Getting Privacy Due Diligence Right

September 14, 2018 | Imran Ahmad

Increasingly, a key asset that organizations hold is the sensitive data they collect, use and retain about their customers, employees and suppliers. It is, therefore, no surprise that data security and privacy compliance have become a top-of-mind consideration for organizations not only in the context of day-to-day operations, but also in connection with transactions.

While the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) has been in place since 2000, the amendments made in 2015 through the enactment of the Digital Privacy Act were significant. Among other things, the Digital Privacy Act introduced an exemption that allows organizations to use personal information without the consent of the applicable individuals in the context of business transactions – commonly referred to as the “business transaction exemption”. Simply put, business transactions that require personal information can proceed without obtaining explicit consent from each individual.

The Genesis of the Business Transaction Exemption

Prior to the enactment of the business transaction exemption, businesses often had to jump through hoops that were unreasonable from a commercial standpoint in order to obtain consent from each individual. In the 2012 Ontario Superior Court decision Re Southlake Regional Health Centre Employees’ Credit Union Ltd., 2012 ONSC 2530, the Court expressed the need for the inclusion of a business transaction exemption under PIPEDA. Southlake Credit Union sought an exemption from the requirement to disclose the personal information of identifiable individuals to Energy Credit Union. The only information that would be disclosed was that which was necessary to complete the proposed transaction. While the Court ultimately granted the exemption, it also urged legislative changes that would permit such exemptions in the future so as to avoid unnecessary court applications.

What Business Transactions Are Exempt?

Broadly speaking, business transactions generally include the sale of a business, a merger, the making of a loan or the lease of a company’s assets. It is important to note that the exemptions for business transactions do not apply to a transaction that primarily involves the sale or lease of personal information.

There are four requirements that must be met to rely on the business transaction exemption:

  • There must be an agreement, in writing, to limit the use and disclosure of personal information to that essential to the proposed transaction;
  • Appropriate safeguards must be implemented to ensure the protection of the personal information;
  • All personal information must be returned or destroyed if the transaction does not proceed; and
  • In the event the transaction does proceed, reasonable notice must be provided to each individual whose personal information was subject to the exemption.

Roadmap to Compliance

To rely on the business transaction exemption, organizations should ensure that the following steps are implemented:

Understand the Privacy Implications of the Transaction. It is important for organizations to understand, within the context of the transaction, what personal information is affected and how and where it is kept. For example, in transactions where personal information is a key component of the organization’s assets, privacy concerns will play a more integral role in the overall structure of the deal. Therefore, understanding the nature and scope of both your business and the business of other parties to the transaction is essential to understanding and quantifying privacy concerns and obligations.

Establish a Privacy Strategy Team. Organizations should establish a privacy strategy team that can oversee all privacy and cybersecurity related matters. By working with other parties to the transaction, the Privacy Strategy Team can ensure that all employee contracts, confidentiality and non-disclosure agreements, employee policies and training, access to hardware and software, and all other issues are considered during the due diligence process.

Tailor the Due Diligence Process. When organizations are pursuing a new business transaction, it is imperative that they thoroughly research the history and current practices of the other businesses involved in the transaction to identify and control any potential liabilities.

Limit Use, Disclosure and Retention of Personal Information. While conducting due diligence, buyers should also seek to limit their use, disclosure and retention of personal information. The following actions can help to temper an organization’s use of personal information:

  • Keep detailed records for every new use of personal information;
  • Establish maximum and minimum retention periods for using personal information;
  • Dispose of personal information when appropriate and possible;
  • Carefully dispose of personal information to avoid privacy breaches; and
  • Check all hardware before disposal to ensure no personal information remains.

Use of Representations and Warranties. When structuring any business transaction, organizations should consider all future developments. In order to help protect against any future issues that may arise, organizations should consider including representations and warranties in the agreement. Possible representations and warranties may include:

  • Measures to ensure compliance with all applicable laws, policies and procedures;
  • Creating training procedures for all employees with regards to privacy, data security, responding to data breaches and compliance with Canada’s Anti-Spam Law (“CASL”);
  • Coordinating adequate data security and cybersecurity mechanisms and controls; and
  • Disclosure of any recent privacy, data security, cybersecurity or CASL breaches.

Post-Closing Considerations. Where relying on the business transaction exemption, following the closing of the business transaction, the organization must take appropriate steps if it wishes to continue using the personal information of individuals. In the post-closing phase, the organization must: (i) show that the personal information is required in order to carry on its business; and (ii) notify all individuals, within a reasonable time period, that the transaction has been completed and that their personal information has been disclosed.

Key Takeaways

It is safe to say that digital assets, especially those relating to personal information, will continue to be a major consideration in business transactions. The 2015 amendments to PIPEDA introduced the business transaction exemption to facilitate the necessary exchange of personal information between parties to a transaction. It is important for buyers to spend time planning the due diligence process to ensure that they comply with the requirements of the business transaction exemption and to ensure that the risk associated with the personal information (or the digital assets of other parties to the transaction) is mitigated.


This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.