I heard that criticism about the GDPR being burdensome on small businesses. I think organizations like the EU Data Protection Supervisor and the Information Commissioner's Office of the U.K. have really focused on small businesses and innovators to help them with their compliance.
I suppose there isn't such a strict category line that we can draw between a small business and a medium-sized business in terms of the harms that they could create. I'll just remind you that Cambridge Analytica was a small business.
Therefore, I think what is more appropriately in context is the sensitivity and the amount of data that's being processed, whether it's two people working in their garage or a small political consultancy. There are many larger companies that aren't processing sensitive personal data. I think the point is to be able to delineate the potential harms and risks that a business is creating for Canadians and to make sure that those risks are properly mitigated.