Thank you, Mr. Chair.
Bill S-4 can force private sector organizations to report any losses or breaches of personal information. The test proposed for this mandatory reporting is subjective since it enables the organizations themselves to determine whether it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
In your view, can we ask organizations to determine themselves what constitutes significant harm? Would that assessment not be too subjective? What do you think about that?