Yes. I'd echo those sentiments. I don't think there's a problem, in my experience, that it would be solving. That's similar to the CBA's submission. If you were to go that route, of course, there would be a lot of things to consider in terms of how the office currently operates versus how it would have to operate under that kind of model.
I suppose I would be coming back to the questions of “To what end?” and “What's the purpose of this?” In my experience, and my feelings are the same as those expressed by Ms. Reynolds, if you're even at the point of being investigated by the Privacy Commissioner, you're not, typically, looking to pick fights or end up at a place where you're feeling like you need to do something that you can't do for business purposes, etc. You're seeking to find a way to work with the regulator in a way that meets your obligations, as you may accept them at the end of that process, under the act. Maybe you agree to make certain changes. We do have the new mechanism of the compliance agreements. It's very new and untested. We may see that this addresses part of what you're getting at.
In terms of the stick, as I addressed in my opening remarks, I think the stick is already there. In serious cases, complainants are going straight to court and suing organizations for privacy breaches in any event, so I don't see how changing the commissioner model would add anything to that.