I think it's been done already by the Federal Court. I think there's a legal test, a real and substantial connection to Canada. I think many of the companies meet it. It's fairly clear, and that test would have to be met.
We would be levying a sanction for their behaviour involving the personal information of Canadians. I don't think there is a problem of enforcing it. Other countries enforce things against companies headquartered elsewhere. It depends on how your laws are written, but one of the many good things about PIPEDA—the only thing I’m raising here is the lack of enforcement powers—is that PIPEDA is written in a such a neutral way that as long as you have a connection with Canada, it doesn't matter where you are headquartered. It doesn't matter where your servers are, etc. I think that can be dealt with in a rewrite of the law.