Thank you, Mr. Chair.
Thank you to both of the witnesses. It's been very interesting.
I don't know if I fully understand Brian's comments that the Privacy Act should have the same duty of notification provisions as PIPEDA. One of the big flaws of PIPEDA is that it doesn't have the duty of notification, and when our committee studied it we recommended unanimously to the government that it should have duty of notification. But when the government reacted to our report, tabled in Parliament, they said clearly the government is not interested in putting duty of notification into PIPEDA. So I don't think we're any closer to having that duty put into statute at all, which is really worrisome to me, because a lot of Canadians would be horrified to know or would want to know if their personal information was compromised in the private sector or the public sector.
The PIPEDA report was just tabled in Parliament today by the Privacy Commissioner. You might want to get a copy of that. It talks about the TJX case, where personal information and 94 million debit card and credit card numbers were compromised in that one violation alone. There were 94 million--they weren't all Canadians--people from around the world, I guess. This is worrisome to me, and I think the Privacy Act should have a rigid duty of notification.
The cross-border sharing of information is of great concern to us. I want to thank you for bringing your input into this, and specifically citing the Maher Arar case as a graphic illustration of what can go wrong and has gone wrong.
Is there anything more you can tell us about the Canadian Bar Association's views on this? Or would you like to speak a little more on the subject of how we might prevent another Maher Arar incident?