Thank you.
I want to ask you about breach notification. The threshold is pretty high, it's “a real risk of significant harm”. Do you think that is the right threshold? We've had some witnesses suggesting a two-step system where the Privacy Commissioner is informed of all breaches and then there is a decision about when an individual is notified about a breach. Do you think that the way it is structured now under Bill S-4 it's leaving these decisions to industry itself? Is that the right approach?