On June 18th the Digital Privacy Act (Bill S-4) received Royal Assent. This new law provides long overdue amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). The Digital Privacy Act amends a wide range of PIPEDA provisions from consent to the expansion of the Commissioner’s powers. Easily overlooked in the sweeping amendments are important changes to the consent rules surrounding prospective business transactions. In short, the new rules allow companies to share personal information in prospective business transactions without first obtaining the consent of the persons whom the information is about.
In PIPEDA’s pre-amendment form, personal information could only be used for the purpose which it was collected for. If companies wanted to use Personal Information for any other purposes, they had to get the consent of the individual to whom the information was about. While there were limited exceptions to this general consent rule, none specifically applied to mergers or acquisitions. Consequently, if an acquisition or merger was to take place, the Personal Information held by each company could not be shared with the other unless there was express consent. This complicated due-diligence reviews, and could sometimes even stonewall deals. Over the years, companies learned to place pre-emptive consent clauses in their privacy policies to allow the sharing of Personal Information during due-diligence and subsequent transfer when the deal closed.
The Digital Privacy Act has simplified the process by eliminating the need for pre-emptive clauses or seeking consent from clients in certain business transactions, provided the parties ensure the data is safe and returned to the original party when no longer needed. There are two changes that specifically streamline the process in M&A situations. First, section 7 of PIPEDA has been amended to add 7.2 – 7.4. These sections exempt companies from needing to attain client consent when sharing Personal Information in a business transaction. Second, subsection 2(1) of PIPEDA has been amended to include a definition of a “business transaction”:
- the purchase, sale or other acquisition or disposition of an organization or a part of an organization, or any of its assets;
- the merger or amalgamation of two or more organizations;
- the making of a loan or provision of other financing to an organization or a part of an organization;
- the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;
- the lease or licensing of any of an organization’s assets; and
- any other prescribed arrangement between two or more organizations to conduct a business activity.
While these changes seem small they are a welcome improvement to PIPEDA, they streamline the M&A process and remove one of the many challenges businesses encounter on the way to a successful deal.
The author would like to thank Andrew Bigioni, articling student, for his assistance in preparing this legal update.