At the beginning of my mandate, there was a lot of emphasis on public and national security issues, and on measures that followed the events of September 11.
The Snowden phenomenon highlighted certain government practices. It's not all perfect, but we have made progress on those issues. Legislation has been passed to raise the bar on which departments [Technical difficulty—Editor] for national security purposes. Most importantly, independent oversight bodies have been established and are now in place within the public service and within Parliament. As I mentioned, not everything is perfect, but significant progress has been made.
In recent years, with Facebook, Cambridge Analytica and all the rest, there has been a lot of focus on what some call surveillance capitalism, where companies collect, process and disclose a lot of information about their consumers to provide services, but also to make money, of course. That is where we are at now, which is why it is extremely important that these issues be properly regulated through Bill C‑11 or its successor.
I have to say that recently we are seeing more and more public‑private partnerships. Clearview AI and the RCMP are just one example among many. This leads me to suggest that you think seriously about the relationship between the public sector and the private sector in terms of sharing personal information, and the idea of the same legislation governing both sectors, which we think would be extremely desirable. If two laws are used, it would be best if they had very similar principles, because data has no geographic borders and no boundaries between the public and private sectors. It is important that similar rules govern both sectors.
I would add that, to maintain the confidence of the public and consumers, it is essential that [Technical difficulty—Editor] result in penalties that are proportionate to the magnitude of the impact of the privacy breach on privacy. Order powers and consequent fines are therefore crucial. The reason for recommending substantial fines is not to be punitive. Rather, it is to ensure that the consequences for people whose privacy has been breached are proportionate to the consequences for the companies involved, so that, over time, imposing such a regime will result in governments, departments and companies properly protecting the personal information of the public and consumers.