Mr. Chair, indeed I think the desire here is to make sure there are appropriate protections in place for information that is truly sensitive.
The challenge, of course, when putting out a list is that we've assured ourselves that every instance of the utilization of the categories in that list would always meet the test of requiring express consent. As noted, something like financial data, for instance, can actually be widely construed and may not always necessitate express consent in every single one of those instances.
I think the challenge for a commercial organization in possession of some of this personal information is that, if they're actually in receipt of this bill and trying to think about implementation, suddenly there's a whole bunch of potentially new interactions they may need to have to implement some of this.
Some of it is potentially going to get very much in the way of existing business processes. That's not to say that we don't want to rule out harmful business processes, but for some of these there may be a better way to make sure sensitive personal information is defined and understood at a broad level, and yet not remove those two things that I suggested were important. One was room for guidance, and the second was context in some situations. De facto calling it sensitive in every instance may not actually be accurate to what it does in a particular instance or situation.
I'll turn it over to Mr. Chhabra.