I think on the aspect of risk, it's a bit of both. Currently, PIPEDA is principles-based—there are some rules, but rules are few. CPPA would certainly keep principles but adopt many more rules. I think an effective system has both principles and rules that are at a sufficient level of generality that they can still be relevant even if the technology or the business context changes over time.
I think where I would disagree with my colleague Mr. Fraser is that PIPEDA lacked the rules that would ensure protection. I'm not suggesting a prescriptive statute, but I'm suggesting a statute that has both principles and actual rules stated at the right level of generality.