I don't know that we were touching on the GDPR in our brief, but we were suggesting that it is challenging. Obtaining consent in the world in which we're operating today is indeed a challenge. We have touchpoints every day where individuals and organizations are asking us if we've read the privacy policy. We're dealing with small screens. There are enormous barriers out there to enabling consent in every interaction we have.
The point we're making is that you can retain consent at the core of your privacy framework and at the same time provide greater responsibility and accountability for organizations to utilize personal information where there is maybe a reasonable expectation on the part of the consumer that the information may be used for an additional purpose—in other words, an expanded use of implied consent, if you will. I think the CRTC was here a few days ago talking to you about the anti-spam law. A very robust aspect of that law is built on implied consent as well as express consent. There's a strong element of implied consent where there's an existing customer relationship.
Charles was talking about the fact that organizations may have a legitimate need to use the information for a new purpose that will not put the consumer at risk. It may indeed benefit the customer. In those kinds of instances, going back to consent, is that where we want to be in the environment in which we're operating today, the digital environment? We would suggest that it isn't, and that in different contexts, different industries, you may have different codes and different frameworks that will be established to allow organizations to move forward in the way that I've suggested. Those would be self-regulatory codes, and we think they have a place in what we're describing—that is, a consent-based regime still, but one that imposes great accountability on organizations.