The first point I would make is that we can devise a breach notification regime in any number of ways. The one that you have in front of you is a good compromise. It's reasonable. Is there a better system conceivable? Probably. What I would ask you to do is to adopt that regime because the main point is we need mandatory breach notification.
Is it appropriate to leave organizations with the duty or the discretion to notify or not? In practical terms, we see that in Alberta, which has a similar scheme, but also federally with the voluntary breach notification that we've enforced for the past few years, organizations by and large do not under-report. They over-report. They want to report borderline cases because they don't want to be seen as under-reporting. Moreover, in Bill S-4, there will be penalties for those who under-report. Again, is this the best regime possible? Maybe, maybe not. I think it's reasonable overall and should be adopted.