Privacy rights overlooked in bankruptcies and insolvencies

Eight years after the federal government introduced legislation that applies to the collection, use and disclosure of personal information in the course of any private sector commercial activity, corporate lawyers pay little heed to privacy rights in bankruptcy and insolvency proceedings.

“Candidly, we on the insolvency side pay lip service to privacy,” acknowledged Kenneth Kraft, a partner with the financial services group at Heenan Blaikie, specializing in insolvency and finance. “It’s not something that we give much thought to.”

But that is likely to change. The recent uproar that led popular social-networking website Facebook to back down from changing its terms of service, which would have given the company exclusive rights to all user content even if a user decided to delete their account, highlighted growing consumer awareness over privacy rights. Coupled with the economic downturn that is widely expected to see a flood of bankruptcies and insolvencies, and privacy experts expect that there will be increased focus on what will be done with the personal information in the hands of bankrupt entities.

“Privacy is an important consideration in a bankruptcy and insolvency situation because the laws applicable to personal information continue to apply to the assets of the bankrupt company,” noted Mike Fekete, a partner in the Business Law Department practicing in the Technology Business Group at Osler. “As a result, the receiver and trustee in bankruptcy needs to be sensitive to restrictions on dispositions of assets which include personal information.”

The Bankruptcy and Insolvency Act (Act) is silent on the issue of privacy. However Canadian business and private sector organizations, including trustees in bankruptcy, receivers, agents and consultants in insolvency matters, are subject to privacy protection legislation governing both customer and employee information thanks to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) or by provincial legislation that is “substantially similar” to the federal statute as is the case in Alberta, British Columbia and Quebec.

Implemented in three stages, from January 1, 2001 to January 1, 2004, PIPEDA spells out detailed rules governing the management of personal information in the course of commercial activities. Under PIPEDA, informed consent by individuals is required for the collection, use and disclosure of their information. The purposes for which an organization collects, uses or discloses personal information must be reasonable and appropriate in the circumstances. Further, personal information can only be used for the purposes for which it was collected. If an organization will be using the information for another purpose, informed consent must be obtained again. Oversight of PIPEDA rests with the Privacy Commissioner of Canada, whose office investigates complaints and negotiates solutions with the parties involved.

“The view has generally been that you have got two competing federal regimes: the Act where the underlying job is to maximize value, and PIPEDA, which is a much more recent concept,” said Kraft. “Can privacy issues in any way impede maximizing value for creditors or recoveries in a situation whereby definition everyone is going to be losing money anyways? The two worlds really don’t speak to each other.”

While Canadian courts have yet to provide guidance that addressed the issue of which regime would “ultimately trump,” Kraft suspects that privacy rights will “lose out” as the individual’s right to protect the privacy of their information “has to bend in some situations.” Kraft notes that a Model of Receivership Order in Ontario contains a provision that entitles receivers to disclose personal information to prospective purchasers under the terms of appropriate confidentiality orders. Prospective buyers, however, are required to maintain confidentiality and to destroy or return to the receiver all information if the prospective purchaser does not complete the sale.

“The Courts try to achieve a balance by allowing the receiver to receive information that may otherwise be subject to privacy laws but it does put an obligation to maintain that privacy,” said Kraft.

He also points out that under s. 7(3)(c) of PIPEDA, disclosure without knowledge or consent can be executed to comply with a subpoena or warrant issued or an order made by a court.

Such orders have been approved by the courts in at least two insolvency proceedings – in the Bowring Gift Shops and The Bombay Furniture Company of Canada Inc., said Jeffrey Kaufman, a senior partner specializing in commercial litigation and privacy law at Fasken Martineau, who was involved in both cases.

“In Canada basically what the courts have done in the Bankruptcy and Insolvency Act context is agree on a court order on how personal information will be collected, used and disclosed in the context of those proceedings, and only for that transaction itself,” explained Kaufman.

But such orders have yet to address the issue of what happens when the key asset of the bankrupt entity is a customer database whose privacy policy failed to obtain informed consent from consumers, adds Kaufman. Eight years ago a case in the U.S. that pitted privacy concerns and the rights of creditors to realize value in an e-commerce insolvency had a chilling effect, even in Canada, on prospective purchases of customer data from insolvent estates., a Boston-based e-commerce retailer of educational toys that went on-line in 1998, amassed a large customer list. In its posted on-line policy, Toysmart pledged to maintain its customer privacy, stating that personal information would never shared with a third party. When it filed for Chapter 11 bankruptcy protection, it attempted to sell its customer database. But because the company’s privacy policy did not address the issue of sale of data, the database was destroyed.

“There haven’t been that many insolvencies where the main assets are customer information,” said Kaufman. “My guess is that because of Toysmart, if such a situation arises out of this present economic climate, the buyers and lawyers will try to figure out a way that they don’t ascribe much value to the personal information.

“But that can’t always be the case. In Toysmart, the customer database was the only asset. So the lesson to be learned from is that it may not be a valuable asset if you do not have appropriate consent. Obtaining informed consent makes it a valuable asset.”

Leave a Reply

Your email address will not be published.