I would say a few things.
One of the most important elements of this statute that have been retained from its predecessor, PIPEDA, is that it remains a principles-based and risk-based statute, which means that it's intended to be technologically neutral and applicable in a vast array of situations. It is not granular insofar as to prescribe in every single instance what a company shall and shall not do. It's principles-based, which means that its interpretation is actually extraordinarily important and that it grows with time.
One of the challenges of taking a principles-based statute and applying a private right of action without a finding of fact first, without the body charged by Parliament with its interpretation finding a first instance of violation, is that you're actually allowing for a wide variety of readings as to what is at stake here.
I can imagine instances in which a private right of action is introduced, instances in which the legal test or the interpretation is extraordinarily rigid and is understood in every instance to say, well, it's just as easy for me to figure out whether or not there's been a violation here as it is for somebody else to do so, but that's not actually what's at question here. This is a principles-based and risk-based statute with respect to which extraordinary deference is given to the Privacy Commissioner in their first-instance findings of violations.
This is something that actually ties back into one of our concerns about the removal of the tribunal, and that is that the tribunal is actually not vested with relitigation of findings of fact. We didn't try to introduce a second body that gets to determine what is or is not a violation of our privacy laws. It gets to make a determination of the appropriateness of an administrative monetary penalty. Actually, one of the concerns we had or one of the considerations we had when creating the tribunal was actually introduced in this particular subamendment in a new way, by essentially giving another body—that is, the courts—the ability to make first-instance determinations that privacy has been violated.