That's right. The overall structure of the consumer privacy protection act makes significant improvements to the existing Personal Information Protection and Electronic Documents Act in the treatment of both personal information generally and sensitive information. Some of what would be wrapped up in requiring express consent at this point will be further contemplated. For instance, what are the obligations for the general protection of personal information? What sorts of privacy programs do you need in place to ensure that you've done things like having effective controls? Have you left yourself vulnerable to cyber-risks or other aspects, for instance? Those are the sorts of things that will get covered in a privacy program.
There will also be further considerations about what it takes, and when you are allowed, to make a disclosure. When am I allowed to move financial data, for instance, from one payment process to another, and what are the guardrails around that?
There will be, as contemplated in the act, a very high standard set for the treatment of personal information writ large, including in a number of the instances that would get wrapped up in what it currently contemplates and tries to do through sensitive information. By making it sensitive, we are requiring its express consent, therefore taking away the flexibility of the context-specific reading that the Privacy Commissioner has asked for. It also suggests that all of the other things that will come later that protect that information won't be doing anything, when in fact they very much will.
I don't know if my colleagues want to weigh in.