We are proposing today a hybrid model, one that looks a lot like what was in Bill C-12. In order for it to be two steps, you would have to have a reporting of material breaches of security safeguards, as it was worded in that bill, that affect personal information, as a first step, only to the Privacy Commissioner. Then, as in Alberta, it's better to leave the decision about whether to notify individuals with an impartial third party, the Privacy Commissioner, rather than again leaving it up to the company, which is what this bill.... It places a lot of responsibility on companies, actually. If they make a call badly, it's just preferable to leave it in the hands of an impartial third party.
That would be what we propose, that two-step approach.