In previous meetings, we have heard that there are some loopholes in this legislation regarding data portability, specifically as it relates to the transfer of data abroad.
I have a hard time understanding that interpretation of the legislation in the context of proposed section 20, which is “De-identification of personal information”, and proposed section 19, which is “Transfer to service provider”, where an organization may transfer an individual's personal information to a service provider without that individual's knowledge or consent.
Am I misunderstanding the legislation here? What is your understanding of what I just stated?