The introduction of privacy legislation in Canada necessitates changes in the way that purchasers and their legal counsel approach business transactions and the focus of due diligence inquiries is moving from "what can we get?" to "what do we need?". However, privacy legislation should not be perceived as a bar to obtaining timely and useful information on a prospective target. Creative strategies for dealing with privacy-related matters, such as those outline below, can assist the purchaser in meeting its objectives and protecting its interests, while ensuring that the parties remain compliant with privacy legislation.
Part One of this Article, which dealt with conducting due diligence on privacy matters in connection with mergers and acquisitions, was published in the Fall 2007 issue of this Mergers & Acquisitions Brief. As discussed in Part One, once the due diligence inquiries have been undertaken, the purchaser and its advisors will be in a position to determine what strategies (if any) should be employed to deal with particular privacy issues which have been identified as a result of this process. The following is a list of strategies which may be employed. The first five strategies depend upon the particular circumstances of the transaction, and the last two are general strategies which may apply in every circumstance.
1. Narrowing of Information Requests and Deliveries.
It goes without saying that information being requested and delivered in connection with the diligence process (and which often makes its way into the acquisition agreement for any particular transaction in the form of representations and warranties) must be limited to information that is reasonably required for a specific purpose, and should not be more than that. It is in the best interests of the purchaser, the target and their respective advisors to ensure that information which is shared pursuant to an exemption in the Alberta or British Columbia privacy legislation (if applicable) meets the applicable requirements and limitations set forth therein. Therefore, careful consideration needs to be given to what information is actually required by the prospective purchaser and its advisors in order to make an informed decision about the risks associated with the target.
2. Aggregation or Anonymization of Information.
Wherever possible, it is appropriate for the parties to a transaction and their advisors to ensure that information which is shared be made anonymous or aggregated. It is particularly important to employ such a strategy in circumstances where the Personal Information Protection and Electronic Documents Act (Canada) applies, and obtaining consent to disclosure is not realistic. While anonymous or aggregated information loses the characteristics of "personal information", it can often be effectively used to evaluate risks associated with a prospective acquisition. Often the information of primary importance to the purchaser can be aggregated or made anonymous and still satisfy the particular needs of the purchaser.
3. Specific Consents.
Consideration should always be given to obtaining consents from particular individuals when the delivery of such individuals' personal information as part of the transaction is a significant priority (such as the case of key employees or those employees with claims against the target). However, the willingness or ability of the target to obtain such consents may often be tempered by the commercial sensitivity of the transaction and the willingness of the target (or the purchaser as the case may be) to have the transaction disclosed to third parties or to its employees generally. If commercial sensitivity is an issue, the use of a confidentiality agreement to accompany such consent may be appropriate.
4. Closing Obligation to Deliver Information.
It may be appropriate to deliver certain information (such as details of employment, etc. of employees forming part of a transaction) only on the closing of a transaction. In such circumstances, a specific clause in the acquisition agreement should spell out such an obligation.
5. Representations and Warranties.
The drafting of appropriate representations and warranties in the acquisition agreement will provide the purchaser with a mechanism for dealing with particular issues which might arise out of the due diligence process, and will also give the purchaser some additional comfort regarding the personal information handling practices of the target when a more thorough review of those practices through the due diligence process is inappropriate or unachievable.
6. Client Education.
It is incumbent upon counsel for the purchaser to ensure that the purchaser has a thorough understanding of the significant liabilities associated with failure to meet privacy compliance requirements and the intersectionality of those liabilities with the business model of the target and the purchaser. If the purchaser understands why a certain type of information is required, and what use it should be put to, it will be in a better position to evaluate the issues and come to an agreement with the vendor(s) of the target on what strategies should be implemented to deal with privacy issues which arise out of the due diligence process.
7. Risk Evaluation/Acceptance.
It is largely for the well-advised purchaser to undertake a risk assessment based on any particular issue which might have arisen as a result of the diligence inquiry process, and to determine how the issue is affected by applicable privacy legislation. For example, the risk to a purchaser arising from the lack of consent for the individuals in a target's customer contact database is significantly lessened in circumstances where the majority of such contacts are business contacts, but may be increased somewhat where the primary mode of communication is by email and the contacts are located in jurisdictions covered by Canadian federal privacy legislation.