I think there are all kinds of challenges, whether in terms of resources or the pressure on departments. They're in a better position to speak to that than I am.
The challenge is that privacy impact assessments are mandatory under the Treasury Board directive but not under the act. The directive makes distinctions, for example, between a new program and the update of a program, or between the assessment of a program and the assessment of the tool itself.
Given these distinctions, the department can say in good faith that it is of the opinion that an assessment isn't required, because the directive doesn't require it. And yet, perhaps it should be required. With technology becoming increasingly powerful, it could become even more important to reassure Canadians that we're doing all this in an even more proactive manner. So it would be preferable that it be a legal obligation.
Moreover, this is not an issue that concerns only Canada, obviously. My international colleagues, at the conference of the World Assembly for the Protection of Privacy, adopted a resolution on artificial intelligence in the area of employment. It calls on governments and parliamentarians to be aware of the need to set guidelines. If artificial intelligence technologies are used to recruit workers and assess their performance, that can have an impact on privacy. So we have to be transparent and take into account the notions of necessity and proportionality. These are fundamental questions.