I would say there are at least two important solutions. One is to make sure the regulator has the right powers, and in that basket would fall binding orders, penalties and proactive inspection powers that I've discussed in this committee before and can expand on if we have more time.
But I will move to another part of the solution, which I think is to ensure that we have rights-based legislation. Facebook and Cambridge Analytica demonstrated the link between privacy protection and the exercise of other fundamental rights, in this case democracy. But there's also a link between privacy protection and other fundamental rights: equality, for instance, in the employment context; freedom to go on the Internet to develop as a person and look for issues of interest without the fear of being monitored by corporations. A clear link was demonstrated in Cambridge Analytica, but it's just one example of the clear link between privacy protection and the exercise of fundamental rights.
I think this shows that, in addition to giving powers to the regulator, the new legislation has to be framed as perhaps principles-based, as PIPEDA is, but also rights-based, and recognize that privacy protection is linked to the exercise of other fundamental rights. We're all at risk if privacy is not protected. We would not only lose our privacy, but other rights would also be at risk.