The addition of compliance agreements is helpful, but it addresses a very specific scenario. What happens with a privacy complaint is that it goes to the commissioner, she does her report, and she issues a recommendation. It's a non-binding recommendation, so let's say the company agrees to comply. If it changes its mind a year later, you basically have to start from scratch and file another complaint. There is no mechanism to make that enforceable.
The compliance agreements help a lot in that context, but they don't help with one issue that we're concerned with, which is to put in place incentives for proactive compliance. For that to be in place, you need some type of potential damages to happen if you violate the principles of PIPEDA in a very clear and egregious way. We think that's needed for PIPEDA. Most other privacy and data protection commissioners around the world have those types of powers. We would like to see that in PIPEDA as well.
Thank you.