With respect to the two aspects, monetary penalties and data security breach notification, the concern with putting some boundaries on the obligation to report security breaches is that they're, unfortunately, so common and of so many different varieties that, if there were an automatic mandatory obligation to report every security breach, consumers would quickly become overwhelmed and even more distrustful of what corporations are doing with their data. There can be all kinds of issues or problems. Some middle ground was sought where only the more serious ones that really posed a risk to consumers or individuals would have to be reported.
There are different ways that you can do that. You can leave it to the corporation to determine the seriousness of the breach and whether or not they should be reporting it. Or you can have an obligation that corporations report breaches to the Privacy Commissioner and then decide, in consultation with the Privacy Commissioner, what steps should be taken to notify consumers. There can be a range of different types of notification or different types of responses.
I'm somewhat sympathetic to the concern about overwhelming consumers with information about breaches, but at the same time, I think there are ways to do it that won't leave the decision-making entirely in the hands of companies to determine when a breach presents a serious risk of harm.
The concept of serious risk of harm is a difficult one as well, just because it may not always be easy to assess what amounts to a serious risk of harm for individuals. I think that's going to be a difficult threshold.
As for administrative penalties, I think that would be an important weapon in the arsenal of the Privacy Commissioner. Not only does the administrative penalty impose a sanction on companies, which can be important in signalling that there has been a lapse in behaviour that is problematic and needs to be addressed, but it also has a more public shaming dimension as well. I think one of the concerns that's frequently been expressed about PIPEDA is that the commissioner has taken a very soft approach to dealing with corporations and doesn't name names, particularly in the context of most complaints, and so on, so that there's not enough information provided.