My recommendations are to give stronger enforcement powers to my office as the regulator, which means in practice at least three things: the authority to make binding orders; the authority to impose penalties to make sure that these orders are actually implemented; and equally important, perhaps more important, the authority to proactively inspect the practices of companies to make sure that they actually follow the law. That's an important mechanical step.
Beyond that, we need to reform the principles of the private sector law and the public sector law, but now we're talking about the private sector law. I don't have a problem with the fact that the current PIPEDA is principles-based. It's part of the architecture that allows it to endure over time, regardless of technologies. But this principles-based legislation also needs to ensure that it is rights-based and defines privacy not as a series of important mechanical steps like consent, but defines the right at the proper level, which is the right to be free from unjustified surveillance by corporations and government. That's the right that's at play, and that's the right that needs to be enacted, I believe, so that citizens can engage in the digital economy, can make searches and can develop as persons in such a way that they can do that without being subject to constant surveillance.