Lyndsay Wasser explains why privacy issues are gaining prominence in business transactions for Lexpert Magazine  

news & knowledge 

November 29, 2017


Any person who walks into a law firm to discuss a proposed merger or an acquisition may be startled to see a privacy lawyer at the table alongside the corporate team.

Indeed, a few years ago a privacy lawyer wouldn’t have been present, says Lyndsay Wasser, co-chair of McMillan LLP's privacy and data protection and cybersecurity groups. “Three years ago I don’t think most lawyers or most businesspeople even had this on their radar.” But now they must, and they do.

A potential buyer has the right to ask any question and look at any material that will help it accurately value the business and decide whether to greenlight a deal; but today, that must be balanced against privacy compliance. When the transaction involves a business-to-consumer company –– an online retailer, a dating site, a messaging app, or any company that collects its customers’ information –– the buyer must start by ensuring the target company has been onside with applicable privacy laws.

“You do that by asking for disclosure of things like their privacy policies and any documents related to their internal privacy-compliance program,” says Wasser. “You also want to have disclosure of any allegations of improper handling of personal information, or complaints, and anything to do with outsourcing of information. You want to look at outsourcing and contracts with service providers with whom the company shares personal information to make sure they have all the appropriate privacy provisions.”

Assuming the deal goes ahead, she says, the buyer should be asking for a representation and warranty that the organization is in compliance with privacy laws as well as with its own privacy policies, which should have been disclosed in due diligence, and any privacy and data-protection provisions in contracts with other parties.

That’s key, because the buyer’s obligation to respect the customers’ privacy doesn’t end after the deal closes, says Wasser, a Certified Information Privacy Professional in Canada.

“The privacy legislation has specific provisions in it that say you can only transfer information without consent of the individual –– and we’re talking about personal information –– to the extent it’s going to be used for the same purposes it was used for before the transaction happened. The purchaser can’t now use that information for a completely unrelated purpose that the individuals never agreed to without going back and getting their consent.”

*This article originally appeared in Lexpert titled “Privacy protections in the data room” on Nov.13, 2017.