Thanks very much.
Just to follow up on Mr. Schaan's points, the way we read CPC-7, it would establish very broad categories for sensitive information that go beyond what is currently contained in the EU's GDPR or found in the Privacy Commissioner's own bulletin on sensitive information.
It doesn't allow for a contextual analysis or what defines sensitivity in a given scenario. An example of that would be that the GDPR does not identify financial data as being universally sensitive; I think that was the nature of the question.
That's also aligned with findings of the OPC and Canadian courts, which have stated that not all financial information is sensitive, and that sensitivity depends on the circumstances.
In a case called Royal Bank of Canada v. Trang in 2016, the Supreme Court found that the degree of sensitivity of specific financial information is a contextual determination.
The sensitivity of financial information [in that case, the current balance of a mortgage] must be assessed in the context of the related financial information already in the public domain, the purpose served by making the related information public, and the nature of the relationship among the mortgagor, mortgagee, and directly affected third parties.
That case was cited, as well, by the Privacy Commissioner's updated guidance on the meaning of sensitive information, which was published in 2022. It illustrates scenarios in which there may be very valid and important reasons for the sharing of certain financial information under certain circumstances, but to declare all of it sensitive would not allow for that contextual understanding.