The GDPR provisions on transfer of data apply to all controls in the public and the private area without any distinction. We have different criteria now for the assessment. They basically allow for it to say that it should be a global evaluation and not purely a legal one.
The criteria are the following. First of all, there is the rule of law, so we have to look to relevant legislation in force, both general and sectorial, including—this is an important specific novelty—that concerning public security, defence, national security, and criminal law. This is why we now have the case on the Canadian PNR but also professional rules, security measures, which are complied with in a third country or by an international organization. We would like to see to what extent certain rights are effective and enforceable, so we look to effective administrative and judicial redress for data subjects.
A second element relates to the existence and effective actioning of at least one independent supervisory authority. How they advise and assist with regard to the data depends on the extent to which they may co-operate with supervisory authorities in other countries, but also on the international commitments they may have as an international organization.
The commission adopted a communications package on January 11 this year to focus, as a priority for the next two years and up, the mandate of the current commission. They have declared that we'll look first to start with a new dialogue where necessary. Then we'll look at the extent of the European Union's even potential commercial relationship with that country, including the existence of a free trade agreement or ongoing negotiations. Then we will look at the extent of personal data flows from the European Union.
There is the pioneering role. This is an essential role for South America, for instance, that the first country plays in the field of privacy data protection, so it is something that could serve as a model for other countries.
Finally, there is the overall political relationship with the third country in question.
We focus on data protection but not only. There is no procedure to apply for adequacy as I said, but I can describe in detail which best practices are observed in practice.