It would be to the extent that we are adding sufficient triggers based on the types of information.
These questions were raised as part of law 25. Clearly, the question was, what do we do with a company that...? Let's say a convenience store in La Tuque has some personal information. What do we do with this? The fact is that the convenience store in La Tuque potentially will have non-sensitive personal information. As such, it should not potentially need to have a privacy officer. That makes sense.
However, let's say we have a growing company with 20 people building a very interesting AI model with biometric data or health information. Then I think it would make sense to potentially have some obligation.
Again, this needs to be proportional. I want to give my opinion. I don't think that the number of employees makes sense. Even the revenue is not a good threshold, from my perspective.