Maybe just to recap a bit of the discussion we had at the last meeting, this committee has made the determination, through earlier amendments, that the preamble of the bill highlights the fundamental right to privacy, which is the interpretive lens that then gets applied to all the subsequent obligations and responsibilities in the act.
It then imposes a number of obligations related to the treatment of personal information. We had a good discussion at the meeting on Monday about how personal information needs to be broadly understood to be about someone and not just an identification of someone because “about someone” brings in this construct. Then, there are amendments made to ensure that inferred information is part of that understanding of personal information, which will become important when we then come to the obligations and the responsibilities of commercial actors when using personal information.
The conversation we had on Monday about “sensitive” is that there are a number of things that happen that are tied into the bill about the obligations that are applied to sensitive. One is that we have already determined children's information, the personal information related to those under the age of 18, is all sensitive, which means it requires a duty of care and a higher standard of protection by commercial actors. More importantly, when we get to later provisions of the bill, sensitive information necessitates an express consent by an individual for that information's continued treatment, disclosure and collection.
Our concern about having an exhaustive list was that, one, exhaustive lists don't necessarily allow for a principles-based approach to the interpretation of the obligation, which allows it to be a bit more contextual and dynamic, in the sense of understanding how information might come and go from whether it is always sensitive or not. Two, the categories need to be really well considered. If they're overbroad, you're going to apply sensitive information classifications to categories of information for which express consent will now be required, and that might undo very reasonable privacy protecting practices that are currently the practice of business entities.
We had this conversation about financial data in particular, which is a category that potentially possesses a huge ream of potential areas. If all financial data is considered sensitive and requires express consent, then suddenly we're going to be maybe in a world of consent fatigue because people are going to have to be expressly consenting to the use of their financial data all the time because it's deemed sensitive.
The thought about the NDP amendment that's now potentially being proposed is that we just want to make sure, for this additional categorization, with the wording “due to the context of its use or disclosure, an individual has a high reasonable expectation of privacy”, that we've understood the boundaries of that. Any information for which there would then be a high degree or a high expectation of privacy would now be subject to express consent. We would raise that for the committee's consideration.
I'll turn to Mr. Chhabra. I think he wants to supplement.