No, not really. In fact, I've had colleagues who have suggested it may be too weak a threshold.
To give you an example of that theory, organizations intentionally take steps to comply with privacy law. They develop privacy policies, procedures, a whole infrastructure. If ultimately the commissioner concludes that it's not compliant, is that intentional breach, they've intended to do that?
It's very easy to say...and quite frankly I think there has to be an intentional element if you're talking about a fine. You don't fine somebody for negligence unless it's gross negligence.