I think both laws need to be changed: the public sector law and the private sector law.
Certainly, laws and regulations can never evolve as quickly as technology—which, as you say, is evolving extremely rapidly. We do, however, have a law for the public sector that dates back to the 1980s and a law for the private sector that dates back to the early 2000s. There is therefore no doubt that these laws were passed before this evolution took place. Both need to be amended in several ways.
I was referring to the criteria of necessity and proportionality, for example, which are not currently found in the Public Sector Privacy Act. That is a significant shortcoming, and the act must be modernized to address it. In addition, the government must be required to prepare privacy impact assessments and reports when there are privacy breaches.
A shortcoming is found in both acts: They do not grant my office the authority to issue orders and impose fines. That sets us apart from many comparable organizations internationally, and makes it more difficult for us to enlist the co-operation of institutions, since they are not exposed to that financial risk in the end.