Under not a legal obligation but under the policy documents of the Treasury Board; this is something that's not legally required but is more internal. The sanctions could be imposed by the Treasury Board itself...or removal of delegation or these types of things, but there is certainly in this policy the sense that my office should be notified and that a PIA should be done in high-risk situations where the tools can have an impact on privacy.
The fact that there's a judicial authorization regime doesn't remove the need to do a PIA, but it's an important element that would certainly be looked at and considered in a PIA as a mitigation measure.