Certainly. There are sometimes discussions about that.
As for the cases you're referring to, sometimes a department tells us it's already doing what we recommend. In the case of the pandemic, we also carried out an assessment of proportionality and necessity, which is not mandatory under the Privacy Act, but which we feel should be. We put forward that analysis.
It's a dialogue. We are always given the reasons for refusal, and dialogue is established.
Some breaches are more serious than others. The really worrying situations are those where there has actually been a major breach or a major consequence, combined with a complete refusal to follow our recommendation. That can undermine trust.
I feel the power to issue orders is important. When an officer of Parliament makes a recommendation to an organization and the latter refuses to implement it, the situation is not satisfactory. I believe there must be sufficient justifications given. If we had the power to issue orders, this wouldn't be a problem. We'd issue them when necessary. With that said, in my opinion, they should only ever be used exceptionally.
The same applies to fines. In Bill C‑27, we would add the possibility of imposing significant financial penalties on organizations. I think this is very important, for the same reason again: to create incentives. The idea is not to use them often, but...