Okay. Merci.
Mr. Vincent asks a very important question, which I want to be sure we have an answer to.
The industry supports a risk-based approach to notification. Who makes the determination of the risk? Is it the company alone, is it the company in conjunction with the Privacy Commissioner, or is it the Privacy Commissioner who institutes it? In other words, who decides that the breach is material?
This is what Mr. Vincent was asking, so let's get a clear answer.