Disclosure of Personal Information in Connection with Business Transactions

Subject to certain limited exceptions, federal and provincial privacy legislation in Canada requires the consent of the relevant individual prior to disclosing the individual’s personal information. This may leave organizations wondering what their options are for disclosing personal information in the context of a commercial transaction to ensure that the organization doesn’t fall offside in terms of the legislative requirements.

Some organizations may attempt to rely on provisions in the organization’s privacy policy or other pre-existing agreements that allow for disclosure in connection with a commercial transaction. Alternatively, organizations may opt to obtain express consent from each individual at the time the transaction arises or when due diligence requests are made. However, this can create a significant hurdle for some organizations. In particular, for organizations with a large number of customers, contractors and employees, obtaining the required consent from these individuals may not be feasible.

If an organization has not or cannot obtain prior consent, it may be able to rely on one or more “business transaction” exceptions, which allow the organization to disclose personal information to a third party without obtaining consent, if certain conditions are met. Under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), transactions where the exemption is available include: the purchase or sale of an organization or its assets; the merger or amalgamation of two or more organizations; the provision of loans or other financing; the creation of a charge or security interest on the assets of an organization, the lease or licence of any assets of an organization; or any other prescribed arrangement. Organizations should note that the business transaction exemption is not available where the purpose of the transaction is the acquisition or disposal of the personal information itself.

Prior to using and disclosing the personal information, the parties must enter into an agreement where each party agrees to:

  1. use and disclose the personal information solely for purposes related to the transaction;
  2. protect the personal information with appropriate safeguards; and
  3. return or destroy the personal information if the transaction does not proceed.

The business transaction exemption is only available in circumstances where the disclosure is necessary to determine whether to proceed with the transaction and, if the determination is made to proceed, to complete it. The parties should reflect this mutual purpose in the previously referenced agreement, and the disclosing organization should assess any personal information requests made by the third party to confirm that disclosure is truly necessary, as mandated by the exemption requirements.

One common error that organizations often make is to add contractual clauses related to personal information disclosure to a purchase or other definitive agreement that only comes into effect upon closing of the transaction. This is inadequate, as the exemption requires that the parties enter into the agreement prior to disclosing any information, such as in a data room or otherwise during the due diligence phase of the transaction. Instead, the parties must include the required contractual clauses in a non-disclosure agreement, letter of intent or other pre-diligence contract. This will ensure that no personal information is disclosed prior to the requirements of the exemption being met.

Provincial legislation, including the Personal Information Protection Act (British Columbia) and the Personal Information Protection Act (Alberta), each contain similar exemptions in the context of business transactions. Additionally, changes to Quebec’s private sector privacy act that will come into force on September 22, 2023, will create a similar business transaction exception to bring the legislation in line with the exceptions found in other Canadian jurisdictions.