Sure, thanks.
I actually wouldn't call it a subjective test. I think it still is an objective test; the problem is that it's left up to industry to apply that test, and there is not enough oversight or incentive to ensure they are doing it properly.
One solution is to have the Privacy Commissioner be able to review the breaches and determine which breaches require, for example, notification of individuals. This is the model that is being proposed by PIAC, I believe, and it's certainly one that would get around the problem of the industry itself determining whether or not a breach meets the threshold for reporting to the Privacy Commissioner and/or to individuals if you go with a different standard.
I think it is a problem. I guess you can call it a subjective standard, but the problem is that industry is making its own determination, and if you're going to go with that kind of model, then it's all the more important that you have strong incentives in place for industry to comply. Otherwise they won't. It's simply not in their interests, and that's what we're seeing. If you study any aspect of PIPEDA compliance right now, non-compliance is just a cost of doing business right now. That's a fact.
I'm disappointed that the Privacy Commissioner is not really acknowledging that and calling for order-making powers. It's something that's very disappointing to me. As I said already, I had to take the Privacy Commissioner to court in order to get her to exercise her jurisdiction at that time, and it seems that for some reason there is not the appetite that there should be in that office for order-making powers and more effective enforcement of this legislation.