Bill S-4 would require organizations in the private sector to report any loss or breach of personal information. But the criterion on which that mandatory reporting is based is subjective. In fact, the bill allows organizations to determine, themselves, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
Why didn't the government choose a more objective criterion as the basis for that determination, such as the one proposed in Bill C-475, An Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), which was introduced by my colleague?