I think that this would be one approach, yes, but my plea is for some more detailed legal analysis on this. I think one of the dilemmas here is that the Chief Electoral Officer knows political parties and knows the regulations on political parties, but he is not necessarily resourced and adept at dealing with privacy issues. The Privacy Commissioner has those skills and resources but doesn't have the legislative mandate to do that, so it falls between the cracks. The other institution that is responsible here is the CRTC, of course.
I think there will have to be some very careful legislative and constitutional analysis on this question. In the meantime, I don't see any reason why there couldn't be a code of practice agreed to, under the auspices of the Privacy Commissioner and the CEO, perhaps jointly, that would have the effect of establishing a more level playing field, establishing more transparency, and preparing for the day when legislative rules come in.