I just would add one additional contextual point that I think may be helpful in terms of the discussion of data breach writ large. When we think of private sector privacy law, we often tend to think of the capacities of large telecommunication companies or financial institutions, but I think it's valuable for the committee to bear in mind with this legislation that small and medium-sized enterprises are also required to abide by PIPEDA.
An additional reason for this, beyond those that my colleague has explained, is that by having a single threshold, you do not force individual small and medium-sized firms, which may not have the same capacity or access to legal advice, etc., to have to sort of arbitrate or adjudicate among different standards, but rather just have a single, clear standard they are able to follow. I think that's another explanation for the single threshold.