The disclosure of information regarding current employees in transaction documents and schedules and the conducting of employee-related due diligence in M&A deals in Canada have been historically hampered by uncertainty in privacy legislation. But help is at hand.

The collection, use and disclosure of personal information in Canada is largely regulated by the federal Personal Information Protection and Electronic Documents Act (2000, c. 5) (“PIPEDA”). Recently proposed amendments to PIPEDA recommend important revisions to the consent requirements of the legislation, particularly where personal information is disclosed in the course of a business transaction.

PIPEDA establishes rules which govern the collection, use and disclosure of personal information. PIPEDA defines the term “personal information” to mean “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization”. It does not exempt the usual data that prospective purchasers are generally interested in: location, date of hire, age, salary, benefits, incentive compensation, direct reports and status of leaves, disability, etc. So disclosing such details traceable to a specific individual in a data room, real or virtual, would be an arguable breach of PIPEDA. Some contend that consent from the employee to limited disclosure of such data to prospective purchasers should be implied, because it is reasonable. However, the practice of companies disclosing such information in an electronic, password protected data room is likely informed by the fact that the chance of complaint is small, rather than any legal argument of implied consent.

PIPEDA applies to the commercial activities of companies carrying on business in a province unless a province has enacted substantially similar legislation. The provinces of Alberta, British Columbia and Québec have done so. The commercial activities of companies in the remaining Canadian provinces and all federally regulated businesses2 are subject to PIPEDA.

Under PIPEDA, the knowledge and consent of an individual is generally required for the collection, use and disclosure of personal information. Individuals are entitled to know the purposes for which their information will be used or disclosed. PIPEDA in its current form, does not contain any provision that specifically permits an organization to disclose personal information to a prospective purchaser of the business without the consent of employees. This is in stark contrast to the legislation in Alberta and British Columbia where the legislation specifically addresses this issue and provides for disclosure of personal information in the course of business transactions without the need to obtain express employee consent.

The practical reality of PIPEDA’s current requirements is that organizations engaged in transactions where personal information needs to be disclosed must carefully consider how to deal with the information in order to facilitate its disclosure appropriately and legitimately. Customary approaches have included disclosing only what is necessary, obtaining express employee consent (which can be problematic particularly if the transaction is confidential or sensitive in nature), redacting employee names to the extent possible (which can reduce the value of the information), or relying on implied consent to the disclosure.

The absence of provisions permitting the ability for disclosure without consent in PIPEDA was the subject of a report authored by the Standing Committee on Access to Information, Privacy and Ethics3 under the requirements of section 29 of PIPEDA which requires Parliament to review the legislation every five years. The Committee recommended that PIPEDA “be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction”. The recommendation further suggested that any such amendment be modeled on the Alberta Personal Information Protection Act and in conjunction with other enhancements recommended by the Privacy Commissioner of Canada.

This recommendation has been adopted and forms part of recently proposed amendments to PIPEDA. Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act, received first reading in the House of Commons on May 25, 2010.

The proposed amendments seek to facilitate the transfer of personal information during the course of the due diligence process in a business transaction. The proposed amendments specially define a “business transaction” to include the following:

  • the purchase, sale, acquisition or disposition of an organization or a portion of an organization or any of its assets;
  • the merger or amalgamation of two or more organizations;
  • the making of a loan or the provision of other financing to an organization or a portion of an organization;
  • the creating of a charge on, or the taking of a security interest in or a security on any assets or securities of an organization;
  • the lease or licensing of any of an organization’s assets; and
  • the arrangement between two or more organizations to conduct business activities other than the processing of personal information.

This broad definition will certainly help resolve any ambiguity as to the scope of PIPEDA and will narrow inquiries as to whether a particular transaction would constitute a “business transaction”.

The proposed amendments go on to provide that in the course of a business transaction, prospective parties to the transaction may “use and disclose personal information without the knowledge and consent of the individual” provided that the following occurs:

  1. that the parties have entered into an agreement that requires the organization that receives the personal information to use the information solely for the purpose of the transaction;
  2. that the parties agree to protect and safeguard the information in a manner appropriate to the sensitivity of the information; and
  3. if the transaction does not proceed, to destroy the information within a reasonable period of time.

Further, the personal information can only be disclosed where the information is necessary to determine whether to proceed with the transaction and if the determination is made to proceed with the transaction, to complete it.

The proposed amendments also contemplate what happens to the personal information upon successful completion of the transaction and requires that the parties whose information was disclosed without consent, be advised of that disclosure and the purpose of the disclosure post closing.

These amendments are a welcome and necessary change to current federal privacy legislation, which will have a significant impact on the ability of organizations to disclose information in the course of the due diligence process freely and to provide such information in transaction documents and schedules.