Mr. Chair, the only thing I would point out to the committee is that, as Mr. Hyer points out, this eliminates a risk-based threshold and essentially replaces it with a requirement to notify individuals if the organization believes that some unauthorized person has accessed the information.
I would make two points. One is that the Privacy Commissioner testified before this committee and has long advocated for a risk-based approach, recognizing that we don't want to tell individuals about data breaches that don't actually pose a risk of harm. You want them to be told of those that they need to pay attention to, because part of the objective of notifying people is getting them to take action to mitigate or reduce the risk of harm, such as changing their PIN, calling their bank, and monitoring their credit card statements. If you create a system whereby individuals are constantly being notified of breaches where there isn't necessarily a risk of harm, you run the risk that they'll stop paying attention to them and they won't take the action that you want them to take.
The second point I would make is with respect to the California data breach law. The personal information covered by that law is much narrower than under PIPEDA. Under PIPEDA, the definition of “personal information” includes any “information about an identifiable individual”, so a lot of non-sensitive information is included, whereas the California law has a very specific subset of personal information, which is risky. It is highly sensitive information. Read together, it makes more sense that the California law applies to all data breaches and doesn't take this risk approach, because it already narrows what personal information it covers.