The entire regime is overseen by the Privacy Commissioner, who has considerable capacity, such as the power to make orders and recommend AMPs and the ability to enter into consent agreements to modify the behaviour of those who potentially violate the privacy of Canadians. All of this is interpreted within the broad category of a fundamental right to privacy, which was inserted in the preamble and at the outset of the bill.
The personal information use cases that we've talked about today would be governed by strict obligations for the use of personal information, notwithstanding that it's not sensitive. A company would need to be plain-language clear at the point of collection about what the uses of the information were and what the individual could likely expect for the ongoing transfer of that information. They'd need to have a privacy program in place that would include the safety and security of the information in their disclosures.
Those obligations would pass on to a disclosed entity. If a disclosed entity is a payment processor in this particular use case, notwithstanding the fact that this doesn't obviate the accountability of the original collector, they are required to continue to ensure the trust and security of the information in their possession, notwithstanding that it was transferred to them without express consent.
Each step in that value chain is still governed by an overall approach that ensures that the continued privacy of Canadians remains fundamental in the overall transaction and in the collection, use and disclosure of information.