Chair, thank you very much.
I guess it's just a minor point, because I think I didn't make it in my submission. I agree entirely with the comments of my colleagues about the need for a dual standard for breach notification, with more breach notification to the Privacy Commissioner and commissioner playing a greater role in determining which breaches need to be disclosed to individuals.
I would just go back to my earlier point. I think there are three fundamental areas of Canadian privacy that this legislation needs to protect. There need to be more hard limits on what companies can do with our personal information, particularly for children and vulnerable people. Second, consent needs to be real. That means express, opt-in consent, not negative option. Third, there need to be order-making powers and administrative monetary penalties for non-compliance.
Thank you.