I think a combination of the two. You need the principle in place under PIPEDA, and I agree with Mr. Kardash that PIPEDA has been very successful in setting in place a very broad, principled framework that the privacy commissioner has applied in a flexible manner, in a sort of co-regulatory manner, in the sense that the guidelines are issued and companies attempt to implement them, and there's discussion with industry and sometimes with other stakeholders on how to develop and apply those.
I think that's the proper mechanism, but the principle itself needs to be embedded in the statute, and then there needs to be a potential, at least, for a penalty for serious cases of non-compliance, clear cases of non-compliance, not borderline cases or something like that. Then, within that context, I think you can develop a co-regulatory framework where the principles get applied in a flexible manner. I think that's the way to go.