Industry committee  As was pointed out, CPC-9 is a very broad set of proposed amendments that would, as we understand it, have the effect of making three important changes. First, it would limit the imposition of cost awards against the OPC. Second, it appears to remove the private right of action that would allow folks who have been impacted by a transgression of law to be compensated for their loss.

Industry committee  I believe we may have received an email from the Canadian Bankers Association. There may have been dialogues at various points as well. I don't know the timing of the meetings compared to the letters you're referring to.

Industry committee  No, there was no meeting around that date.

Industry committee  We would agree that, as defined here, “significant impact means an impact that meets the prescribed criteria.” The government would need to undertake a regulatory process following this to set those criteria.

Industry committee  I understand that the modifications being proposed through this subamendment would add to the definition of sensitive information, as follows: Sensitive, in relation to information, includes any information about an individual for which the individual generally has a high expectation of privacy, which may include but is not limited to: Then it provides the list of items, (a) to (i).

Industry committee  I think it's really important to point out that the testimony being referenced speaks to the interest of having an example provided in the definition. I want to make it clear that what we're reacting to in front of us with the amendment does not provide examples. It doesn't say “may include”, for example.

Industry committee  I'll add to that. Having had the opportunity to speak to some of the experts in the open banking or consumer-driven banking space in recent days, I'm comfortable sharing that when considering specific issues related to consent, authorization and authentication—which are each different steps in the value chain that all need to be appropriately managed for different purposes within the consumer-driven banking system—insisting that all financial data become sensitive information changes the calibration of the work that's under way there.

Industry committee  As I mentioned earlier, there are 17 instances where sensitive information is specifically mentioned, including in proposed subsection 15(5), which talks about the form of consent. It appears under “Retention and Disposal of Personal Information”, in proposed subsection 53(2). It also appears under “Security Safeguards”, in proposed subsection 57(1), and again in proposed paragraph 58(8)(a).

Industry committee  Just briefly, to echo what Mr. Schaan said and amplify it a bit, you can think about this in terms of the impacts that it will have on commerce on a day-to-day basis. You can also think about it in the context of interoperability of systems. A big discussion at this committee over several different meetings was about the degree to which Canadian businesses are incentivized, the degree to which the competition framework drives innovation and the delivery of new and effective services, and the degree to which our systems are able to attract investment.

Industry committee  Thank you for that. The commissioner has been clear about the interest in having a context-based definition as the foundation for any definition that the committee chooses to adopt. I also think it's worth pointing out that the commissioner issued guidance on this issue several times, including most recently in 2022.

Industry committee  I would agree that the way it's formulated is intended to rely on the context-based assessment that would be undertaken. When you say something would “generally” be considered sensitive, you're giving an indication of direction. You're setting a policy framework parameter that allows for interpretation to occur effectively.

Industry committee  Your reference to subsection 15(5) is what we're looking at too, and it says: the reasonable expectations of the individual and the sensitivity of the personal information Both of those have to be considered in that scenario in order to be considered, so when you say “and the sensitivity”, and by definition you construct a bill that says that this information is always sensitive, you obviate the ability to take advantage of implied consent.

Industry committee  In other words, the test for appropriate use of implied consent requires two subordinate tests to be met: reasonable expectations and the sensitivity of the information. If we're automatically raising some personal information to the level of sensitive information at all times, it doesn't allow for this contextual analysis to occur.

Industry committee  I'm happy to add to that on behalf of Mr. Schaan. Sensitive information is referenced in the bill in the definitions section, in proposed subsection 2(2); under “Privacy management program”, in proposed subsection 9(2); under the “Appropriate Purposes”—

Industry committee  It's under, starting with the definitions, proposed subsection 2(2); under “Privacy management program”, in proposed subsection 9(2); in the “Appropriate Purposes” area, in proposed subsection 12(2); under “Consent”, in proposed subsection 15(5); under “Prospective business transaction”, in proposed subparagraph 22(1)(b)(ii); under “Completed business transaction”, in proposed subparagraph 22(3)(a)(ii); under “Retention and Disposal of Personal Information”, in proposed subsection 53(2); under “Security Safeguards”, in proposed subsection 57(1)—