OCTOBER 22, 2024

Implications of the Newly Proposed Canadian Consumer Privacy Protection Act on M&A Transactions

NIKOLAI SOSA REBELO *

Privacy law has gained traction all over the world in the last few decades due to the digitalization of global society. In 2022, 100 trillion gigabytes of data were produced and consumed, and this amount is expected to double by 2025, according to the Financial Times. Global Data projected a market size of data and analytics by 2027 of US$ 184.53 billion, which means that data is a tradable asset, as information allows businesses to predict and influence consumer behaviour. In this context, merger and acquisition transactions (“M&A”) usually involve the transfer of critical information as assets of the businesses being sold, and they are directly affected by privacy laws.

Compared to Canada, other jurisdictions have enacted more stringent laws than the current Canadian legislation, especially the Personal Information Protection and Electronic Documents Act (“PIPEDA”), requiring Canada to update its standards in order to continue to allow data mobility across borders, because countries may impose limitations on data transfers to jurisdictions without a similar level of protection. It is noteworthy that the EU Commission only recently renewed Canada’s “adequacy status” based on PIPEDA, but subject to close monitoring of future legislative developments. In this context, Bill C-27 proposes three new Canadian statutes: the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. The focus of this article is the CPPA, which would replace PIPEDA. The newly proposed law is a general privacy law, but it will also impact M&A transactions if it becomes law.

Sharing information in M&A negotiations under PIPEDA

M&A usually involves the transfer of important information as assets of the businesses being sold. These include clients’ lists/books of business, users of a digital platform, lists of employees, lists of service providers and so on. In this sense, regulation needs to take into consideration the interests of those individuals whose personal information is collected daily by various technologies. The central idea is that the business should seek informed consent from the individual to collect, use, disclose or transfer their personal information, or rely on specific rules where consent is not required. Privacy laws have the difficult task of balancing individual protections and business efficiency.

M&A relates to the acquisition, sale and combination of businesses that may adopt different forms of agreements, depending on the objectives of the parties (share purchases, asset purchases, amalgamation, joint ventures and other legal arrangements). Under PIPEDA, M&A is captured by the definition of “business transactions”, which is not altered by Bill C-27. Under PIPEDA, sharing personal information in the context of a business transaction is an exception to the consent requirement. The seller of a business is not required to seek the consent of the individual for sharing their personal information with a prospective buyer under section 7.2, provided that the parties comply with the following requirements:

  • Parties have entered into an agreement by which the receiving party is required to:
    • Only use and disclose personal information in connection with the transaction;
    • Protect personal information with security safeguards appropriate to the sensitivity of the information received; and
    • Return personal information in case the transaction does not proceed.
  • Personal information is necessary to:
    • decide whether or not to proceed with the transaction; and
    • if the choice is to proceed, to complete the transaction.
  • Comply with the agreements.


In theory, PIPEDA protects individuals from unauthorized use of their information in this context, as the sharing of information is allowed for the limited purpose of evaluating a prospective transaction. PIPEDA also requires that such data be protected with appropriate safeguards.

However, the current legal framework may not create enough incentives for companies to comply with these obligations, as the penalties are significantly lower than those provided in the laws of other jurisdictions, and the administrative regulatory authority lacks sufficient enforcement power. For these reasons, Parliament is proposing changes in these rules.

Sharing information in M&A negotiations under CPPA

CPPA will create additional requirements for disclosing information to a prospective acquirer of a business. The first additional requirement is the de-identification of the personal information being shared by the seller to the buyer.

The defined term “de-identification” was added in the CPPA, as there is no equivalent definition under PIPEDA. The CPPA expressly states that “de-identification” and “anonymization” are different creatures. Even under the current framework, the Office of the Privacy Commissioner of Canada clarified that de-identified personal information was not anonymous information and, thus, subject to PIPEDA. The CPPA (as does PIPEDA) will not apply to anonymized information, which means that there is no need to fulfill all the obligations of the privacy law if the information is anonymized. For these reasons, the anonymization procedure should make it more difficult to re-identify a person than de-identification.

The requirement for anonymization under CPPA will be increased. Under PIPEDA, as decided in Gordon v. Canada (Health), the test to determine whether the information is about an identifiable individual was the “serious possibility” test, in the sense that it is possible to identify an individual based on the information alone or in combination with other information that is available. If the CPPA becomes law, the express definition of anonymization will impose a permanent and irreversible modification, ensuring that re-identification is impossible, which technically may be unachievable in some cases. The essential difference is that anonymization is irreversible and permanent (Section 2(1), CPPA).

Regardless of such discussion about new definitions, in the context of an M&A transaction, mere de-identification of the personal information will suffice to allow parties to share information without the disclosing party being obliged to seek the individuals’ consent, provided the other requirements are equally met. This offers greater protection to individuals against unauthorized use of their personal information than what is provided in PIPEDA.

However, Subsection 22(2) of the CPPA contains an exception to the de-identification requirement if it would prevent the parties from achieving the intended objectives of the transaction, provided that the disclosing party has taken into consideration the risks of disclosure to affected individuals. It is not clear when the exception will apply nor what factors should be considered in order to fall into this exception, but it will be very fact-dependent and must be assessed on a case-by-case basis.

Also, under CPPA, the party receiving personal information in the M&A negotiation needs to agree to have “proportionate” safeguards, which is a change in the wording of PIPEDA that used the term “appropriate safeguards”. It appears that it is not a change in law as the current principle 7 (Safeguards), s. 4.7.2 of PIPEDA explains that the appropriate safeguard will vary, requiring higher levels of security as the information becomes more sensitive. Thus, the change in wording better reflects the explanation of Principle 4.7.2 of PIPEDA. However, one may question whether the law is changing or not in this regard, as “appropriate” and “proportionate” have different meanings. In the Cambridge Dictionary, “appropriate” is defined as “suitable or right for a particular situation or occasion”, while, regarding the meaning of “proportionate”, it explains that “[i]f two amounts are proportionate, they change at the same rate so that the relationship between them does not change”.

If the transaction does not proceed, the CPPA also requires the prospective buyer to eliminate or return the information they received. The CPPA replaces the word “destroy” used by PIPEDA with “dispose”. This is not a change in law, as the CPPA preferred to create an express definition for “dispose”, while PIPEDA was silent. PIPEDA was less consistent with defined terms as compared to the CPPA, which helps to make the statute more precise. Under Section 2(1) of the CPPA, “dispose means to permanently and irreversibly delete personal information or to anonymize it.”

Thus, if the parties decide not to proceed with a prospective business transaction, then the receiving party must return or “dispose” of the personal information by either deleting or anonymizing it.

Due Diligence, Reps and Warranties and Indemnities

The risk of huge fines if organizations are in breach of the data privacy legislation will be a big motivation to comply with the law and encourage prospective buyers to emphasize their due diligence on data privacy. Similar to the General Data Protection Regulation (GDPR) in Europe, CPPA will impose a penalty that is based on the revenues of the business. The monetary administrative penalty can reach up to $10,000,000 or 3% of the organization’s gross global revenue in the preceding financial year, whichever is higher (subsection 95(4) of CPPA). Moreover, the business is subject to criminal liability and fines not exceeding the higher of $20,000,000 and 4% of the organization’s gross global revenue in the previous year, pursuant to the contraventions provided in section 128 of CPPA (a big increase from PIPEDA, which is limited to $100,000). Also, the violation of the CPPA is a cause of action, allowing the data subjects to sue for damages under section 107 of the CPPA.

The new rules will increase the exposure to financial liabilities when a company acquires another that is not compliant with privacy laws. In terms of indemnities for liabilities arising from data breaches, it is noteworthy that a breach can start before and continue after the closing of a transaction, being discovered only later when the business is under the control of the buyer. Responsibility under the law will fall on the buyer. This was the case in Report of Findings #2022-005, where Marriott International, Inc. bought Starwood Hotels.

Thus, the proposed law is expected to promote the negotiation of specific representations and warranties, as well as indemnification clauses, in the purchase agreement regarding compliance with data protection laws and incidents involving data breaches. It will also encourage prospective sellers to abide by the legislation to avoid losing value in the eyes of a prospective buyer.

Conclusion

Bill C-27 still has a long road to go before it becomes law (it remains at the Committee stage of the parliamentary process, for now), but the rapid changes in data processing technologies will require the law to keep up to date with developments in other jurisdictions.

In terms of M&A transactions, the law will impact how the parties negotiate the terms of purchase and sale agreements to reflect potential liabilities for non-compliance with the new legislation. However, some parts of the law will be further clarified by interpretation from administrative authorities and case law.

Nikolai Sosa Rebelo is a corporate lawyer admitted to practice in Brazil and New York, certified in Canada by the National Committee of Accreditation, and holds an LL.M. from U.C. Berkeley (2016).

Copyright © 2025 Brazil Canada Bar Association. All rights reserved.