I think it's important to make clear that it's very hard to see any teeth in the existing legislation as it applies to the private sector, keeping in mind that I'm much more familiar with the framework for public institutions.
As things stand, it's very hard to assert the right to privacy, to be 100% sure that an individual will be notified if their personal information has been leaked or disclosed illegally. Many—