That's right, and that's what he goes on to say in his submission:
the CPPA includes a number of mechanisms for the [Office of the Privacy Commissioner] to assist organizations in meeting their obligations, including providing guidance on privacy management programs, developing guidance materials, and reviewing and approving codes of practice.
I'm not interested that much in what are generally accepted best practices by industry associations. I'm more interested in the power of the guidance of the Privacy Commissioner. I'm reluctant to support a provision that allows anonymization to be watered down to “almost impossible but maybe possible” because the language is given there to allow outside industry associations to set the standard and not the Privacy Commissioner. Wouldn't you agree that the Privacy Commissioner is the appropriate office to set these standards, not private sector organizations?