Article by Gary T. Clarke; Barbara B. Johnston & Birch K. Miller
Originally published in May 2006
Two recent decisions by a Canadian privacy commissioner have highlighted the importance of privacy in common business transactions, such as mergers and acquisitions.
BUSINESS TRANSACTION AGREEMENTS
The Personal Information Protection Acts of B.C. and Alberta, for example, both provide that personal information can be disclosed without the consent of individuals if the parties have entered into an agreement in which collection, use, and disclosure of that information is restricted to purposes that relate to the business transaction. The personal information must also be necessary for the parties to determine whether to proceed with the transaction and, if so, it must be necessary to carry out the transaction.
In one case (the Melrose Report), the Alberta Privacy Commissioner investigated a complaint that customers’ personal information had been disclosed without their consent during the course of a purchase and sale transaction. Personal information included customer IDs, names, telephone numbers, addresses, names of primary and secondary contacts, credit information, deposit information, account information, automatic payment methods, and identifying information such as social insurance numbers and driver's licence numbers.
Although disclosure was found to be in compliance with the legislation, it was noted that all business transaction agreements should specifically address the anticipated use of any transferred personal information. Boilerplate language will not be sufficient to satisfy the requirements of privacy legislation. In other words, the parties should undertake only to use personal information for the same purposes for which it was originally collected.
In a more recent case (the Builders’ Report), the Alberta Privacy Commissioner indicated that legal counsel must thoroughly consider privacy issues in the course of a business transaction. In this case, the prospective purchaser requested employee-related information from the vendors, including a list of employee names, a list of employment agreements, and details of employee benefits plans. Although the prospective purchaser did not request the employees’ home addresses or social insurance numbers, that information was also provided.
The purchaser forwarded the information to its lawyer, who attached the information as a schedule to the purchase and sale agreement and posted it on a public website (SEDAR: system for electronic document and analysis retrieval).
The parties had been diligent by entering into a confidentiality agreement, which provided for the personal information to be used only for evaluation purposes. However, the personal information was not necessary for concluding the transaction. It would only be reasonable to collect, use, or disclose home addresses and social insurance numbers after an individual became an employee of the purchasing organization.
The Privacy Commissioner found that some personal information might be necessary for the purposes of a transaction involving the acquisition of shares or assets of an organization, such as:
- names and titles of employees;
- descriptions of positions and functions;
- descriptions of an individual’s place in the acquired organization’s management structure, and, in some cases, salary levels;
- outstanding employee litigation; and
- whether the employee belongs to the organization’s benefit plan, stock purchase plan, pension plan or collective bargaining unit.
The personal information was not used or disclosed for the sole purpose of managing the employment relationship and was therefore not permissible under the legislation.
The law firm was found to have shown a lack of attention to the impact of privacy law on the collection, use, and disclosure of personal information. Law firms require a "heightened awareness and knowledge of privacy laws" in order to recognize the implications of transferring personal information.
Our recommendations to ensure compliance with privacy legislation are:
- conduct comprehensive in-house privacy training with all lawyers and staff;
- ensure that lawyers develop professional awareness and knowledge of privacy law by supporting participation in privacy law seminars and courses and encouraging ongoing education;
- communicate these findings to all lawyers and staff;
- review processes when representing clients on business transactions where personal information may be collected, used or disclosed and address any gaps that are identified;
- address, by way of an agreement, the anticipated use of personal information. The agreement must be in place before the exchange of information commences, and boilerplate language is not sufficient;
- review the processes and controls employed when material contracts or other filings are posted on SEDAR and address any gaps that are identified;
- consider what information is reasonable to satisfy the original purpose;
- destroy, erase or render anonymous information that is no longer required for an identified purpose or legal requirement; and
- destroy the information or return it to the disclosing party, if a business transaction does not proceed or is not completed.
In conclusion, it is important that privacy laws are respected in mergers and acquisitions. Counsel, including outside counsel, must take steps to ensure that personal privacy is protected in every business transaction.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.