This is the million-euro question. Let me say first that there is no regulated process that expresses [Inaudible--Editor] in the GDPR. We should build on the basis of the criteria. First of all, existing adequacy decisions will remain in force up until the moment they are updated or repealed. There is a line of continuity.
Second, we have a lot of clarification in the GDPR as compared to existing direct.... For instance, the commission will now be able to adopt those adequacy decisions also for the law enforcement sector. It's much more clear that the new GDPR will allow for an adequacy determination to be made with respect to a particular territory of a third country, or even to a specific sector or industry—so partial adequacy findings.
Although the GDPR provides for a rebus sic stantibus approach, a periodic review of every adequacy finding, including existing decisions by the European Commission at least every four years, we're not in a hurry to put Canada on top of our decisions. You should now verify on the basis of the new, extensive list of criteria now listed in the GDPR for the assessment of that adequacy, what is needed.
My first recommendation before entering into details is to realize that chapter 5 of the GDPR is much less relevant compared to today. Today we apply the European Union legislation on data protection, mainly the two directives, to companies established in one of the European Union countries. Therefore you have to discuss to what extent a controller is established here.
As of May 25 of next year, the principle will be different. It will no longer be a mix of territoriality and establishment, but a system where we pay attention to the place where the services are delivered. The entire set of provisions in the GDPR will be fully applicable, including but not only, those on transfers to controllers offering goods and services into the EU remotely, or profiling people at a distance.
It means that if, for a company, there is a perspective to have a continuous processing of personal data, not only in a one-way direction to Canada, attention is to be paid to the full set of provisions, not only to chapter 5. Assuming that we are only considering a minor dimension, which is the one of transfer, we have to pay attention to a second important approach. The GDPR was drafted and prepared for final adoption before the Schrems case, which relates to October 6, 2015, when it was too late to change the wording.
Adequacy now is a little different. We started in the seventies with the requirements of essential equivalence. If we look to the convention 108, adopted in 1981, the system in another country should be equivalent. The directive adopted in the EU in 1995, so 14 years later, has been focusing on something lighter, what is simply adequate. Then we have criteria to verify when a country or a system or a territory is offering an adequate level of protection.
Now, because of the new legal status of the Charter of Fundamental Rights and because of the Lisbon treaty, which is de facto the European Constitution, the European Court of Justice has said that these criteria are to be read jointly, with the condition expressed by the same court in the Schrems case.
They read what is adequate as now being essentially the equivalent.