The exchange of information about individuals, including customers, employees and security holders, is often an integral part of merger and acquisition transactions. Compliance with privacy law is and will continue to be a considerationin merger and acquisition transactions in light of evolving privacy regulation and enforcement regarding personal information. This article provides an overview of U.S. and Canadian privacy considerations for mergers and acquisitions.
U.S. and Canadian Privacy Law Overview
The law relating to privacy differs significantly as between the U.S. and Canada.
A. U.S. privacy law
The United States has various federal and state privacy laws that apply to certain types of information, entities and circumstances. There are also federal and state privacy guidance and industry standards that are considered best practices. For example, the U.S. Federal Trade Commission ("FTC") final privacy report on consumer privacy describes best practices and applies to commercial entities which collect or use consumer data that can be "reasonably linked" to a specific consumer, computer or device with certain exceptions. (See: Federal Trade Commission, FTC Report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012)). While the U.S. federal and state privacy laws, guidance, cases and industry standards generally address the collection, use and disclosure of personal information, the requirements are specific to the types of personal information and entities and circumstances involved. Particular U.S. federal and state privacy laws, guidance, cases and industry standards may also have provisions regarding transactions (including mergers and acquisitions) and related provisions (see, e.g., the Health Insurance Portability and Accountability Act (Pub. L. No. 104-191), as amended by the Health Information Technology for Economic and Clinical Health Act (enacted under Title XIII of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5) (collectively, "HIPPA") and the Gramm-Leach-Bliley Act (15 U.S.C. 6801-6809) (the "GLB Act")).
i. U.S. federal privacy laws
As to U.S. federal privacy laws that could be involved in mergers and acquisitions, the FTC enforces privacy under section 5 of the Federal Trade Commission Act (15 U.S.C. 45), which prohibits "....unfair or deceptive acts or practices in or affecting commerce...." and applies to persons or entities, with certain exceptions. In addition, the U.S. Department of Health & Human Services' Office for Civil Rights and state attorneys general enforce HIPPA, which applies to the use or disclosure of protected health information (i.e., individually identifiable health information, with certain exclusions) by health plans, health-care providers and health-care clearinghouses (i.e., covered entities) as well as by persons and entities that provide certain services to, for or on behalf of covered entities (i.e., business associates).Also, various state and federal regulators, including the FTC, enforce the GLB Act, which applies to financial institutions and covers non-public personal information (i.e., personally identifiable information provided by a consumer to a financial institution, resulting from any transaction with or service performed for the consumer orotherwise obtained by the financial institution). Moreover, the FTC, state attorneys general and certain other regulatorsenforce the Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.), which applies to an operator of a website or online service, including a mobile application, directed to children under age 13 or having actual knowledge that it is collecting or maintaining personal information from children under age 13.
ii. U.S. state privacy laws
There are different U.S. state privacy laws that could be involved in mergers and acquisitions. These state privacy laws cover personal information, commonly meaning name plus (1) social security number, (2) driver's license number or state identification card number or (3) financial account or credit or debit card information. For instance, state breach notification laws cover the notification that is required for a breach involving personal information and generally apply to persons and entities that own or license or maintain (but do not own) the personal information of residents of a particular state (see, e.g., Cal. Civ. Code Section 1798.82). Note that there is also breach notification for covered entities and business associates regarding protected health information under HIPPA. Moreover, state security procedures laws cover the obligation to maintain reasonable security procedures and practices to protect personal information and often apply to persons and entities that own or license personal information of residents of a particular state. Of note, the Massachusetts security procedures law (201 CMR 17.00 et seq.), which applies to persons and entities regardless of whether they are located in the U.S. (including Massachusetts) and regardless of whether they also must comply with HIPPA or the GLB Act, requires such persons and entities to develop, implement and maintain a comprehensive written information security program. Furthermore, state social security number laws cover restrictions on the use of social security numbers and generally apply to persons and entities (see, e.g., Cal. Civ. Code Section 1798.85).
B. Canadian privacy law
In Canada, there is a patchwork of general private-sector privacy statutes consisting of federal legislation, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), and provincial legislation in the provinces of British Columbia, the Personal Information Protection Act, S.B.C. 2003, c. 63 (the "BC PIPA"), Alberta, the Personal Information Protection Act, S.A. 2003, c. P-6.5 (the "Alberta PIPA"), and Quebec, An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39.1 (the "Quebec Act"). PIPEDA is enforced by the Office of the Privacy Commissioner of Canada which may investigate privacy-related complaints, make findings, conduct audits and take other steps permitted under the legislation. Alberta and British Columbia also have independent Offices of the Information and Privacy Commissioner and the Quebec Act is enforced by the Commission d'accès à l'information du Québec.
Other provinces, such as Ontario, do not have comprehensive privacy legislation that applies to private-sector entities. Instead, Ontario has enacted the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A ("PHIPA"). In general terms, PHIPA has more limited application and primarily applies to the collection, use and disclosure of personal health information by a health information custodian, such as a hospital or physician. The provinces of New Brunswick, Newfoundland and Labrador, Manitoba and Saskatchewan have also promulgated health information protection legislation.
Because the health information protection statutes are more narrowly focused, the broader private-sector statutes of Alberta, British Columbia, Quebec and the federal jurisdiction more frequently arise in the context of commercial transactions. These privacy statutes govern the collection, use and disclosure of "personal information", which is broadly defined as information about an identifiable individual (but, in some cases, excluding employment contact information). The general rule under these Canadian privacy statutes is that personal information must not, with limited exceptions, be collected, used or disclosed unless consent is obtained from the individual to whom the personal information pertains.
PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity within a province except where there is privacy legislation in that province that has been determined by the Governor in Council to be substantially similar to PIPEDA. The Alberta, British Columbia and Quebec statutes have been held to be substantially similar to PIPEDA (as have the Ontario PHIPA and the New Brunswick Personal Health information Privacy and Access Act, S.N.B. 2009, c. P-7.05, with respect to the collection, use and disclosure of health information only). As such, where applicable, provincial privacy legislation will apply to the collection, use and disclosure of personal information in the context of commercial transactions within those provinces.
Both the Alberta PIPA and BC PIPA include exceptions to the consent rule that specifically deal with the handling of personal information in the context of a "business transaction". In general terms, these statutes provide that personal information may be collected, used or disclosed without consent if the information is "necessary" for parties to decide whether to proceed with a "business transaction" or whether to finalize the deal. In order to take advantage of the business transaction exemption, the parties to the transaction must have entered into an agreement, which among other things, must include provisions that the collection, use and disclosure of the information must be restricted to the purposes of the transaction and that, if the transaction is completed, the acquiring entity (the "Acquirer") may only use the information for the same purposes for which the information was initially collected. "Business transaction" is defined in section 20(1) of the BC PIPA as the purchase, sale, lease, merger or amalgamation or any other type of acquisition, disposal or financing of an organization or a portion of an organization or of any of the business or assets of an organization. The definition in section 22(1)(a) of the Alberta PIPA also refers to "the taking of a security interest in respect of, an organization or a portion of an organization or any business or activity or business asset of an organization and includes a prospective transaction of such a nature". Note, however, that the Alberta PIPA business transaction exemption will not apply where the primary objective or result of the transaction is the sale, disposal or disclosure of personal information itself. The BC PIPA contains a similar exclusion.
Neither PIPEDA nor the Quebec Act contains a "business transaction" exemption. Accordingly, parties to a transaction ought to make an assessment as to whether the legislation is applicable to a particular collection, use or disclosure of personal information, and if so, whether either or both parties must obtain consent before collecting, using and disclosing that information in the context of the transaction.
Where transactions have a cross-border element, PIPEDA will continue to apply to the collection, use and disclosure that takes place across provincial or national borders. However, the reach of PIPEDA has certain constitutional limitations. Even in the absence of substantially similar provincial privacy legislation, PIPEDA will not generally apply to the collection, use and disclosure by provincially regulated entities of the personal information of such entities' employees. This limitation may give entities more freedom to collect and disclose employee personal information during the course of a transaction. That said, some caution is required since the law in this area is still developing. There is at least one decision of the Alberta Privacy Commissioner that suggests that "employee information" may lose its character as such and become general "personal information" and certain sensitive personal information may not constitute "business transaction information" when used or disclosed in a business transaction (see: Builders Energy Services Ltd., P2005-IR-005, July 12, 2005 (Alberta Information and Privacy Commissioner)). Using the same reasoning, it may remain an open question whether PIPEDA may apply not only to personal information about clients, customers and suppliers, but also to employees in those provinces where the entity being acquired (the "Target") has employees (other than B.C., Alberta and Quebec where the provincial statutes apply).
In addition to the privacy statutes, there is a growing body of common law in which privacy rights have been recognized. For example, the Ontario Court of Appeal recently recognized a new and independent cause of action in tort for invasion of privacy in the case of Jones v. Tsige (2012), 108 O.R. (3d) 241 (C.A.).
Given the patchwork of Canadian law applicable to a merger or acquisition, the parties will need to consider the objective of the transaction, what kind of personal information will be collected, used or disclosed as part of the transaction, what personal information will transfer to the Acquirer at closing and what uses the Acquirer will make of that information post-closing.
Due Diligence/Representations and Warranties
In general, an acquisition transaction will generally involve a due diligence phase where the Acquirer will investigate the Target. The parties will simultaneously or thereafter commence preparing the merger or acquisition agreement. As part of that merger or acquisition agreement, the Target will generally make representations and warranties about the status of its business, and the parties will make various covenants to each other.
As part of due diligence, the Acquirer should assess whether the Target is compliant with applicable privacy requirements (including privacy law, guidance, cases and industry standards) as well as the Target's policies (including website or mobile application privacy policies). The merger or acquisition agreement may contain representations and warranties specific to privacy compliance in addition to a general representation and warranty to the effect that the Target is in compliance with all applicable laws. Specific privacy representations and warranties could be to the effect that the Target (1) complies with all applicable privacy law, guidance, cases and industry standards and (2) complies with its own privacy policy.
The Target should involve persons at the Target with responsibility for or knowledge of its privacy compliance (for example, a privacy officer) in the transaction. Privacy counsel also should be involved and co-ordinate with such persons to ensure that the representations and warranties of the Target are accurate, and if acting for the Acquirer, that the due diligence in respect of these matters is adequate. Whether, when and the extent to which privacy counsel are engaged by the Target varies depending upon the direction provided by the Target and its advisers.
There are clear advantages to retaining privacy counsel at the outset. In Canada, the "business transaction" exception available in two of its privacy statutes only applies if the parties have entered into a non-disclosure or confidentiality agreement ("NDA") that sets out specific parameters around the collection, use and disclosure of personal information in the context of the business transaction. By comparison, an NDA relating to a U.S. Target in a non-regulated industry typically defines confidential information broadly (including corporate information) and does not specifically state how personal information will be handled. In either case, privacy counsel can make recommendations in an effort to ensure that both the applicable legal requirements and that the parties' intentions are met.
A. Compliance with laws and other requirements
Another significant risk in privacy counsel not being engaged at the outset of the transaction is that the Target could make representations and warranties about its privacy compliance that are not true. This risk is also a factor if privacy counsel is engaged at the outset but limited to reviewing and commenting on the merger or acquisition agreement with scant information about the actual privacy compliance of the Target. A merger or acquisition agreement commonly provides that an entity must indemnify the other parties to the agreement for losses relating to the breach or inaccuracy of representations and warranties that the entity makes. Where non-compliance is found, covenants or closing conditions could be added to the merger or acquisition agreement regarding remediation.
A representation and warranty by the Target that it complies with all applicable privacy law, guidance, cases and industry standards could have application worldwide where there is no qualifying language. Factors such as the location in which the Target is based, where the Target conducts business, the industry in which the Target conducts business, the locations in which the individuals whose information is collected, used or disclosed reside, and the types of such information, must be considered. Different countries have different privacy laws, guidance, cases and industry standards as well as different privacy regulators and enforcement. Just as U.S. privacy counsel would be in a position to assess and assist with U.S. privacy compliance, Canadian privacy counsel would be in a position to assess and assist with Canadian privacy compliance.
If the Target has minimal awareness of its privacy compliance obligations and of its non-compliance, it would not be in a position to represent and warrant that it complies with all applicable privacy law, guidance, cases and industry standards. If the Acquirer requires such a representation, the Target will generally wish to add knowledge and materiality qualifiers to the representation. In addition, exceptions could be made to the representation and warranty in an accompanying disclosure schedule.
B. Compliance with privacy policies
The Target can anticipate that the Acquirer will usually request copies of privacy policies, and that the Target represent and warrant that it is in compliance with such policies. If the Target is representing and warranting that it complies with its own privacy policy, the Target will first need to confirm that it actually has a privacy policy.
An operator of a commercial website or an online service (including a mobile application) that collects personally identifiable information about any California resident through the Internet must have and conspicuously post or make available a privacy policy that complies with the California Online Privacy Protection Act, which the California Attorney General enforces (see: California Bus. and Prof. Code Sections 22575 and 22577(b) and Press Release, State of California Department of Justice, Office of the Attorney General, Attorney General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy Law (Dec. 6, 2012)).
All Canadian entities are required to implement privacy policies and provide training on and comply with such policies. Many entities will have both an outward-facing privacy policy (applicable to its clients, customers and the public in general), as well as an employee privacy policy that is applicable internally only.
Whether in the U.S. or Canada, there may be different versions of a privacy policy from the Target. Among other things, a privacy policy describes the types of information that the privacy policy applies to and whether this information can be shared with third parties. The Acquirer should determine whether any covered types of information to be transferred in the transaction can be shared with third parties under the privacy policy. When a privacy policy is prepared or updated, a transaction may not be contemplated and such disclosure to an Acquirer may not be provided for in the privacy policy.
i. Risk of enforcement
There is a risk of enforcement by the FTC regarding the specific privacy policy language regarding restrictions on sharing information with third parties as the contemplated transfer of personal information in the transaction could be in violation of the Federal Trade Commission Act. The FTC could already be aware of the merger or acquisition in the antitrust context. Also, state attorneys general also could take action (see: Tiffany Kary, Borders to Sell Intellectual Property to Barnes & Noble, Business Week (Sept. 26, 2011) and Matt Richtel, Toysmart.com in Settlement with F.T.C.,The New York Times (July 22, 2000)). The transaction could be significantly impacted particularly where customer information, including as part of a database, is a key asset in the transaction. The structure of the transaction (for example, whether an asset, stock or merger transaction) also has importance.
A. Borders Group
The FTC has weighed in on contemplated asset transactions in the bankruptcy context, most recently regarding the Borders Group and XY. A letter requested from the FTC in a bankruptcy proceeding regarding the contemplated sale of certain consumer personal information in the possession of Borders described the FTC's concerns that any sale or transfer of the personal information of Borders' customers would contravene Borders' express promise not to disclose such information and could constitute a deceptive or unfair practice.
Borders collected consumer personal information under at least three privacy policies. The first policy stated in relevant part: "Borders, Inc., Walden Book Company, Inc., and their related companies believe that your personal information – including your purchase history, phone number(s), and credit card data – belongs to you. We collect this type of information to serve you better when you provide it to us, but we do not rent or sell your information to third parties. From time to time, we may ask if you are interested in receiving information from third parties whose services or information we think would be of value to you. In those instances, we will only disclose your email address or other personal information to third parties if you expressly consent to such disclosure. (Emphasis in original)." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)). Borders' second privacy policy contained the same privacy language as the first privacy policy, with no substantive changes.
The third privacy policy contained the same language restricting the sale or rental of personal information and also included the following language: "Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders' practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)). The FTC viewed this language "....as applying to business transactions that would allow Borders to continue operating as a going concern and not to the dissolution of the company and piecemeal sale of assets in bankruptcy." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)).
According to the FTC, "[i]n light of the promises Borders made to its customers, [the FTC] believe[s] it would be appropriate for Borders to obtain express consent from its customers, specifying the potential purchaser, before it transfers the data. The consent process would allow customers to make their own determination as to whether a transfer of their information would be acceptable to them. For consumers who did not consent, their data would be purged." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)).
The FTC continued: "....[i]f the bankruptcy court declines to require consent to the transfer in light of other considerations, the Toysmart settlement is an appropriate model to apply here. As in Toysmart, [the FTC's] concerns about the transfer of customer information inconsistent with privacy promises would be greatly diminished if all the following conditions were met:
- Borders agrees not to sell the customer information as a standalone asset;
- The buyer is engaged in substantially the same lines of business as Borders;
- The buyer expressly agrees to be bound by and adhere to the terms of Borders' privacy policy; and
- The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the Borders' policy." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)).
After the federal bankruptcy court approved the sale of Borders assets, including its customer list, acquirer Barnes & Noble sent a letter to Borders' customers notifying them of this approval and of the customer information to be transferred. Borders' customers could opt-out of having their customer data transferred to Barnes & Noble by a specified deadline and Barnes & Noble would ensure that their data that Barnes & Noble received from Borders would be disposed of in a secure and confidential manner. If Borders' customers did not opt-out, their information would be covered under the Barnes & Noble privacy policy (see: http://www.barnesandnoble.com/container/stores.asp?PID=39742 and Federal Trade Commission, For Your Information (Oct. 6, 2011)).
B. XY
In a letter from the FTC to initial individual stakeholders in XY Corporation who were seeking to establish ownership and obtain possession of sensitive personal information from subscribers to the defunct XY gay male youth-oriented magazine and website through a bankruptcy proceeding, the FTC said: ".... the XY privacy policy is simple, explicit, and clear. Subscribers and members were told that their personal information would not be sold, shared, or given away to 'anybody.' This includes the names, addresses, profile information, and credit card information submitted by subscribers. It also includes unpublished articles that were submitted, for which permission to publish had not yet been secured. Therefore, any sale or transfer of the data to a new company, new owner, or other third party would directly contravene the privacy representations and could constitute a deceptive practice by the original company or its principals. Such practice also could be unfair. In addition, the receipt of such data by a third party, knowing that such receipt violated the privacy policy, could be unfair" (see: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Peter Larson, et al. (July 1, 2010)).
The FTC continued: "...the continued use of the XY [personal information], even by the existing owner, would not necessarily be consistent with the original purpose for which the data was provided. Indeed, due to the nature of the information, the passage of time, and the closure of the magazine and website in 2007 and 2009, respectively, the continued use of the data may pose privacy risks not reasonably contemplated by subscribers when they provided the data, and not consistent with their course of dealing with the company." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Peter Larson, et al. (July 1, 2010)).
Since the FTC believed that any sale, transfer or use of the XY personal information raises serious privacy issues and could violate the Federal Trade Commission Act as well as to avoid the possibility of this information falling into the wrong hands, the FTC asked that it be destroyed (along with any credit card data still being retained) as soon as possible (See: Letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Peter Larson, et al. (July 1, 2010)). After receiving a copy of the FTC's letter to XY, the court overseeing bankruptcy proceedings involving XY ordered the destruction of the information. (See: remarks of David C. Vladeck, Director, Federal Trade Commission Bureau of Consumer Protection, International Association of Privacy Professionals Practical Privacy Series, Washington, DC (Dec. 7, 2010).
C. Covenants
In addition to the representations and warranties dealing with privacy law issues, consideration will need to be given as to whether the covenants in the merger or acquisition agreement give rise to any privacy law concerns. For example, it is relatively common to include a covenant that the Target will disclose or provide to the Acquirer all books and records of the business upon completion of the transaction. Many of those books and records may contain personal information.
In Canada, the parties should consider whether they must obtain the consent of the individuals to whom the personal information pertains before collecting or disclosing that information. In some circumstances, it is possible that express or implied consent has already been obtained through the use of agreements, privacy notices or privacy policies to customers or employees dealing with the disclosure of personal information in the context of a transaction. If the scope of the consents is limited, the Target may request that the Acquirer covenant to use or disclose the personal information collected in the transaction only for the purposes for which it was disclosed to the Target in the first place. If the Acquirer has alternative plans for the personal information, privacy counsel can advise on whether there are risks and, if so, the potential exposure.
Ongoing Privacy Compliance
Entities engaged in a merger or acquisition transaction will have privacy compliance obligations before, during and after the merger or acquisition. Following the closing of the transaction, the Acquirer may be limited in the uses and disclosures that it can make of the information transferred to it as part of the transaction.
Depending on the business, a chief privacy officer or other person with responsibility for privacy matters may be engaged to manage ongoing compliance issues. Privacy counsel in appropriate countries may also be engaged to assist both with the entity's ongoing privacy compliance requirements and with any mergers and acquisitions. By monitoring compliance issues with appropriate guidance, such entities will be in a position to identify and address the various privacy compliance issues that can arise at any time.
Conclusion
Privacy compliance issues can impact an entity's brand and reputation and its bottom line. Given the heightened sensitivity to exposure and liability around privacy breaches and compliance with privacy law requirements, it is always prudent to take into consideration privacy law requirements when considering a potential merger or acquisition. For example, a past privacy breach or incident will have an impact on certain aspects of the merger or acquisition transaction, including representations and warranties to be made in the merger or acquisition agreement, whether or not the breach or incident was reported to any affected individuals, authorities or others in a particular country. For the Acquirer, due diligence about the privacy compliance and breaches or incidents of the Target may be key.
In all cases, privacy policies should be reviewed and assessed, including those related to websites and mobile applications. Consideration should be given to whether the policies contain provisions about sharing information with third parties, particularly in light of the regulation and enforcement risk in the U.S. If the policies do not refer to the sharing of personal information as part of a merger or acquisition transaction in Canada, consideration will need to be given as to whether consent is required to collect, use and disclose personal information in the context of a transaction. Any covenants relating to personal information in the merger or acquisition agreement may be modified accordingly.
Following the closing of the transaction, in the ever-changing world of privacy law, entities, chief privacy officers or other persons with responsibility for privacy matters and, as necessary, privacy counsel should continue to work together to monitor and address legal and business developments.
Melissa J. Krasnow is a corporate Partner with Dorsey & Whitney LLP. Her practice encompasses privacy, electronic and mobile commerce, social media, Internet, anti-money laundering and corporate governance and compliance law, as well as domestic and cross-border mergers and acquisitions. She is a Certified Information Privacy Professional/US (CIPP/US) who serves on the Certification Advisory Board for the CIPP/US program and the Canadian Advisory Board of the International Association of Privacy Professionals.
Andrea York is a Partner in the Privacy and Employment & Labour groups at Blake, Cassels & Graydon LLP and is Co-chair of the Firm's Privacy group. Her practice focuses on providing key advice to employers in a broad range of privacy and employment law contexts, including those that arise in M&A transactions, litigation and in the area of compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
