My concern with the security breach disclosure provisions, which I think quite clearly are long overdue—we've been passed by by so many other countries and jurisdictions on this—is frankly that we had it better in the earlier iterations of this bill, in Bill C-12 and Bill C-29, which, as I'm sure you know, created a two-step process.
The first step is notification to the Privacy Commissioner of a material breach, and that, of course, didn't include the necessity of the real risk of significant harm. It was more a matter of the breach itself.
Then you get into the secondary question of under what circumstances you go down the much more challenging avenue of having to disclose this breach to everyone who's affected, recognizing that there may be circumstances in which that's appropriate and others in which it's not.
What we've done here, by removing that and creating a higher threshold for all disclosures, I think means that systemic breaches don't get disclosed. It means that, many times, important material breaches simply don't get disclosed, and organizations that have underlying problems don't have to fess up at all.
I think we recognize that in some circumstances we have the incentives for organizations not to disclose because of the costs and the embarrassment factor. We also want to ensure that we don't have so many disclosures that consumers are receiving notifications on a daily basis, and they simply tune all of that out.
There is a balance to be struck, but I think we did a much better job, the government did a much better job, of striking that balance, particularly for things like systemic breaches within an organization, by saying, “Surely that's the sort of thing that we would want the Privacy Commissioner's office to know about”, and yet we've effectively removed that in this bill. It's hard to understand why.