It's principles-based, because it needs to be technology neutral. It has to be legislation that will stand the test of time. It's 20 years old, and the Privacy Act in the public sector is even older, so we need this legislation to keep up with fast-moving technology. We're talking about principles, but we also need in legislation some specific obligations, so that organizations and Canadians know their rights.
For instance, we take the safety of travellers in airplanes very seriously. We have predeparture safety checks all the time to make sure that this is done, and done proactively, not after the fact. I see privacy impact assessments as being the same thing. By making sure that on the front end you're looking at privacy, you're treating it as a fundamental right, and you're mitigating those risks not only after the fact.