I am grateful to all noble Lords for their consideration of this instrument and their thoughtful contributions to this debate. The noble Lord, Lord McNally, pointed out the level of expertise around our virtual and physical Chamber. That is no novelty in this House, although having such a number of previous Ministers from DCMS here today feels like a particular form of pressure.
My noble friend Lady Neville-Rolfe and the noble Lord, Lord McNally, focused on the importance of achieving a data adequacy agreement with the EU.
Doing this remains a priority of this Government. We are working constructively with the Commission to secure data adequacy by the end of the transition period and are making steady progress. We see no reason why we should not be awarded adequacy since we remain committed to high standards, but the process is controlled by the Commission and we are realistic about the increasingly challenging timelines for completing this.
To respond to my noble friend Lady Neville-Rolfe’s questions about preparation, the UK is taking sensible steps to prepare for a situation where adequacy decisions are not in place by the end of the transition period. In such a scenario, businesses and other organisations would be able to use alternative legal mechanisms to continue to transfer personal data—of course, standard contractual clauses are the most common legal safeguard and would be the relevant mitigation for most organisations.
Guidance can be found on both the GOV.UK website and the Information Commissioner’s website regarding steps that organisations may be required to take relating to data protection and data flows by the end of the transition period. Organisations can also call the Information Commissioner’s helpline for further information.
The noble Lords, Lord McNally and Lord Stevenson, talked about the rollover of Japan’s adequacy decision. Specific UK arrangements have now been confirmed regarding the recent EU adequacy decision for Japan. This secures the necessary protections for UK data as well as EU data, so that data that flows from the UK to Japan will continue to receive the same level of protection after the transition period as they currently do.
More broadly, in relation to the Japan free trade agreement—which was raised, again, by the noble Lords, Lord McNally and Lord Stevenson, as well as the noble Lord, Lord Wallace of Saltaire—the UK-Japan FTA includes three provisions that seek to enhance cross-border data transfer relating to personal information protection, cross-border flows and data localisation. The data provisions the UK has negotiated with Japan exceed those agreed previously in the EU-Japan economic partnership agreement, which contains merely a review clause, and will enter into force on 1 January 2021. The agreement recognises the importance of protecting personal data and commits both parties to maintaining a legal framework that provides for the protection of personal information.
I fear that I may disappoint the noble Baroness, Lady Fox, in her wish to see an end to the GDPR. The GDPR will be retained in domestic law at the end of the transition period, but we will have the independence to keep the framework under review. As with all policy areas, the UK will control our own laws and regulations in line with our interests as we move forward.
The noble Lord, Lord Wallace of Saltaire, questioned the impact on our data protection standards in relation to our trading relationship with the US. We know that, far from being a barrier to innovative trade, certainty and high data protection standards allow businesses and consumers to thrive. As all noble Lords
have remarked, data is now the driving force of the world’s modern economies and fuels innovation across all sectors.
I thank my noble friend Lord Vaizey for his kind remarks about our new National Data Strategy. Sadly, I missed his maiden speech, so I am glad to have had the chance of a second session. The National Data Strategy is ambitious and pro-growth. We seek to ensure that people, businesses and organisations trust the data ecosystem, that they are sufficiently skilled to operate within it, and that they have access to high-quality data, as well as to provide the coherence and impetus for data-led work across government.
A number of noble Lords, including my noble friend Lady Neville-Rolfe and the noble Lord, Lord Stevenson, referred to the Schrems II decision. The UK Government are pleased that standard contractual clauses remain in place as an important mechanism for transferring data internationally, but we are disappointed that the EU’s adequacy decision on the US Privacy Shield has been invalidated by the CJEU in its judgment of 16 July. The Government are working with the Information Commissioner to address the impacts of the judgment on UK data controllers.
During the transition period, this includes the ICO supplementing the guidance provided by the European Data Protection Board and the European Commission with targeted advice to help UK controllers. Most recently, and since the Explanatory Memorandum was prepared, the European Data Protection Board has issued guidance on how to assess whether to supplement standard contractual clauses with examples of supplementary measures that could be used, if needed, to ensure that personal data remains protected to the required standard. It has also updated the templates for the standard contractual clauses. These were published for consultation on 12 November and have been updated to cover processor-to-processor and sub-processor transfers. The noble Lord, Lord Vaizey, commented on the boredom of data—maybe this is a small example.
In response to the remarks of the noble Lord, Lord Stevenson, the greatest impact will be on organisations which transfer data to the US, particularly to those US companies who had previously signed the privacy shield. After the transition period, the Secretary of State and the Information Commissioner will have powers to issue new instruments relating to transfers of personal data under Article 46 of the UK GDPR.
My noble friend Lady Neville-Rolfe asked about the burden on SMEs of having no adequacy agreement. Officials in DCMS, who were rightly congratulated on their work in this area, are engaging with SMEs through meetings and webinars to try to help them prepare for a scenario where adequacy decisions are not in place by the end of the transition period. In such a scenario, as noted already, organisations would be able to use alternative legal mechanisms to continue receiving personal data from the EU and the EEA.
The noble Baroness, Lady Fox, asked about the impact on law enforcement of not receiving adequacy. In this scenario, if we do not obtain a law enforcement adequacy decision, competent authorities would be able to rely on alternative mechanisms to continue receiving data from the EU, and transfers will most likely occur using the appropriate safeguards provision.
The noble Lord, Lord McNally, asked how we would continue to influence the development of international data standards. Since the UK is a signatory to the Council of Europe’s Convention 108, that is one route; the ICO also has functions to co-operate with data protection regulators in other countries.
I see that I have run out of time, so I apologise to those noble Lords whose questions I did not cover, but I will write. I thank all noble Lords again for their remarks.