The structure of the adjudication of issues, where they start and how they get appealed, is a very important question. We have to recognize that, with the importance of privacy and the amount at stake for the public and organizations, getting it right is really important.
The powers of the Privacy Commissioner are very broad. There's really only anorexic protection procedurally, yet the Privacy Commissioner makes the determination as to whether there's a breach and can make a recommendation as to whether there are penalties.
The appeal goes to the tribunal, but the tribunal only has the power to order a reversal if it's an error of law. It has no power to do anything if it's a mixed question of fact and law or a question of fact. When you look at the way the CPPA operates, there are going to be huge numbers, almost invariably a huge number of questions of fact and law. This means that, effectively, there are almost no procedural protections before the Privacy Commissioner, and any decisions are virtually unappealable. Also, the constitution of a tribunal doesn't require a judge, which is required in other contexts. I do think there needs to be procedural protection in front of the Privacy Commissioner.
As for the appeal, you heard Ms. Denham talk about at least a reasonableness standard. That doesn't even exist before the tribunal. That would only exist on a further judicial review, but it's almost impossible to get there.
I do think the structure really needs to be changed to provide at least a modicum of procedural protection.