We've had a lot of success with PIPEDA and with the model that we have with the Office of the Privacy Commissioner. It was established as an ombudsman model and was very much an education-first, collaborative organization that worked with businesses and individuals that had concerns or complaints and tried to find collaborative ways to discuss and get to solutions.
As we watch technology change—and technology is specifically referenced in the purpose statement for PIPEDA—it's very clear that data is now regularly called the new oil. It is flowing internationally and is critically important. It is collected in ways that we didn't even foresee in 2000, when this was first enacted, and that creates pressures in terms of how an organization treats its data. It also creates real concern for individuals about how their data is handled and whether they even know what was collected and how it's being used.
When we look at the model we have for the Privacy Commissioner—and as you said, in 2015 we increased the tools that he had available to him with the introduction of compliance agreements—and as we move into any kind of thinking around the next review of the act, the question will really be around balancing whether we want an ombudsman model with the same types of powers, or whether we move to a different type of model.
The nature of the mandate could be very different. If you give order-making powers but still want to be able to have open conversations with business, saying, “Come in and talk to us early on and we'll work with you on how you go about designing new products and services,” then having greater order-making power in the same organization could cause some concerns about what the core mandate priorities are. A holistic review of the Office of the Privacy Commissioner and PIPEDA would need to be undertaken before we would decide to give new powers.
That being said, lots of organizations have stronger powers, and they are able to balance those stronger powers with a really effective regime of working with businesses and individuals. There is pressure to ensure that the Privacy Commissioner is seen to be a best practice, both domestically and internationally.