As somebody who practises privacy law on a daily basis and advises businesses, I think one thing that's notable—certainly it's been my experience and I've heard it anecdotally from others—is that the large banks, the large telcos, and the large Internet companies have squads of lawyers on staff. They have compliance people. They have international compliance people. In fact, their level of compliance is pretty high, although their risk threshold might be slightly different from that of a small or medium-sized business.
The level of awareness of the mechanics of how to actually comply with Canadian privacy law—how to get people's consent, how to manage all that, and how to protect information—is actually quite low in the very large portion of our economy. Here I refer to the SMEs across the board.
One thing I think is worth discussing—and I don't have a ready solution for it—is that although the Privacy Commissioner has done a lot of work with big banks, telcos, and Internet companies, how do you educate and reach those SMEs and incentivize them to protect Canadians' personal information better? I don't have an out-of-the-box solution for that.