Personal Information in Mergers – Where is Consent?
It's time to rethink two of the business exceptions to PIPEDA’s consent requirements: the consent exceptions for prospective and completed business transactions.
In its most recent Annual Report to Parliament, the Office of the Privacy Commissioner (OPC) highlights three recent consent-related investigations under the Personal Information Protection and Electronic Documents Act (PIPEDA). This reflects the role of consent as “the cornerstone of PIPEDA.” However, there are exceptions to PIPEDA’s consent requirements, two of which are the focus of this post: the consent exceptions for prospective and completed business transactions.
Business Transaction Exceptions
These exceptions, at subsections 7.2(1) and 7.2(2) of PIPEDA respectively, allow organizations to “use and disclose personal information without the knowledge or consent of the individual.” This use and disclosure is limited to what is necessary for the transaction or the relevant business activities, and the organizations must enter into an agreement regarding the use and security of the information. For completed transactions, the organizations must inform the individual about the disclosure of their information, and the acquiring organization must agree to give effect to any withdrawal of consent applications made under Schedule 1, 4.3.8 of PIPEDA. According to the definition of business transactions in 2(1), these provisions apply to acquisitions, divestitures, mergers, licensing, and certain financial arrangements. Both of the exceptions outlined above also remain unchanged at section 22 of Bill C-27, PIPEDA’s proposed replacement.
These provisions shield mergers and acquisitions that involve personal information from the need to secure consent from the individuals whose information is being transferred. While individuals must be notified and can withdraw consent, the transfer still takes place without consent, and these exceptions are therefore a departure from the important role of consent in PIPEDA. While other exceptions to consent exist for situations such as legal proceedings, investigations, journalism, and cases where collection is clearly in the interest of the individual, those exceptions generally serve individuals or the public interest, whereas the business transaction exceptions enable private transactions.
Although it does not appear to have received attention to date, prioritizing mergers and acquisitions over the principle of consent in PIPEDA merits scrutiny. Consumers or other individuals might choose to share their information with a given company based on its track record on privacy and security or its interpretation and implementation of PIPEDA requirements. They might also consider broader values such as the company's ethics or whether a company is local to their area. Making these choices is one of the few ways that consumers can influence companies, especially with regard to their privacy and security policies. PIPEDA’s business transaction exemptions undermine this source of consumer agency and market discipline by circumventing the principle of consent.
Lack of Attention from the Office of the Privacy Commissioner (OPC)
PIPEDA does limit the above exceptions through subsection 7.2(4), which stipulates that they do not apply to transactions whose “primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information.” However, the OPC unfortunately does not appear to have ever applied 7.2(4) to scrutinize a business transaction. Its scope therefore remains unclear and this issue does not seem to be a priority for the OPC. Instead, the primary example of the OPC assessing a business transaction comes from its investigation into Marriott International Inc., regarding a security breach affecting a database the company had acquired through its purchase of Starwood Hotels. The OPC is therefore alive to the transfer of personal information between business entities but has not yet focused on the consent implications of these transactions.
Possible Attention Through the Competition Act
Given that this consent issue arises mostly in the context of mergers and acquisitions, the merger review process of the Competition Act is relevant. Two recent examples illustrate this intersection well:
- the Rogers-Shaw merger, which one committee submission identified as a “‘big data’ deal” that would “put the personal data of 18.2 million Canadians…at stake,” and
- RBC’s recent acquisition of HSBC Bank Canada, which resulted in the data of over 780,000 customers being transferred.
These examples demonstrate the growing role that data is expected to play in competition policy, which is in turn reflected in the addition of consumer privacy as a factor for the Competition Bureau and Tribunal to consider when assessing the competitive impact of a merger. The OPC itself recognized and drew attention to exactly this privacy issue in its submission to the 2021 consultation on the Competition Act, which led to the 2022 amendments. However, while scrutinizing the competitive effects of data transfers is important, this process is not oriented towards the individuals whose information is being transferred without their consent.
Bringing in Consent
As data becomes increasingly important to businesses and as consumer information is treated as an asset that changes hands in business acquisitions, the privacy implications of mergers should receive more attention. Whereas the exceptions detailed above enable the tradability of personal information, if the principle of consent at the heart of PIPEDA’s privacy protections is to be preserved, this should be reconsidered. Legislative reform could reassess whether private transactions should trump the principle of consent, but in the meantime the OPC could make greater use of the tool available to it through subsection 7.2(4).