M&A transactions under Pipa
Mergers and business acquisitions are among the many different types of business transactions that require the disclosure and use of personal information between the prospective parties.
The types of personal information that may be necessary to disclose for due diligence, valuation and integration planning purposes may include customer information, employee information — including employment agreements — obligations or liabilities owed to individual third parties, and other human resource records, including dispute resolution files.
Normally, the initial stages of any M&A discussion between the parties will begin with, and will be governed by, some sort of commencement agreement.
That may be as simple as a confidentiality or non-disclosure agreement, or it may take the form of an exclusivity agreement, a terms sheet or a binding memorandum of understanding.
Regardless of form, the kick-off agreement for an M&A transaction will usually have three features that are directly related to the necessary disclosure of personal information: it recognises the proprietary and confidential nature of all provided information; it provides that such information can be used only for the sole purpose of the transaction; and it provides that, if the transaction does not proceed, all such information must, without qualification, either be destroyed or returned to the disclosing party.
Those preliminary engagement norms for M&A transactions are well addressed by the Personal Information Protection Act 2016, which came into force on January 1, to ensure that any personal information that is necessary for an M&A transaction can, based on certain conditions, be shared between the parties without the consent of the subject individuals.
In that regard, section 46 of Pipa provides that an organisation may, both leading up to the transaction and for its completion, use personal information for the purposes of a business transaction without the consent of the individuals, where the parties have an agreement that restricts such use for the purposes of the transaction and otherwise only for the purpose for which it was originally collected, and if the transaction does not proceed, all such information must either be destroyed or returned to the disclosing party.
Therefore, any contractual qualification to Pipa’s required agreement provisions (for example, one that may allow disclosed personal information to not be destroyed or returned, and to be held by the recipient for reasons other than for the business transaction) may not permit any personal information to be shared with the other party to the transaction.
Pipa also provides an additional disclosure condition whereby the disclosing party must determine that such a disclosure is necessary for the proposed M&A transaction to be considered, proceeded with, or to be completed. Such determinations can be internally documented by either an executive of the disclosing party or by its privacy officer.
Should the disclosing party to the M&A transaction wish to secure the consent of any subject individuals for any purpose beyond the M&A transaction, Pipa provides that “…nothing in this section (restricts) a party to a business transaction from obtaining the consent of a person to (use) personal information… for purposes beyond the purposes for which the party obtained the personal information”.
It is interesting to note that the business transaction allowances in Pipa do not apply where the primary purpose, objective or result of the proposed transaction is “the purchase, sale, lease, transfer, disposal or disclosure of personal information”. However, even though Pipa only applies to “every organisation that uses personal information in Bermuda”, the words “purchase”, “sale”, and “lease” are not included in Pipa’s definition of “use”.
Parties to an M&A transaction must also consider whether any personal information that is being disclosed for the purpose of that transaction is being transferred to an overseas third party.
If so, then at least one of the export allowance options of section 15 of Pipa must be met before any such export from Bermuda is permitted. That is also true where the due diligence “data room” is located outside of Bermuda.
Those engaging in M&A transactions should ensure that their preliminary engagement agreements include the above noted provisions to allow the disclosure of personal information for the proposed transaction.
Standard form M&A engagement agreements, including NDAs, may need to be reviewed and updated to reflect Pipa’s grounds to allow such transactional use and possibly export from Bermuda.
Further, all merged or amalgamated entities that use personal information in Bermuda should ensure that the data protection policies and procedures for the combined organisation are revised for consistency, particularly with regard to the combined organisation’s compliance “measures and policies” and privacy notices.
The implications of Pipa for the use of personal information will have to be considered at each step along all M&A transactions.
• Duncan Card is a partner at Appleby who specialises in IT and outsourcing contracts, privacy law and cybersecurity compliance in Bermuda. Karim Creary is an associate in the firm’s corporate practice. A copy of this column can be obtained on the Appleby website at www.applebyglobal.com. This column should not be used as a substitute for professional legal advice. Before proceeding with any matters discussed here, persons are advised to consult with a lawyer.