Privacy legislation of general application has been in effect at both the federal level and at the provincial level in both British Columbia and Alberta since 2004 (similar legislation already existed in Quebec, and Nova Scotia enacted legislation in 2006). However, corporate clients and their advisors are often woefully unaware of the effect of such legislation on their operations, and this is particularly evident when it comes to the effect which privacy legislation has on mergers and acquisitions.

One of the first significant steps in completing a transaction of any significance is the undertaking of due diligence inquiries, as it is vitally important for a purchaser to carefully examine the business and activities of a target so that the risks associated with the transaction are understood and dealt with in an appropriate manner. In the context of privacy law, the due diligence process is intended to provide the purchaser with an understanding of the rights and obligations of the target with respect to the personal information which that target has collected, retained, used and disclosed as a part of its ongoing business operations.

After analyzing the nature and scope of privacy obligations imposed on the target under applicable privacy laws, and whether (and to what extent) the target has met those privacy obligations, the purchaser can then determine whether it is appropriate to complete a contemplated transaction, and if so, on what basis. For example, the purchaser can discover if there is a significant failure on the part of the target to live up to its privacy obligations (and therefore a significant risk to the business or assets of the target as a result of such failure), or the purchaser can identify and implement (if necessary) strategies to protect itself and the target from a failure to satisfy privacy obligations.

The scope of diligence inquiries that should be made in order to determine the level of compliance with privacy requirements by the target should be seriously considered at the outset of the transaction. There are a number of practical considerations which arise when determining the scope of privacy diligence inquiries that should be made prior to embarking on a transaction. Some of the key considerations which the purchaser and its advisors should evaluate are:

  • whether the transaction falls into an exemption in the privacy legislation;
  • what the proposed structure of the transaction is;
  • what the business model of the target is; and
  • the cost of diligence versus the certainty of the results.

Once the purchaser and its advisors have considered such key issues, they can then determine appropriate lines of inquiry to undertake in the diligence process. Some of the more significant lines of inquiry to follow would be:

  • whether there are currently, or have previously been, any complaints made under the target's privacy policy or to the applicable privacy commissioner;
  • whether the target is in compliance with the general requirements of the applicable privacy legislation;
  • whether the organization has a privacy policy and if so, its contents; and
  • what the specific information handling practices of the target are, and whether they are appropriate given the nature of the target's business.

Upon undertaking these lines of inquiry and evaluating the results against the requirements of applicable legislation and generally accepted good information handling practices, the purchaser, with the assistance of advisors, will be in a position to evaluate risk and develop strategies in order to minimize any significant risks. Part Two of this article will provide an overview of some of those strategies.