I would argue that we've come somewhat close, I think, to option number two in terms of simplifying and codifying an approach. This is exactly what PIPEDA does, recognizing that technology is evolving very rapidly and the legislative process will always be behind. PIPEDA takes the approach that sets out basic principles that all organizations must follow. That allows for a great deal of flexibility to users and ultimately to a privacy commissioner in determining what is required, what level of disclosure, what type of consent, and what sort of uses are within the reasonable expectation of consumers, etc.
I think we're very close to having the right approach.
With respect to more powers to privacy commissioners to enforce, I would say that for many businesses, certainly the larger and more reputable businesses, fines and those kinds of enforcement powers are almost beside the point. The real stick, and where the rubber really hits the road for such companies, is the type of publicity you described.
When there is a major privacy breach and the company's name is all over the headlines about being hacked or about doing something inappropriate with data, that really does a lot to damage the company's brand. It makes people question their trust in the company. It makes people think that maybe they should be using alternate providers. Regardless of what the laws might be, that is what most businesses are really focused on.
One of the problems with having more enforcement powers is that it changes the essential nature of the relationship between privacy commissioners and business. Right now we generally have a fairly cooperative, sort of ombudsman-type model. I think it works fairly well. That is more conducive to organizations proactively sharing information with privacy commissioners.
If we move to a regime where there are more sanctions to be applied, it becomes much more like litigation, and I don't think that's the environment we want for privacy in Canada.