Thank you for that question.
I think Professor Deibert has referred to this, but I'll elaborate.
We had yesterday an RCMP witness say, to paraphrase, that they don't actually think about doing a privacy impact assessment just because they're using a new technology. They consider whether the technology permits a new kind of invasion.
This sounds kind of logical until you break it down because that formulation of the nature of the search ignores the reality of an ODIT, which allows all the invasions all at once on a device that we—not they—own.
Did they do wiretaps before? Of course. Did those wiretaps allow access to the contents of every form of communication written and oral, professional and private, retrospectively and prospectively, including data that's not actually on the device itself but in the cloud? Of course not. Is it the same level of invasion? No. Did police install covert cameras in homes and places of business with warrants in the past? Of course. Did a single camera have the ability to move with an investigative subject from work to home, from bedroom to bathroom, 24 hours a day? Of course not. Is it the same level of invasion? No.
An ODIT can do more. It can record live audio. It can track locations. It collects device identifiers. It tracks Internet searches. It follows application use.
Should a PIA have been required? Of course. Even that, as Professor Deibert says, is not enough when we're talking about the enormity of the invasion.