent to the transfer of their personal information to a successor organization that would only use the personal information for the purposes for which it was collected, then: There may also be an implicit consent provided for the disclosure of personal information to a potential purchaser for due diligence purposes, subject to a confidentiality agreement 31
Disclosure of Personal Information Such implicit consent is not free from doubt To minimize risks, it is very important that the potential purchasers enter into confidentiality agreements 32
Representations, Warranties and Indemnities Representations, Warranties and Indemnities re: Compliance with Privacy Laws Generally speaking, it may be difficult for vendors of businesses to give representations and warranties in Purchase and Sale Agreements as to compliance with PIPEDA Due to the difficulty in interpreting and ensuring full compliance 33
Representations, Warranties and Indemnities As well, many companies are still in the process of creating and implementing privacy policies and privacy compliance procedures Vendors may seek to specifically exclude any representations and warranties respecting compliance with privacy laws Purchasers may seek to include them 34
Representations, Warranties and Indemnities Ultimately it is a matter of allocation of business risk Risk may be taken into account as one of factors in determining the purchase price or in certain cases may be covered by an indemnity from the vendor to the purchaser 35
Representations, Warranties and Indemnities With respect to the possible use of indemnities, it is difficult to quantify the risks of non-compliance because of complaints (discussed below) Vendors may also seek to obtain a covenant from the purchaser that it will comply with its obligations under privacy laws with respect to its use of any personal information transferred to it by the vendor 36
Representations, Warranties and Indemnities A vendor may wish to conduct due diligence on its own privacy practices to determine what representations, warranties and indemnities it may give Advisable for the purchaser to carry out due diligence on the vendor s compliance with privacy laws 37
Representations, Warranties and Indemnities The purchaser will want to ensure that going forward the privacy practices of the business it is purchasing are in compliance with applicable privacy laws 38
Securitization Securitization Transactions Personal information covered by PIPEDA may be transferred from the company that originally collected the information to the trust to which customer receivables, for example, are sold Technically, consent would be required Likely be impractical and very costly to seek explicit consent in such circumstances 39
Securitization Also unlikely that explicit consents will be in place from the relevant customers to transfer personal information in such circumstances As in the case of information transfers that are part of asset purchase transactions, the argument could be made that consent may be implied Again, these arguments are not free from doubt and there are no cases concerning this issue 40
Securitization Accordingly, as discussed below, it may be appropriate to add to the legal opinion to be given in such circumstances the qualification that no opinion is expressed as to compliance with privacy laws 41
Legal Opinion Qualification Legal Opinion Qualification in Transactions If: a legal opinion is to be provided in connection with an asset purchase transaction involving a transfer of personal information; and the opinion includes language to the effect that the performance under the asset purchase agreement and other agreements referred to in the opinion will not contravene any law of Canada; and 42
Legal Opinion Qualification any of the asset purchase agreement or these other agreements provide for the transfer of personal information; and express consent has not been obtained Should a qualification be added that no opinion expressed as to compliance with PIPEDA? Yes, because the view that an implicit consent may be relied upon for the transfer of personal information in an asset purchase transaction is not free 43
Legal Opinion Qualification Similarly, opinions in asset and share purchase transactions and securitization transactions concerning compliance with applicable laws may need to include qualification that no opinion is expressed as to compliance with PIPEDA if personal information is disclosed without all relevant express consents having been obtained 44
Legal Opinion Qualification Reason - difficult to ascertain whether privacy laws are complied with when disclosing personal information for due diligence purposes in transactions, or when transferring personal information as it is not clear whether compliance based on implied consent is sufficient 45
Privacy Concerns Privacy Concerns Re: Outsourcing of Business Functions Many companies outsource certain business functions to third party providers A company must ensure that other entities providing services to it that have access to personal information collected by the company comply with PIPEDA 46
Privacy Concerns In outsourcing agreements, companies will need to require third party service providers to comply with all applicable privacy laws Includes - safeguard personal information and prohibit the use or disclosure of it for any purpose other than those for which it was collected 47
Privacy Concerns Companies should have express contractual provisions with third party Companies should also include indemnities in the case of failure to comply with applicable privacy laws 48
Related Party Transactions Related Party Transactions PIPEDA requires consent for the disclosure of personal information by a company to related companies Any sharing of personal information within a corporate group must comply with applicable privacy laws 49
Related Party Transactions Any disclosure of personal information in the context of joint ventures, co-branding and other business arrangements with related and/or nonrelated parties must comply with privacy laws 50
Social Insurance Numbers Social Insurance Numbers Social insurance numbers are hot buttons for privacy advocates Consumers are especially sensitive about providing their social insurance numbers in light of what appears to be a growing crime of identity theft 51
Social Insurance Numbers Companies are required to make a reasonable effort to obtain a person's social insurance number where they are selling products to a customer that require the company to make a tax-related information return The Income Tax Act (Canada) prohibits the unauthorized use of social insurance numbers. (sec. 237(2)(b)) 52
Social Insurance Numbers It provides that persons shall not knowingly use, communicate or allow to be communicated, a person's social insurance number, without such person's written consent Also, the Commissioner stressed that the social insurance number is not a piece of identification and should not be used as such 53
Immediate Priorities Immediate Priorities for Businesses In order to comply with PIPEDA companies should: adopt a privacy compliance strategy appoint a privacy officer review the current personal information practices review and update, if necessary, the company s privacy policy 54
Immediate Priorities review the company s data management infrastructure to ensure it is adequately flexible to allow implementation of the company s privacy policies implement consent language in contracts, forms and other documents require third parties to whom personal information is disclosed to agree to use the personal information only for the purposes for which it was disclosed formulate a precise plan to deal with privacy complaints from individuals implement training for all employees with respect to the company s privacy policy 55
Conclusion Conclusions Privacy laws must be taken into account in any transaction involving the disclosure or transfer of personal information It may be impractical or impossible to obtain express consent to the transfer of personal information as part of a transaction 56
Conclusion While it may be argued that implicit consent may be relied upon this view is not free from doubt Opinions may need to be qualified 57