Thank you for the question.
First of all, on notification, from our comments, NAID Canada's position would clearly be that notification is not only important as a protection for the individual whose information may have been breached, but I think we all know that as much as teeth or enforcement can be put into this, it may be one of the most serious deterrents to casually treating the information as well. If notification is hanging out there as an obligation, I think you're going to see organizations that handle personal information be much more concerned about that real thing happening.
As far as the transborder issue is concerned, it has cropped up. It originally cropped up when the European Union adopted data protection directives and then directives about sharing that data with the U.S., which was lagging behind at that time. It has also arisen between Canada and the U.S. with regard to the Patriot Act being passed in the U.S., and various things like that.
I would just say that it is fairly common-sense. As far as NAID Canada is concerned, the common-sense approach would certainly be that personal information belonging to a jurisdiction's citizens should not be allowed to be shared or to enter into an environment where those same protections aren't allowed for in the other jurisdiction.