Modernization of the legal framework regarding personal information protection: What you need to know in connection with commercial transactions
When acquiring a business, the buyer and its advisers generally carry out due diligence and request the seller to disclose a great deal of information about the business it is selling and its activities.
Some of that information often contains “personal information”, i.e., information which relates to a natural person and allows that person to be identified. Such information may include information regarding the company’s employees, suppliers or customers.
Until recently, the target company had to obtain the consent of the person concerned by the personal information before disclosing any document containing such information to a buyer or its advisers. Otherwise, before making any disclosure, the seller had to conduct a comprehensive analysis of the information to be disclosed, identify any personal information contained therein, and take all necessary steps to avoid the disclosure of such information (redaction, anonymization, etc.).
The new legislation that comes into effect on September 22, 2022, will allow companies, in the context of a commercial transaction, to disclose personal information to the other party without the consent of the persons concerned by such information when it is deemed to be “necessary” for the conclusion of the transaction. However, all the conditions detailed below will have to be met for this exception to apply.
This new exception is set forth in An Act to modernize legislative provisions as regards the protection of personal information, which notably amends the Act respecting the protection of personal information in the private sector (“PPIPS”).
Exception to obtaining consent for commercial transactions
The new section 18.4 of the PPIPS sets out the conditions that will need to be met in order to benefit from this new exception:
- A prior agreement will have to be made between the parties to the transaction, including the person carrying on the business. This agreement will have to include the following undertakings from the party to whom the personal information is disclosed:
i) to use the information only for concluding the commercial transaction;
ii) not to communicate the information without the consent of the person concerned, unless authorized to do so by the PPIPS;
iii) to take the measures required to protect the confidentiality of the information; and
iv) to destroy the information if the commercial transaction is not concluded or if using the information is no longer necessary for concluding the commercial transaction.
- The disclosure of personal information must be “necessary” for concluding a commercial transaction.
Personal information will generally be considered “necessary” if its disclosure is required for the conclusion of the commercial transaction (the purpose being legitimate, significant and real) and if the resulting infringement of privacy is minimized (the proportionality test).
If any of the above conditions is missing, the consent of the person concerned will be required before any disclosure.
Once the transaction has been completed, if the buyer wishes to continue using or disclosing the personal information obtained as part of the commercial transaction, the buyer will have to notify the person or persons concerned, within a reasonable time, that it holds such information about them.
The buyer will also have to comply with all the PPIPS requirements on the use, disclosure and security of such information.
Although this article refers to the sale and acquisition of a business, we note that the new PPIPS exception also applies to the following commercial transactions:
- the alienation or leasing of all or part of a business or its assets;
- changes to the legal structure of a business by merger or otherwise; and
- the obtaining of a loan or any other form of financing by a business or a security taken to guarantee any of its obligations.
Takeaways for your next commercial transaction
Whether you are a seller or a buyer, make sure, as soon as possible in the purchase-sale process, that all the terms and conditions required for this exemption have been met and that they comply with the PPIPS requirements. Parties should keep in mind that a confidentiality and nondisclosure agreement is generally one of the first documents signed by parties entering into a commercial transaction.
Non-compliance with the PPIPS may lead to administrative monetary penalties or fines of varying amounts, depending on the nature of the offence. It should also be noted that executives, directors or any representatives of a business may also be liable for penalties in the event of non-compliance with the PPIPS.
FYI: several other areas directly related to businesses are also impacted by the new rules regarding the protection of personal information. For further information, we invite you to consult our articles “Protection of personal information: main takeaways one year later…” and “Protection of personal information: Three-year phased implementation after Bill 64 receives assent”.