Let's pull that apart.
Obviously they should do a PIA. I can't imagine anyone here disagreeing that they should do a privacy impact assessment. I take your point. It's well stated. There should be an obligation in law that these organizations, when they're using a new tool with impacts upon privacy, do a PIA.
Let's talk about appropriate use, though. In the CBC report, I saw an indication from agencies and departments that they use this tool separate to judicial authorization in some cases, and in other cases only on government-owned devices and in cases involving employees suspected of harassment.
Both of those instances, at a high level, sound quite reasonable to me. Are there other instances that you're aware of that we ought to be concerned about?