Would you consider that the recourse in those breaches that were followed through was somehow not sufficient? What I'm driving at is that PIPEDA already includes prohibitions against this kind of release of personal information. It is inherent in the act now that organizations that have personal information are required to protect it, and how they go about protecting it—whether they destroy it when they're finished with it, and so on and so forth—is their responsibility, but you're suggesting we have to lead them by the hand and tell them what they actually have to do with it. Why do you think the current responsibilities of these organizations are not sufficient?
On February 8th, 2007. See this statement in context.