M&A meets privacy law: A guide to compliance and risk mitigation

The article was originally published on the OBA Business Law Section’s articles page.

In today's digital age, privacy and cybersecurity are critical considerations in mergers and acquisitions (M&A) transactions. As Canadian businesses increasingly rely on data and technology, the risks associated with non-compliance with privacy laws have grown exponentially. Among all privacy considerations in a transaction, perhaps none is more consequential than the risk of a data breach. A breach can trigger regulatory notification and public disclosure requirements, fuel class actions, damage reputation, and result in regulatory fines. And it’s not just personal information at stake—among other things, data breaches can also compromise confidential business information, divulge intellectual property and other sensitive data, and even disrupt critical operations.

This article explores the current legal and regulatory landscape and addresses key considerations regarding privacy and data security in the context of M&A, highlighting the importance of due diligence, legal considerations, and best practices for Canadian lawyers and businesses – both pre- and post-closing. The importance of promptly addressing identified risks to ensure compliance and safeguard the business is also considered.

Legal and Regulatory Landscape

Evolution Toward Stricter Privacy Laws

Canadian privacy laws are undergoing significant reform, underscoring the importance of privacy due diligence in the transactional context. With Quebec leading the charge, ongoing overhauls to Canada’s privacy framework are introducing stricter compliance obligations and the prospect of significant financial penalties. Under Quebec’s Act to modernize legislative provisions as regards the protection of personal information (Law 25), organizations may face administrative monetary penalties of up to $10 million or 2% of worldwide turnover—whichever is greater—for certain violations. For more serious offences, penal fines can reach $25 million or 4% of worldwide turnover.

The Province of Alberta has also taken steps toward modernizing its private sector privacy law, the Personal Information Protection Act (PIPA). Following a comprehensive legislative review and public consultation process, the Standing Committee on Resource Stewardship submitted its final report to the Alberta Legislative Assembly. The report includes several recommendations aimed at aligning PIPA with global privacy standards and ensuring it continues to be recognized as “substantially similar” to federal law—a status that may prove to be critical should federal privacy reform efforts eventually proceed.

At the federal level, however, progress has stalled. Bill C-27, the Digital Charter Implementation Act, 2022, died on the order paper following the prorogation of Parliament on January 6, 2025. It remains to be seen whether privacy reform will be a legislative priority for the new Liberal federal government.

Growing Regulatory Scrutiny

Privacy and cybersecurity have become central concerns in transactional due diligence—particularly in the face of growing regulatory scrutiny. A clear example is PIPEDA Findings #2022-005 launch, published by the Office of the Privacy Commissioner of Canada (OPC) on September 29, 2022. This case involved a major data breach at Marriott International, Inc., a global hotel chain, in 2018, stemming from existing vulnerabilities in Starwood Hotels, a hospitality company Marriott acquired.

The breach originated in 2014, affected the acquired company’s customer database, and went undetected for four years—two of which were post-acquisition. Ultimately, up to 339 million records were stolen. The OPC’s investigation emphasized that Marriott, as purchaser, was responsible for the acquired entity’s network and data, including pre-existing vulnerabilities. The OPC found that, when acquiring systems or databases that handle personal information, organizations should ensure appropriate security safeguards, early—ideally before taking control, and certainly before integrating data into existing systems. Organizations should also perform various forms of testing to identify and, where needed, enhance those safeguards.  This case serves as a cautionary tale: regulators expect organizations to thoroughly investigate the privacy posture of acquisition targets. Failure to do so can result not only in reputational and operational consequences but also cross-jurisdictional regulatory penalties. In today’s environment, privacy is not a box to check—it is a material risk that must be proactively assessed and addressed.

Privacy Considerations in M&A

Before considering the implications of how evolving privacy and data protections laws impact M&A and how such impacts can be addressed through diligence, it is helpful to first consider how information can be effectively shared leading up to a deal.

Reliance on the Business Transaction Exemption

Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation in Alberta, British Columbia and Quebec, regulate how personal information is collected, used, and disclosed. Importantly, there is a "business transaction" exemption under PIPEDA which allows parties to a potential transaction to share personal information with one another without first obtaining consents, to the extent such information is necessary to evaluate a potential deal, and provided that specific safeguards are met.

Pre-Closing Obligations

Under the business transaction exemption, parties to a potential deal must enter into an agreement that includes commitments to:

• Use and disclose personal information solely for transaction-related purposes;
• Protect personal information with appropriate security measures; and
• Return or destroy personal information if the transaction does not proceed.

Post-Closing Considerations

After a transaction has closed, the purchaser must:

• Use personal information only for its originally collected purposes;
• Implement strong security measures to protect the data; and
• Ensure compliance with any applicable withdrawal of consent by individuals.

A common pitfall in M&A is that that these matters are frequently addressed via covenants in a purchase agreement; in other words, the obligations are not addressed until a transaction’s governing agreement is signed, despite that PIPEDA requires safeguards to be in place before any personal information is shared. To ensure compliance with PIPEDA, parties should negotiate and enter into a non-disclosure agreement prior to the sharing of any information dealing up to the negotiation of a deal.

Conducting Fulsome Privacy and Data Security Due Diligence

Once deal negotiations are underway, to mitigate a potential purchaser’s risks associated with privacy and cybersecurity breaches, purchasers should develop a robust due diligence strategy which incorporates both a comprehensive privacy assessment as well as appropriate data security review– such as network testing, security audits, and risk assessments. The findings of these investigations are essential in order to ensure proper protection and security of the assets being acquired.

Purchasers should request the following information from target companies:

• Copies of all applicable privacy and/or data security policies, including retention and destruction policies,  breach response plans and backup procedures;
• Details on the types of personal information collected, used, or disclosed by the target in the course of its business operations (outside of customary employee information and business/client contact information);
• Records of individual consent mechanisms and practices, including how consent is obtained, recorded, and managed across various processing activities;
• Privacy impact assessments (PIAs) or other risk assessments conducted in relation to new technologies, products, services, or data uses;
• Access controls ensuring that employees and independent contractors can only access personal information necessary for their roles, along with safeguards such as confidentiality agreements and regular privacy and security training;
• Third-party vendor agreements and data-sharing arrangements;
• Cross provincial or national border transfers of personal information;
• Records of privacy and cybersecurity audits, both internal and external;
• Information about past data breaches and remediation measures;
• Copies of cybersecurity insurance policies and past claims history; and
• Copies of policies for administering individual’s rights, including procedures for responding to access, correction, deletion, and other privacy rights requests.

Addressing and Mitigating Identified Risks

If a privacy or cybersecurity issue is discovered during the due diligence phase, how should a purchaser respond? This largely depends on the nature and extent of the identified concern and the purchaser’s risk appetite. Options include:

1. Renegotiate the deal terms

In most cases, privacy or cybersecurity deficiencies or breaches are not dealbreakers but may be addressed through some form of renegotiation of the deal terms. In addition to the privacy or cyber issues introducing new risks into the deal, there may also be a direct impact on cost, including remediation expenses, legal costs, and–although harder to quantify–reputational damage. These exposures can be dealt with in a variety of ways, including:

• Purchase Price Adjustment – The parties could renegotiate the purchase price of the business, reducing the valuation to account for estimated costs to remediate the identified risk, including costs related to breach response, regulatory fines, business disruption, and customer attrition.
• Holdbacks or Escrows – The agreement could be updated to contemplate either a holdback of the purchase price or an indemnity escrow, where funds are reserved for a fixed period of time post-closing and may be drawn down if any privacy and cybersecurity related liabilities arise.
• Additional Indemnities – The agreement could be revised to include a specific indemnity in favour of the purchaser, whereby the sellers would have indemnification obligations in connection with the identified issue (for example, remediation costs, penalties or litigation costs tied to pre-closing breach).
• Enhanced Representations and Warranties – In light of the identified deficiencies, in addition to any of the above-noted options, the purchaser may also require the seller to give more robust reps and warranties on privacy and data security matters, e.g., reps regarding known or suspected security breaches, compliance with data protection laws (PIPEDA, GDPR, etc.), and security controls and audit results. The purchaser would then be able to make a claim and seek recourse against the sellers in the event of a breach of any such rep.

2. Require Pre-Closing Remediation by the Sellers

In the event that it is difficult to assess the costs associated with an incident, or if the purchaser simply does not wish to assume responsibility for remediation efforts, the parties may opt to delay closing in order that the seller can effectively complete a formal incident response process, contain and remediate the breach, and subsequently confirm that all systems are secure and compliance and that there are no ongoing issues. Completing these remedial steps may entail engaging a cybersecurity firm to conduct an audit validate remediation steps, conduct vulnerability scans or penetration tests and make recommendations for subsequent actions.

3. Terminate the Deal

If the breach is egregious or indicates systemic security failures, the buyer may determine that the reputational, legal, or operational risks outweigh the value of the deal and may opt to walk away. If the issues are identified before the agreement is signed, this sort of voluntary withdrawal may be without significant complications. However, if the issues are identified post deal signing during an interim period, consideration will need to be given to the agreement’s termination provisions to see if the purchaser has any basis upon which to exit the deal.

Develop a Post-Closing Integration Plan

If any cyber or data privacy issues identified during diligence remain unresolved at closing, it is critical that the purchaser promptly address these risks. Regardless of whether issues were found, best post-closing practice is to isolate the acquired company’s systems from the purchaser’s and delay integration until a comprehensive risk assessment has been completed. Steps include:

• Conducting post-closing privacy and security assessments;
• Updating privacy policies, consent frameworks, data processing and retention policies to comply with laws and purchaser’s standard;
• Providing privacy and cybersecurity training for employees, particularly those handling sensitive data;
• Reviewing incident response plan and conduct a tabletop exercise;
• Updating policies and security measures to align with the purchaser’s standards;
• Performing penetration testing and vulnerability assessments;
• Ensuring compliance with all relevant privacy laws and industry standards; and
• Securing cyber insurance coverage.

Implementing a well-developed post-closing plan will mitigate any inherited risks in the target’s privacy and cybersecurity posture, and will help identify and address gaps before they escalate into data breaches, regulatory violations, or operational disruptions.

Conclusion

Acquiring a company can expose a purchaser to liability for past data breaches. Conducting thorough privacy and cybersecurity due diligence—and swiftly implementing post-closing improvements—can protect businesses from legal, financial, and reputational harm. By proactively addressing privacy risks, parties can ensure successful transactions while minimizing exposure to regulatory penalties and security threats.