Debt portfolio transactions necessarily involve the transfer of personal information. Names, addresses, account balances, payment histories, and default dates are all part of the data that moves from seller to buyer during a portfolio sale. In Canada, this transfer is governed primarily by the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private-sector privacy statute.1 Sellers and buyers in the secondary debt market need to understand how PIPEDA applies to these transactions to maintain compliance and avoid regulatory risk.

This article examines the key privacy considerations that arise when personal information is disclosed and transferred as part of a Canadian debt portfolio sale.

PIPEDA and the Transfer of Personal Information

PIPEDA establishes rules for how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. Its ten fair information principles, drawn from the Canadian Standards Association's Model Code, require organizations to obtain consent for the collection, use, and disclosure of personal information, to limit collection to what is necessary, and to protect the information with appropriate safeguards.

In the context of a portfolio sale, the most relevant provisions are those governing disclosure. PIPEDA generally requires consent before an organization discloses personal information. However, the Act includes several exceptions that are directly relevant to business transactions involving the sale of receivables.

Section 7.2 of PIPEDA addresses the disclosure of personal information in connection with prospective business transactions. This provision allows an organization to disclose personal information without the individual's knowledge or consent if the disclosure is necessary to determine whether to proceed with the transaction and the information is necessary for that purpose. The disclosing organization must enter into an agreement with the receiving party requiring that the information be used solely for purposes related to the transaction and be protected by appropriate safeguards.

At the due diligence stage, this means a seller can share a data tape with a prospective buyer who has signed a non-disclosure agreement, without needing to contact each individual debtor for permission. At closing, the full transfer of account data is similarly permitted, provided the purchase and sale agreement includes appropriate data protection covenants.

If the transaction does not proceed, the prospective buyer must return or destroy the personal information it received. This obligation should be explicitly stated in the NDA or letter of intent.

One important limit applies here. Section 7.2(4) provides that the business transaction exception does not apply where the primary purpose or result of the transaction is the purchase, sale, or lease of personal information itself. A debt portfolio sale is a sale of receivables, not a sale of personal information, and the distinction matters. The personal information is incidental to the accounts being transferred, not the object of the transaction. Sellers and buyers should structure their agreements to reflect this reality: the purchase price relates to the receivables, the data tape supports the transfer, and the personal information is handled as a necessary component of the business asset, not as a standalone commodity.

After the transaction closes, one of the parties must notify affected individuals within a reasonable time that the transaction was completed and that their personal information was disclosed under s. 7.2. This post-close notice requirement under s. 7.2(2) is frequently overlooked in portfolio sales. The buyer typically handles this through its initial collection contact or account-transfer notice, but the obligation should be addressed explicitly in the purchase and sale agreement to ensure it is not missed.

Beyond PIPEDA's statutory provisions, most consumer credit agreements provide an independent legal basis for disclosing borrower information during a portfolio sale. Standard credit agreement language typically includes clauses that authorize the creditor to assign or sell the account and to disclose personal information to the purchaser, assignee, or any party involved in the transaction.

These contractual consent clauses serve two functions. First, they establish that the borrower consented at the time of account origination to the potential transfer of their information in connection with an assignment or sale. Second, they reinforce the creditor's position under PIPEDA by demonstrating that meaningful consent was obtained.

Sellers should review their standard credit agreements before entering the market to confirm that adequate assignment and disclosure language is present. Where the agreements are silent on assignment or disclosure, the seller may need to rely more heavily on PIPEDA's business transaction provisions. Those provisions are generally sufficient, but explicit contractual consent provides additional certainty and reduces the risk of a challenge from a debtor or a provincial privacy commissioner.

For portfolios that include accounts originated by a third party, such as accounts the seller previously acquired from another creditor, the seller should verify that each prior agreement in the chain of title contained appropriate consent language. A gap in the consent chain does not necessarily prevent the sale, but it increases the compliance risk and may require additional analysis.

Data Minimization and Security Obligations

PIPEDA's principle of limiting collection requires organizations to collect only the personal information that is necessary for the identified purposes. This principle extends to disclosure: a seller should share only the information the buyer needs to evaluate and service the accounts.

In practice, data minimization means the data tape should include account-level information that is directly relevant to the transaction: debtor name, address, account number, original balance, charge-off balance, charge-off date, last payment date, payment history, and account status. It should not include information that serves no purpose in the buyer's evaluation or servicing, such as medical information, social insurance numbers (unless required for specific tax reporting obligations), or detailed personal notes unrelated to the account.

Both parties also bear security obligations under PIPEDA. The seller must protect the data tape during distribution, typically by using encrypted file transfer methods and restricting access to authorized personnel at qualified buyers who have signed confidentiality agreements. The buyer, upon receiving the data, must implement safeguards appropriate to the sensitivity of the information, including access controls, encryption at rest, and secure storage.

The purchase and sale agreement should include representations from the buyer regarding its data security practices and ongoing compliance obligations. Many institutional sellers require buyers to demonstrate that they maintain a formal privacy and data security program, including documented policies, employee training, and incident response procedures.

In the event of a data breach involving the transferred personal information, PIPEDA's mandatory breach notification provisions apply. The party that experiences the breach must report it to the Privacy Commissioner of Canada and notify affected individuals if there is a real risk of significant harm. Both parties should address breach notification responsibilities in the purchase and sale agreement to avoid confusion about obligations after closing.

Provincial Privacy Legislation Overlap

Three provinces have enacted their own private-sector privacy legislation, which complicates the Canadian privacy environment: Quebec (the Act Respecting the Protection of Personal Information in the Private Sector, recently modernized as Law 25), Alberta (the Personal Information Protection Act), and British Columbia (the Personal Information Protection Act). The federal government has deemed each of these statutes "substantially similar" to PIPEDA, which means the provincial law applies to commercial activities within those provinces instead of PIPEDA.

For debt portfolio sales, this creates a layered compliance environment. A portfolio that includes accounts with debtors in Ontario, Quebec, and Alberta may be subject to PIPEDA for the Ontario accounts, Quebec's privacy law for the Quebec accounts, and PIPA for the Alberta accounts. Each statute has its own rules for consent, disclosure, and breach notification, and the differences, while sometimes subtle, are real.

Quebec's Law 25 deserves particular attention. Its 2023 and 2024 amendments introduced significantly enhanced requirements, including mandatory privacy impact assessments for certain types of information sharing, stricter rules around cross-border transfers, and increased administrative penalties for non-compliance. Sellers with accounts involving Quebec residents should evaluate whether a privacy impact assessment is required before sharing data with a prospective buyer, particularly if the buyer stores or processes data outside of Quebec.

The Alberta and British Columbia statutes are more closely aligned with PIPEDA in their treatment of business transactions, but each has specific provisions that may differ in detail. For example, Alberta's PIPA includes its own business transaction exception that is similar to PIPEDA's but has distinct conditions regarding the use and retention of information when a transaction does not close.

For portfolio sellers, the takeaway is direct: compliance planning should begin early in the transaction process. Sellers who know which privacy statutes apply to their portfolio, and who structure data handling accordingly, move through the sale process faster and reduce the risk of regulatory complications after closing.