Let me just point out to the committee how what is proposed is different from having the organization do an assessment of two thresholds in making that determination. As Madam Borg pointed out, the NDP amendment does create a two-step process, so an organization would first determine whether or not a breach posed a possible risk of harm and that would go to the Privacy Commissioner. Then the Privacy Commissioner would look at the data breach and determine whether or not notification to individuals was warranted.
The standard applied by the Privacy Commissioner would likely result in an appreciable risk of harm. The organization is accountable for telling the Privacy Commissioner, which creates an accountability on the part of the Privacy Commissioner to do a risk assessment and determine whether or not individuals will be notified. Bill S-4 places the accountability for both of those things on the organization itself.
Madam Borg's second point was that the amendment gives the Privacy Commissioner the power to order a company to notify individuals, whereas under PIPEDA currently and under Bill S-4, the Privacy Commissioner doesn't have the ability to make those orders.