Our understanding of the program is that, when it was first inaugurated in 2013, the view at the time was that the protections in place to avoid the collection of personal information and simply focus on the evidence of non-compliance under a court order would not, under the decision tree, necessitate a privacy impact assessment. However, in 2020, as we were going through a modernization exercise with respect to implementing a risk-based approach to our enforcement activities and a periodic review of our directives, we felt that it was prudent to engage in new privacy impact assessments to cover not just a specific tool but also the activities we undertake so that it takes into account the context in which different tools are used.
On February 8th, 2024. See this statement in context.