Canada: U.S. And Canadian Privacy Considerations For Mergers And Acquisitions

Last Updated: June 4 2013

The exchange of information about individuals, including customers, employees and security holders, is often an integral part of merger and acquisition transactions. Compliance with privacy law is and will continue to be a consideration in merger and acquisition transactions in light of evolving privacy regulation and enforcement regarding personal information. This article provides an overview of U.S. and Canadian privacy considerations for mergers and acquisitions.

U.S. and Canadian Privacy Law Overview

The law relating to privacy differs significantly as between the U.S. and Canada.

A.  U.S. privacy law

The United States has various federal and state privacy laws that apply to certain types of information, entities and circumstances. There are also federal and state privacy guidance and industry standards that are considered best practices. For example, the U.S. Federal Trade Commission ("FTC") final privacy report on consumer privacy describes best practices and applies to commercial entities which collect or use consumer data that can be "reasonably linked" to a specific consumer, computer or device with certain exceptions. (See: Federal Trade Commission, FTC Report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012)). While the U.S. federal and state privacy laws, guidance, cases and industry standards generally address the collection, use and disclosure of personal information, the requirements are specific to the types of personal information and entities and circumstances involved. Particular U.S. federal and state privacy laws, guidance, cases and industry standards may also have provisions regarding transactions (including mergers and acquisitions) and related provisions (see, e.g., the Health Insurance Portability and Accountability Act (Pub. L. No. 104-191), as amended by the Health Information Technology for Economic and Clinical Health Act (enacted under Title XIII of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5) (collectively, "HIPAA") and the Gramm-Leach-Bliley Act (15 U.S.C. 6801-6809) (the "GLB Act")).

i.     U.S. federal privacy laws

As to U.S. federal privacy laws that could be involved in mergers and acquisitions, the FTC enforces privacy under section 5 of the Federal Trade Commission Act (15 U.S.C. 45), which prohibits "....unfair or deceptive acts or practices in or affecting commerce...." and applies to persons or entities, with certain exceptions. In addition, the U.S. Department of Health & Human Services' Office for Civil Rights and state attorneys general enforce HIPAA, which applies to the use or disclosure of protected health information (i.e., individually identifiable health information, with certain exclusions) by health plans, health-care providers and health-care clearinghouses (i.e., covered entities) as well as by persons and entities that provide certain services to, for or on behalf of covered entities (i.e., business associates). Also, various state and federal regulators, including the FTC, enforce the GLB Act, which applies to financial institutions and covers non-public personal information (i.e., personally identifiable information provided by a consumer to a financial institution, resulting from any transaction with or service performed for the consumer or otherwise obtained by the financial institution). Moreover, the FTC, state attorneys general and certain other regulators enforce the Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.), which applies to an operator of a website or online service, including a mobile application, directed to children under age 13 or having actual knowledge that it is collecting or maintaining personal information from children under age 13.

ii.       U.S. state privacy laws

There are different U.S. state privacy laws that could be involved in mergers and acquisitions. These state privacy laws cover personal information, commonly meaning name plus (1) social security number, (2) driver's license number or state identification card number or (3) financial account or credit or debit card information. For instance, state breach notification laws cover the notification that is required for a breach involving personal information and generally apply to persons and entities that own or license or maintain (but do not own) the personal information of residents of a particular state (see, e.g., Cal. Civ. Code Section 1798.82). Note that there is also breach notification for covered entities and business associates regarding protected health information under HIPAA. Moreover, state security procedures laws cover the obligation to maintain reasonable security procedures and practices to protect personal information and often apply to persons and entities that own or license personal information of residents of a particular state. Of note, the Massachusetts security procedures law (201 CMR 17.00 et seq.), which applies to persons and entities regardless of whether they are located in the U.S. (including Massachusetts) and regardless of whether they also must comply with HIPAA or the GLB Act, requires such persons and entities to develop, implement and maintain a comprehensive written information security program. Furthermore, state social security number laws cover restrictions on the use of social security numbers and generally apply to persons and entities (see, e.g., Cal. Civ. Code Section 1798.85).

B.  Canadian privacy law

In Canada, there is a patchwork of general private-sector privacy statutes consisting of federal legislation, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), and provincial legislation in the provinces of British Columbia, the Personal Information Protection Act, S.B.C. 2003, c. 63 (the "BC PIPA"), Alberta, the Personal Information Protection Act, S.A. 2003, c. P-6.5 (the "Alberta PIPA"), and Quebec, An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39.1 (the "Quebec Act"). PIPEDA is enforced by the Office of the Privacy Commissioner of Canada which may investigate privacy-related complaints, make findings, conduct audits and take other steps permitted under the legislation. Alberta and British Columbia also have independent Offices of the Information and Privacy Commissioner and the Quebec Act is enforced by the Commission d'accès à l'information du Québec.

Other provinces, such as Ontario, do not have comprehensive privacy legislation that applies to private-sector entities. Instead, Ontario has enacted the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A ("PHIPA"). In general terms, PHIPA has more limited application and primarily applies to the collection, use and disclosure of personal health information by a health information custodian, such as a hospital or physician. The provinces of New Brunswick, Newfoundland and Labrador, Manitoba and Saskatchewan have also promulgated health information protection legislation.

Because the health information protection statutes are more narrowly focused, the broader private-sector statutes of Alberta, British Columbia, Quebec and the federal jurisdiction more frequently arise in the context of commercial transactions. These privacy statutes govern the collection, use and disclosure of "personal information", which is broadly defined as information about an identifiable individual (but, in some cases, excluding employment contact information). The general rule under these Canadian privacy statutes is that personal information must not, with limited exceptions, be collected, used or disclosed unless consent is obtained from the individual to whom the personal information pertains.

PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity within a province except where there is privacy legislation in that province that has been determined by the Governor in Council to be substantially similar to PIPEDA. The Alberta, British Columbia and Quebec statutes have been held to be substantially similar to PIPEDA (as have the Ontario PHIPA and the New Brunswick Personal Health Information Privacy and Access Act, S.N.B. 2009, c. P-7.05, with respect to the collection, use and disclosure of health information only). As such, where applicable, provincial privacy legislation will apply to the collection, use and disclosure of personal information in the context of commercial transactions within those provinces.

Both the Alberta PIPA and BC PIPA include exceptions to the consent rule that specifically deal with the handling of personal information in the context of a "business transaction". In general terms, these statutes provide that personal information may be collected, used or disclosed without consent if the information is "necessary" for parties to decide whether to proceed with a "business transaction" or whether to finalize the deal. In order to take advantage of the business transaction exemption, the parties to the transaction must have entered into an agreement, which among other things, must include provisions that the collection, use and disclosure of the information must be restricted to the purposes of the transaction and that, if the transaction is completed, the acquiring entity (the "Acquirer") may only use the information for the same purposes for which the information was initially collected. "Business transaction" is defined in section 20(1) of the BC PIPA as the purchase, sale, lease, merger or amalgamation or any other type of acquisition, disposal or financing of an organization or a portion of an organization or of any of the business or assets of an organization. The definition in section 22(1)(a) of the Alberta PIPA also refers to "the taking of a security interest in respect of, an organization or a portion of an organization or any business or activity or business asset of an organization and includes a prospective transaction of such a nature". Note, however, that the Alberta PIPA business transaction exemption will not apply where the primary objective or result of the transaction is the sale, disposal or disclosure of personal information itself. The BC PIPA contains a similar exclusion.

Neither PIPEDA nor the Quebec Act contains a "business transaction" exemption. Accordingly, parties to a transaction ought to make an assessment as to whether the legislation is applicable to a particular collection, use or disclosure of personal information, and if so, whether either or both parties must obtain consent before collecting, using and disclosing that information in the context of the transaction.

Where transactions have a cross-border element, PIPEDA will continue to apply to the collection, use and disclosure that takes place across provincial or national borders. However, the reach of PIPEDA has certain constitutional limitations. Even in the absence of substantially similar provincial privacy legislation, PIPEDA will not generally apply to the collection, use and disclosure by provincially regulated entities of the personal information of such entities' employees. This limitation may give entities more freedom to collect and disclose employee personal information during the course of a transaction. That said, some caution is required since the law in this area is still developing. There is at least one decision of the Alberta Privacy Commissioner that suggests that "employee information" may lose its character as such and become general "personal information" and certain sensitive personal information may not constitute "business transaction information" when used or disclosed in a business transaction (see: Builders Energy Services Ltd., P2005-IR-005, July 12, 2005 (Alberta Information and Privacy Commissioner)). Using the same reasoning, it may remain an open question whether PIPEDA may apply not only to personal information about clients, customers and suppliers, but also to employees in those provinces where the entity being acquired (the "Target") has employees (other than B.C., Alberta and Quebec where the provincial statutes apply).

In addition to the privacy statutes, there is a growing body of common law in which privacy rights have been recognized. For example, the Ontario Court of Appeal recently recognized a new and independent cause of action in tort for invasion of privacy in the case of Jones v. Tsige (2012), 108 O.R. (3d) 241 (C.A.).

Given the patchwork of Canadian law applicable to a merger or acquisition, the parties will need to consider the objective of the transaction, what kind of personal information will be collected, used or disclosed as part of the transaction, what personal information will transfer to the Acquirer at closing and what uses the Acquirer will make of that information post-closing.

Due Diligence/Representations and Warranties

An acquisition transaction will generally involve a due diligence phase where the Acquirer will investigate the Target. The parties will simultaneously or thereafter commence preparing the merger or acquisition agreement. As part of that merger or acquisition agreement, the Target will generally make representations and warranties about the status of its business, and the parties will make various covenants to each other.

As part of due diligence, the Acquirer should assess whether the Target is compliant with applicable privacy requirements (including privacy law, guidance, cases and industry standards) as well as the Target's policies (including website or mobile application privacy policies). The merger or acquisition agreement may contain representations and warranties specific to privacy compliance in addition to a general representation and warranty to the effect that the Target is in compliance with all applicable laws. Specific privacy representations and warranties could be to the effect that the Target (1) complies with all applicable privacy law, guidance, cases and industry standards and (2) complies with its own privacy policy.

The Target should involve persons at the Target with responsibility for or knowledge of its privacy compliance (for example, a privacy officer) in the transaction. Privacy counsel also should be involved and co-ordinate with such persons to ensure that the representations and warranties of the Target are accurate, and if acting for the Acquirer, that the due diligence in respect of these matters is adequate. Whether, when and the extent to which privacy counsel are engaged by the Target varies depending upon the direction provided by the Target and its advisers.

There are clear advantages to retaining privacy counsel at the outset. In Canada, the "business transaction" exception available in two of its privacy statutes only applies if the parties have entered into a non-disclosure or confidentiality agreement ("NDA") that sets out specific parameters around the collection, use and disclosure of personal information in the context of the business transaction. By comparison, an NDA relating to a U.S. Target in a non-regulated industry typically defines confidential information broadly (including corporate information) and does not specifically state how personal information will be handled. In either case, privacy counsel can make recommendations in an effort to ensure that both the applicable legal requirements and the parties' intentions are met.

A.  Compliance with laws and other requirements

Another significant risk in privacy counsel not being engaged at the outset of the transaction is that the Target could make representations and warranties about its privacy compliance that are not true. This risk is also a factor if privacy counsel is engaged at the outset but limited to reviewing and commenting on the merger or acquisition agreement with scant information about the actual privacy compliance of the Target. A merger or acquisition agreement commonly provides that an entity must indemnify the other parties to the agreement for losses relating to the breach or inaccuracy of representations and warranties that the entity makes. Where non-compliance is found, covenants or closing conditions could be added to the merger or acquisition agreement regarding remediation.

A representation and warranty by the Target that it complies with all applicable privacy law, guidance, cases and industry standards could have application worldwide where there is no qualifying language. Factors such as the location in which the Target is based, where the Target conducts business, the industry in which the Target conducts business, the locations in which the individuals whose information is collected, used or disclosed reside, and the types of such information, must be considered. Different countries have different privacy laws, guidance, cases and industry standards as well as different privacy regulators and enforcement. Just as U.S. privacy counsel would be in a position to assess and assist with U.S. privacy compliance, Canadian privacy counsel would be in a position to assess and assist with Canadian privacy compliance.

If the Target has minimal awareness of its privacy compliance obligations and of its non-compliance, it would not be in a position to represent and warrant that it complies with all applicable privacy law, guidance, cases and industry standards. If the Acquirer requires such a representation, the Target will generally wish to add knowledge and materiality qualifiers to the representation. In addition, exceptions could be made to the representation and warranty in an accompanying disclosure schedule.

B.  Compliance with privacy policies

The Target can anticipate that the Acquirer will usually request copies of privacy policies, and that the Target represent and warrant that it is in compliance with such policies. If the Target is representing and warranting that it complies with its own privacy policy, the Target will first need to confirm that it actually has a privacy policy.

An operator of a commercial website or an online service (including a mobile application) that collects personally identifiable information about any California resident through the Internet must have and conspicuously post or make available a privacy policy that complies with the California Online Privacy Protection Act, which the California Attorney General enforces (see: California Bus. and Prof. Code Sections 22575 and 22577(b) and Press Release, State of California Department of Justice, Office of the Attorney General, Attorney General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy Law (Dec. 6, 2012)).

All Canadian entities are required to implement privacy policies and provide training on and comply with such policies. Many entities will have both an outward-facing privacy policy (applicable to its clients, customers and the public in general), as well as an employee privacy policy that is applicable internally only.

Whether in the U.S. or Canada, there may be different versions of a privacy policy from the Target. Among other things, a privacy policy describes the types of information that the privacy policy applies to and whether this information can be shared with third parties. The Acquirer should determine whether any covered types of information to be transferred in the transaction can be shared with third parties under the privacy policy. When a privacy policy is prepared or updated, a transaction may not be contemplated and such disclosure to an Acquirer may not be provided for in the privacy policy.

i.     Risk of enforcement

There is a risk of enforcement by the FTC regarding the specific privacy policy language regarding restrictions on sharing information with third parties as the contemplated transfer of personal information in the transaction could be in violation of the Federal Trade Commission Act. The FTC could already be aware of the merger or acquisition in the antitrust context. State attorneys general also could take action (see: Tiffany Kary, Borders to Sell Intellectual Property to Barnes & Noble, Business Week (Sept. 26, 2011) and Matt Richtel, in Settlement with F.T.C., The New York Times (July 22, 2000)). The transaction could be significantly impacted particularly where customer information, including as part of a database, is a key asset in the transaction. The structure of the transaction (for example, whether an asset, stock or merger transaction) also has importance.

A.   Borders Group

The FTC has weighed in on contemplated asset transactions in the bankruptcy context, most recently regarding the Borders Group and XY. A letter requested from the FTC in a bankruptcy proceeding regarding the contemplated sale of certain consumer personal information in the possession of Borders described the FTC's concerns that any sale or transfer of the personal information of Borders' customers would contravene Borders' express promise not to disclose such information and could constitute a deceptive or unfair practice.

Borders collected consumer personal information under at least three privacy policies. The first policy stated in relevant part: "Borders, Inc., Walden Book Company, Inc., and their related companies believe that your personal information – including your purchase history, phone number(s), and credit card data – belongs to you. We collect this type of information to serve you better when you provide it to us, but we do not rent or sell your information to third parties. From time to time, we may ask if you are interested in receiving information from third parties whose services or information we think would be of value to you. In those instances, we will only disclose your email address or other personal information to third parties if you expressly consent to such disclosure. (Emphasis in original)." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)). Borders' second privacy policy contained the same privacy language as the first privacy policy, with no substantive changes.

The third privacy policy contained the same language restricting the sale or rental of personal information and also included the following language: "Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders' practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)). The FTC viewed this language "applying to business transactions that would allow Borders to continue operating as a going concern and not to the dissolution of the company and piecemeal sale of assets in bankruptcy." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)).

According to the FTC, "[i]n light of the promises Borders made to its customers, [the FTC] believe[s] it would be appropriate for Borders to obtain express consent from its customers, specifying the potential purchaser, before it transfers the data. The consent process would allow customers to make their own determination as to whether a transfer of their information would be acceptable to them. For consumers who did not consent, their data would be purged." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)).

The FTC continued: "....[i]f the bankruptcy court declines to require consent to the transfer in light of other considerations, the Toysmart settlement is an appropriate model to apply here. As in Toysmart, [the FTC's] concerns about the transfer of customer information inconsistent with privacy promises would be greatly diminished if all the following conditions were met:

  • Borders agrees not to sell the customer information as a standalone asset;
  • The buyer is engaged in substantially the same lines of business as Borders;
  • The buyer expressly agrees to be bound by and adhere to the terms of Borders' privacy policy; and
  • The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the Borders' policy." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Michael St. Patrick Baxter and Yaron Dori (Sept. 14, 2011)).

After the federal bankruptcy court approved the sale of Borders assets, including its customer list, acquirer Barnes & Noble sent a letter to Borders' customers notifying them of this approval and of the customer information to be transferred. Borders' customers could opt-out of having their customer data transferred to Barnes & Noble by a specified deadline and Barnes & Noble would ensure that their data that Barnes & Noble received from Borders would be disposed of in a secure and confidential manner. If Borders' customers did not opt-out, their information would be covered under the Barnes & Noble privacy policy (see: and Federal Trade Commission, For Your Information (Oct. 6, 2011)).

B.    XY

In a letter from the FTC to initial individual stakeholders in XY Corporation who were seeking to establish ownership and obtain possession of sensitive personal information from subscribers to the defunct XY gay male youth-oriented magazine and website through a bankruptcy proceeding, the FTC said: ".... the XY privacy policy is simple, explicit, and clear. Subscribers and members were told that their personal information would not be sold, shared, or given away to 'anybody.' This includes the names, addresses, profile information, and credit card information submitted by subscribers. It also includes unpublished articles that were submitted, for which permission to publish had not yet been secured. Therefore, any sale or transfer of the data to a new company, new owner, or other third party would directly contravene the privacy representations and could constitute a deceptive practice by the original company or its principals. Such practice also could be unfair. In addition, the receipt of such data by a third party, knowing that such receipt violated the privacy policy, could be unfair" (see: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Peter Larson, et al. (July 1, 2010)).

The FTC continued:  "...the continued use of the XY [personal information], even by the existing owner, would not necessarily be consistent with the original purpose for which the data was provided. Indeed, due to the nature of the information, the passage of time, and the closure of the magazine and website in 2007 and 2009, respectively, the continued use of the data may pose privacy risks not reasonably contemplated by subscribers when they provided the data, and not consistent with their course of dealing with the company." (See: letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Peter Larson, et al. (July 1, 2010)).

Since the FTC believed that any sale, transfer or use of the XY personal information raises serious privacy issues and could violate the Federal Trade Commission Act as well as to avoid the possibility of this information falling into the wrong hands, the FTC asked that it be destroyed (along with any credit card data still being retained) as soon as possible (See: Letter from David C. Vladeck, Federal Trade Commission Bureau of Consumer Protection, to Peter Larson, et al. (July 1, 2010)). After receiving a copy of the FTC's letter to XY, the court overseeing bankruptcy proceedings involving XY ordered the destruction of the information. (See: remarks of David C. Vladeck, Director, Federal Trade Commission Bureau of Consumer Protection, International Association of Privacy Professionals Practical Privacy Series, Washington, DC (Dec. 7, 2010)).

C.   Covenants

In addition to the representations and warranties dealing with privacy law issues, consideration will need to be given as to whether the covenants in the merger or acquisition agreement give rise to any privacy law concerns. For example, it is relatively common to include a covenant that the Target will disclose or provide to the Acquirer all books and records of the business upon completion of the transaction. Many of those books and records may contain personal information.

In Canada, the parties should consider whether they must obtain the consent of the individuals to whom the personal information pertains before collecting or disclosing that information. In some circumstances, it is possible that express or implied consent has already been obtained through the use of agreements, privacy notices or privacy policies to customers or employees dealing with the disclosure of personal information in the context of a transaction. If the scope of the consents is limited, the Target may request that the Acquirer covenant to use or disclose the personal information collected in the transaction only for the purposes for which it was disclosed to the Target in the first place. If the Acquirer has alternative plans for the personal information, privacy counsel can advise on whether there are risks and, if so, the potential exposure.

Ongoing Privacy Compliance

Entities engaged in a merger or acquisition transaction will have privacy compliance obligations before, during and after the merger or acquisition. Following the closing of the transaction, the Acquirer may be limited in the uses and disclosures that it can make of the information transferred to it as part of the transaction.

Depending on the business, a chief privacy officer or other person with responsibility for privacy matters may be engaged to manage ongoing compliance issues. Privacy counsel in appropriate countries may also be engaged to assist both with the entity's ongoing privacy compliance requirements and with any mergers and acquisitions. By monitoring compliance issues with appropriate guidance, such entities will be in a position to identify and address the various privacy compliance issues that can arise at any time.


Privacy compliance issues can impact an entity's brand and reputation and its bottom line. Given the heightened sensitivity to exposure and liability around privacy breaches and compliance with privacy law requirements, it is always prudent to take into consideration privacy law requirements when considering a potential merger or acquisition. For example, a past privacy breach or incident will have an impact on certain aspects of the merger or acquisition transaction, including representations and warranties to be made in the merger or acquisition agreement, whether or not the breach or incident was reported to any affected individuals, authorities or others in a particular country. For the Acquirer, due diligence about the privacy compliance and breaches or incidents of the Target may be key.

In all cases, privacy policies should be reviewed and assessed, including those related to websites and mobile applications. Consideration should be given to whether the policies contain provisions about sharing information with third parties, particularly in light of the regulation and enforcement risk in the U.S. If the policies do not refer to the sharing of personal information as part of a merger or acquisition transaction in Canada, consideration will need to be given as to whether consent is required to collect, use and disclose personal information in the context of a transaction. Any covenants relating to personal information in the merger or acquisition agreement may be modified accordingly.

Following the closing of the transaction, in the ever-changing world of privacy law, entities, chief privacy officers or other persons with responsibility for privacy matters and, as necessary, privacy counsel should continue to work together to monitor and address legal and business developments.

Article by Melissa J. Krasnow, Partner, Dorsey & Whitney LLP, and Andrea York, Partner, Blake, Cassels & Graydon LLP

Melissa J. Krasnow is a corporate Partner with Dorsey & Whitney LLP. Her practice encompasses privacy, electronic and mobile commerce, social media, Internet, anti-money laundering and corporate governance and compliance law, as well as domestic and cross-border mergers and acquisitions. She is a Certified Information Privacy Professional/US (CIPP/US) who serves on the Certification Advisory Board for the CIPP/US program and the Canadian Advisory Board of the International Association of Privacy Professionals.

Andrea York is a Partner in the Privacy and Employment & Labour groups at Blake, Cassels & Graydon LLP and is Co-chair of the Firm's Privacy group. Her practice focuses on providing key advice to employers in a broad range of privacy and employment law contexts, including those that arise in M&A transactions, litigation and in the area of compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
