I think it's really due to the legislative history of the statute. It arose at a time when there was a need to put legislation in place quickly. Europe had just passed its first data protection directive, and there were concerns about cross-border flows of data. We're in a similar situation again.
It was clear that we needed legislation. There wasn't a lot of comfort with legislation. It was decided that if it were built around the CSA model code, there would be a greater acceptance of it, both here and south of the border, in terms of the obligations it imposed on businesses.
The normative core is the CSA model code, which is in the schedule. In the legislation itself, all the exceptions and modifications are found, as are the enforcement powers and so on. For an ordinary individual who is trying to work his or her way through the statute, it's not intuitive. It's not easy to find. As amendments get made, the interaction between the two documents becomes even more complicated.
I think it's in large part due to that history that we have the legislation we have. I think we're mature enough now in our evolution in terms of our data protection that we can walk away from that and fix the statute.