Yes. To be fair, it is an objective test. If you look, for example, at proposed subsection 10.1(1), it says:
An organization shall report to the Commissioner ... if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
That is an objective standard. The problem is that we're letting the industry itself make that determination when there is a huge incentive for the industry not to disclose, so either you need much stronger incentives for disclosure or you need a third party, like the Privacy Commissioner, to make that determination, to be able to review it, to have the resources with maybe one or two more bodies in the office to review these much more standard breach notifications and at least determine which ones need to be sent to individuals.