Compliance with Privacy Laws in Business Transactions

Author: Nancy J. Carroll
Pages: 403-419

A. INTRODUCTION

As comprehensive privacy legislation now applies to the private sector generally in Canada, compliance with privacy laws needs to be considered in any business transaction involving the disclosure or transfer of personal information. Privacy laws must be taken into account when a company sells its assets to another company and one of these assets is detailed personal information on customers. In both asset and share purchase transactions, if the vendor discloses personal information to potential purchasers during due diligence, privacy laws will apply. Privacy laws also need to be considered in securitization transactions where personal information may be transferred from the company that originally collected the personal information to the trust to which customer receivables are sold.

Outsourcing transactions, by which a company may arrange for a third-party service provider to perform certain business functions such as customer services, raise significant privacy law concerns. A company must ensure that it is complying with privacy laws when it gives its service providers access to personal information collected by the company. A company must also ensure that service providers comply with privacy laws in their use of personal information originally collected by the company.

Nancy J. Carroll, B.A. (Hons.), M.A., J.D., is a partner of McCarthy Tetrault LLP.

Privacy laws must be complied with in all transactions that involve the sharing of personal information, both within and outside corporate groups, for any purposes, including joint marketing programs, customer billing services, and data processing. Similarly, any disclosure of personal information in the context of joint ventures, co-branding, and other business arrangements, with both related and non-related parties, must comply with privacy laws.

B. APPLICATION OF PRIVACY LAWS

1) Federal Privacy Law

As of January 1, 2004, all businesses operating in Canada are required to comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) or substantially similar provincial legislation that regulates the collection, use, and disclosure of personal information.¹ This marks the completion of the three-year phase-in period for PIPEDA.

Banks, telecommunications companies, and other federal works and undertakings have been subject to PIPEDA since January 1, 2001. Businesses that disclose personal information outside of any particular province of Canada for consideration have also been subject to PIPEDA since January 1, 2001. Personal health information has been covered by the requirements of PIPEDA since January 1, 2002.

As of January 1, 2004, PIPEDA also applies to all provincially-regulated businesses engaged in the collection, use, or disclosure of personal information within provincial boundaries. The application of PIPEDA to provincially-regulated businesses is subject to the federal government's right to exempt from compliance with PIPEDA organizations operating in provinces that have passed "substantially similar" privacy legislation.²

2) Provincial Privacy Laws

Quebec has had private sector privacy legislation in place since 1993.³ The Quebec privacy legislation sets out detailed provisions that give effect to the information privacy rights set out in the Quebec Civil Code.

1 Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 30.
2 Ibid., s. 26(2)(b).
3 An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39.1.
