That's a very sophisticated question that I'll do my best to answer.
I think the federal and provincial privacy commissioners across the country, as well as privacy advocates, look at identity theft from an invasion-of-privacy perspective. But that's not really the criminal law perspective on the problem.
If you look at proposed section 402.2, it isn't merely having this information and using it in some deceptive way; it's using it in the commission of an offence, a pre-existing, independent, criminal offence that involves some element of deception. So that is in fact where there's a fairly clear demarcation between mere invasion of privacy or a violation on the civil side and where the criminal law can step in.
You referred earlier in your question to the definition of “personal information” under PIPEDA. I believe the definition is “information about an identifiable person”. I think there had been representations at one time that that's what the definition of “identity information” ought to be for Criminal Code purposes as well. But again, if you consider identity theft from the criminal law perspective as opposed to an invasion-of-privacy perspective, it really ought to be focused on the type of information that can identify a person, because it's the identification of a person that leads to various forms of deception and fraud.
PIPEDA, for instance, would cover a person's religious affiliation or their shopping preferences or their marital status. All of that information may be of a private nature, which privacy legislation should protect, but from a criminal law perspective those pieces of information are not useful in perpetrating an identity fraud. Although the definition of “identity information” is open-ended, it's really constrained by the notion of its applying only to information that can identify a person as opposed to information about a person, which I believe also serves to delineate the criminal law sphere from the privacy sphere.