Some of the challenges with duty to notify have been addressed by some of the other guests here in terms of notification fatigue. Our detailed submission sets out our views on notification of loss. We say if a duty to notify is to be directly or indirectly included in PIPEDA, it should be a balanced approach.
Bill 200 is a bill I assisted with drafting in Manitoba. It's intended to be substantially similar to PIPEDA, modelled after the Alberta law. It has a duty to notify. It reflects the similar language we've put in our submission in terms of a balanced approach. For example, we say that a duty to notify might be included where the information is about an identifiable individual or the information is not identifiable by virtue of being protected through, for instance, encryption, or the organization has received notice that the protection has been breached, that the encryption technology has been breached, and that the information falls into certain specified categories of sensitive information.
If you say duty to notify every time, you're going to end up with notification fatigue. It's going to be ineffective. The status quo and the reality are that some organizations simply choose not to notify, and that may not be friendly from a privacy perspective.