That's why I asked the question. For most countries in the world that have comprehensive data protection law, there's an agency similar to the Privacy Commissioner of Canada that the Privacy Commissioner can talk to and have discussions with. If there's any complaint by a Canadian, then there's a process in that other country for that complaint to be investigated.
The problem that we have in Canada is that so much of our information flows over the border to the United States. There isn't an equivalent institution in the U.S. The U.S. has a privacy act that predates our Privacy Act and is from 1974. It's similarly dated. That is administered not through one privacy commissioner, but through a variety of different regulatory agencies.
Your question also relates to the so-called Safe Harbour agreement that was invalidated by the European court. It's now been replaced by a thing called the Privacy Shield, which is mainly for commercial data.
That's all by way of saying that you've asked a very, very good question.
I come back to what I was saying about privacy impact assessments. If they're done properly on both sides of the border, PIAs can go a long way toward ensure that the principles in the Privacy Act are in fact complied with wherever that data goes. There have been some good examples of that. I give the example of the enhanced driver's licence processes, for example. There were PIAs done in Canada and in the relevant institutions in the United States that were reviewed by the Privacy Commissioners in Canada. I don't know whether Gary had something to do with that in his day.
PIAs do play a strong role in alerting the Canadian Privacy Commissioner to any issues that might exist on the other side of the border.