Right. Your last comment, Mrs. Gallant, highlights what was mentioned in this committee in the mobility study as being a culture of “I agree”. It's a culture of clicking “yes” to the policies, because you want to use the technology. I think this is part of making sure that Canadians can use and participate in this digital technology, but not at the cost of their privacy rights.
In the Tim Hortons incident, what came out was that there was a concern in terms of the purposes. There was no legitimate need for all of this information. It was very intrusive in the sense that it kept doing it, even when the app was not in use, and it was doing it very frequently. There was a concern about the consent. Users had not been informed as to how extensive it was going to be, and they didn't understand that it would result in their location information being used in such an excessive way. There were also concerns about the contract clause with the provider being too flexible in terms of how they could use it and in terms of the privacy accountability regime.
I think those are all areas where the Privacy Commissioner, with a proactive audit mandate, could have engaged and had discussions, saying, “Make sure that there is privacy by design here and make sure that there's a privacy impact assessment that's meaningful.”
There's a role for the OPC. There's also a role for legislation in mandating these types of accountability processes.