My other question has to do with the mandatory breach reporting mechanism.
In your opening statement, you said you wanted to provide clear rules and create a minimal administrative burden on the private sector. I think everyone supports that. But the discretion to decide whether reporting poses significant harm to the individual is left to the organizations subject to PIPEDA, and that concerns me.
I know there are a number of big companies. We tend to think of the Internet giants, which have privacy protection officers, who are tasked with ensuring respect for people's privacy. The problem is that 98% of companies are small or medium-sized. How are you going to help them and support them? Will small and medium-sized businesses be given tools to guide them as they try to figure out whether a breach poses significant harm?