The recommendations are all important, and I presented others in my brief, particularly on the issue of proactive audits. If I had to pick just one, I'd choose the obligation to carry out a risk assessment, which I think should become a legal requirement.
There's also another point, which is less often discussed. In the current bill, organizations would have very wide latitude in defining the purposes for which they can use personal information. As I did when I was commissioner, Commissioner Dufresne recommended that the purposes for which information can be used be explicit and precise. These words are important. At present, companies can define these purposes pretty much as they please. Forcing them to define these purposes a little more narrowly would be one way of ensuring a better balance. Moreover, such a provision would be in line with European legislation.