This article was provided by Stikeman Elliott LLP
The tightening of privacy and data protection compliance obligations in Canada and the United States has led to increasingly comprehensive “data security and privacy” representations and warranties in purchase agreements, as well as to a “privacy covenant” (also sometimes dubbed “transferred personal information”) in transactions involving the exchange of personal information about Canadian data subjects. This privacy covenant reflects the requirements imposed by Canada’s 4 private sector privacy laws[1] according to which parties to a business transaction may exchange personal information for the purposes of conducting due diligence and concluding a transaction without the consent of the relevant data subjects (the “Business Transaction Exemption” or “BTE”). The parties, however, must first agree to certain undertakings both pre- and post-closing. The paragraphs that follow review these undertakings and discuss the appropriate use of the BTE.
The undertakings
Although each of Canada’s Private Sector Privacy Laws is slightly different when it comes to the BTE, they all impose similar pre- and post-closing duties on parties to a business transaction[2].
Pre-closing
Taking PIPEDA as an example, the BTE allows parties to use and disclose personal information without the consent of the relevant data subjects, provided:
1. the parties have entered into an agreement to: (i) use and disclose the personal information solely for the purposes related to the transaction; (ii) protect the personal information with measures appropriate to its sensitivity; and (iii) destroy or return the personal information to the party that disclosed it if the transaction does not proceed; and
2. the personal information is necessary (i) to proceed with the transaction; and (ii) if the decision is made to proceed with the transaction, to close it.
Post-closing
Again, according to PIPEDA, once a business transaction closes, the parties may continue to use and disclose the personal information without the consent of the relevant data subjects, provided:
1. the parties have entered into an agreement to: (i) use and disclose the personal information under their control for the same purposes for which it was originally collected, used, and disclosed; (ii) protect the personal information with measures appropriate to its sensitivity; and (iii) give effect to any data subject’s withdrawal of consent;
2. the personal information is necessary to carry on the business or activities that were the object of the transaction; and
3. one of the parties informs the relevant data subjects within a reasonable time that the transaction was completed and the personal information disclosed.
Documenting the BTE undertakings
Logically, the BTE pre-closing undertakings should appear in a pre-transaction non-disclosure agreement, not a purchase agreement. First, the undertakings are similar to those agreed to by the parties to protect confidential information, except for the carve-out for information that is already public, as this exception does not always apply to personal information in Canada. Second, language whereby the parties agree to protect personal information for the purposes of evaluating and concluding a transaction is nonsensical in a purchase agreement. By the time the parties have agreed to the terms of the transaction and reflected these in a formal agreement, the personal information has already been used and disclosed.
While in most M&A transactions it will be necessary for the parties to rely on the pre-closing BTE for the purposes of conducting due diligence and integration planning, the BTE post-closing undertakings are generally only relevant in the context of an asset deal. In a share transaction, personal information, like any asset, remains with the same entity. Only the ownership structure changes. As such, once the share transaction has closed, the personal information has not been communicated to or used by a third party. The BTE post-closing undertakings are therefore not required in a share purchase agreement but should generally be included in asset purchase agreements involving the sale of Canadian businesses.
Conclusion
The BTE allows for the use and disclosure of personal information by parties to a business transaction without the consent of the appropriate data subjects, provided the parties agree to certain undertakings. For the BTE to be effective, however, the relevant pre- and, if applicable, post-closing undertakings must be agreed to at the appropriate stage in a transaction and reflect the nature of the transaction.
Danielle Miller Olofsson is a senior associate in the Corporate Group. Her practice focuses on all matters relating to privacy, data protection, and cyber security. Danielle advises clients on compliance requirements and cyber security best practices. She frequently acts as a breach coach to clients that have been the object of cyberattacks and other malevolent activities affecting their data and personal information. Having practiced law in Europe, Danielle is also called to advise on the increasingly complex requirements surrounding international data transfers and multi-jurisdictional data incidents.
***
Trevor Rowles is counsel in the Corporate Group in the Montréal office and has overall responsibility for the firm’s national M&A knowledge management program. In his corporate practice, Trevor advises clients on a wide range of complex M&A and corporate matters, including contract, transactional, governance and drafting issues, and has developed significant expertise in advising private equity investors and their portfolio companies as well as structuring and implementing transactions for private and public companies. Trevor also supports the firm’s M&A practice group across all offices and is frequently called upon to assist with novel or complex transaction issues.
[1] The Alberta Personal Information Protection Act (“Alberta PIPA”), the British Columbia Personal Information Protection Act (“BC PIPA”), the Quebec Act respecting the protection of personal information in the private sector (“PPIPS”), and the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) (together “Canada’s Private Sector Privacy Laws”).
[2] PIPEDA defines a business transaction to include: (a) the purchase, sale or other acquisition or disposition of an organization or a part of an organization, or any of its assets; (b) the merger or amalgamation of two or more organizations; (c) the making of a loan or provision of other financing to an organization or a part of an organization; (d) the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization; (e) the lease or licensing of any of an organization’s assets; and (f) any other prescribed arrangement between two or more organizations to conduct a business activity.