Thank you.
You state in your report that “Personal information is available...in unprecedented amounts, and the state's appetite for it is voracious.” It's a very strong statement, so I think with the issue of Bill C-30 there's a concern. But the appetite of private companies for our personal information is equally voracious. I'm concerned about the protocols around how that privacy information is collected, and I see it from your audits of Google and Staples.
But I'm looking at Bill C-12 and the issue of security breaches and the provisions that exist right now—or the lack of provisions—and then the very loosey-goosey provisions the government is bringing in. If someone's data has been compromised, right now under this bill they say if there's significant harm they're obliged to tell the consumer. Significant harm seems to me to be an extremely high bar to set, given that a company is not going to really want to tell consumers that somebody was peeking at their data; they're going to quit the account.
How do you feel Canadians should be protected? Should the breaches be reported to you so that you can set the bar? Should we allow private industry to decide whether or not there's been significant harm? How do we ensure a balance? Is this something that should be reported back to you so you can make that declaration?