There has been no shortage of criticism of the Personal Information Protection and Electronic Documents Act (PIPEDA). Some say it is simply weird by incorporating an external standard (in this case the Canadian Standards Association Model Code for the Protection of Personal Information). Some say it is hard to follow because it is full of principles rather than rules. Others think it is unmanageable. Others say it is toothless.

One thing that most agree on is that there is an important aspect provision that was simply forgotten: there is nothing in the law that would allow the disclosure of a customer list either as a prelude to or in the course of a business acquisition. Theoretically, you can't disclose a customer list as part of due diligence, nor can you provide details of key employees (if the company in question is a federal work, undertaking or business) unless you have the consent of the individuals concerned.

One exception to the consent rule is that you can disclose personal information without consent if the disclosure is:

"7(3)(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;"

Some clever insolvency practitioners have taken advantage of paragraph 7(3)(c) in PIPEDA and the huge discretion given to judges under the Companies' Creditors Arrangement Act (CCCA) to deal with this problem when the anticipated acquisition is related to the court supervised sale of a business under the CCAA. A recent order of the Quebec Superior Court in Re Strategy First Inc. includes a reference to PIPEDA and gives the court's blessing to due diligence disclosure and post-closing disclosure of personal information:

"[44] ORDERS that, pursuant to subparagraph 7(3)(c) of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5, the Petitioner is permitted in the course of these proceedings to disclose personal information of identifiable individuals in its possession or control to stakeholders or prospective investors, financiers, buyers or strategic partners and to their advisers (individually, a 'Third Party'), to the extent desirable or required to negotiate and complete the Restructuring or the preparation and implementation of the Plan or a transaction in furtherance thereof, provided that the Persons to whom such personal information is disclosed enter into confidentiality agreements with the Petitioner binding them to maintain and protect the privacy of such information and to limit the use of such information to the extent necessary to complete the transaction or Restructuring then under negotiation. Upon the completion of the use of personal information for the limited purpose set out herein, the personal information shall be returned to the Petitioner or destroyed. In the event that a Third Party acquires personal information as part of the Restructuring or the preparation and implementation of the Plan or a transaction in furtherance thereof, such Third Party shall be entitled to continue to use the personal information in a manner which is in all material respects identical to the prior use of such personal information by the Petitioner;"

One additional aspect of interest is that the Order requires acquirors to use the personal information in the manner in which it was used by the original custodian.

Ok, one more interesting thing: The order was made by the Quebec court. Presumably, it was dealing with a Quebec company that is not a federal work, undertaking or business. But ... PIPEDA doesn't apply in Quebec to such companies, but I guess it doesn't hurt to throw it in.

Labels: information breaches, privacy