The UK could agree a data adequacy deal with the US in a matter of weeks following talks between digital secretary Michelle Donelan and US secretary of commerce Gina Raimondo. The deal would allow data to flow freely across the Atlantic, but while this could boost businesses it may also raise privacy concerns.

Michelle Donelan held talks with US counterpart Gina Raimondo on Friday (Photo by Ian Forsyth/Getty Images)

Donelan and Raimondo met for talks on Friday as part of the US politician’s visit to London, and discussed a “range of digital issues”, according to the Department of Culture, Media and Sport (DCMS). At the meeting the two governments committed to a new official annual dialogue, building on a tech co-operation agreement signed last last year.

Work towards a UK-US data adequacy agreement

Data adequacy agreements allow personal data to be transferred freely between different countries. The UK agreed one with the European Union last year, and more recently signed a similar agreement with South Korea, though this just replicates measures that was previously in place when the UK was a member of the EU.

A DCMS statement said Donelan and Raimondo discussed the UK’s adequacy assessment of the new US Data Privacy Framework, a framework agreed between the US and Europe for trans-Atlantic data transfers. US President Joe Biden signed an executive order on Friday which will see the new framework implemented.

Donelan and Raimondo “agreed to conclude the adequacy work in the weeks ahead,” the DCMS statement said.

“The United States shares our democratic values, digital priorities and commitment to high standards of data privacy,” Donelan said. “Data and tech are creating new opportunities for growth and connection between our two countries, including between our world-leading tech industries.

“I look forward to working together to bring these benefits to people on both sides of the Atlantic.”

Raimondo added: “Today’s announcement affirms our shared commitment to promoting responsible innovation and digital policies, while also supporting growth and opportunity.

“This partnership reflects our deepening cooperation on bilateral data and tech issues, as well as our commitment to closer engagement and global leadership as these issues continue to evolve. I look forward to working closely with Secretary Donelan as we continue looking for ways to balance the needs of privacy and responsible data use while removing barriers for critical business needs.”

Trade organisation techUK, which represents tech vendors, welcomed the potential agreement. Its CEO Julian David said: “An agreement will provide business with the legal certainty and confidence needed to access new markets and create opportunities for innovation. This will enable the UK to leverage its world-leading industries such as financial services and tech to drive wider economic growth on all sides of the Atlantic.”

UK-US data adequacy: privacy concerns?

The Data Privacy Framework has been agreed after two previous data sharing agreements between the US and Europe were invalidated after being challenged in court by privacy campaigners.

These challenges succeeded because the level of protection afforded to data in the US was found to be lower than that specified under GDPR, Europe’s data protection regulations. US government agencies are able to requisition data from the servers of private companies as part of their investigations, something which the European court found was detrimental to the rights of European citizens.

A data adequacy agreement between the UK and US could leave the data of British citizens data similarly exposed, though DCMS says “robust protections will be in place for UK data under a potential agreement.”

Since the second court ruling, which came in the Schrems II case brought by campaigner Max Schrems in 2020, transatlantic data transfers have continued using standard contractual clauses (SCCs), a legal mechanism that wasn’t invalidated by the judgement. These apply more stringent controls on how information is processed, and were updated by the EU and the UK last year. Though widely used for almost two years, the legitimacy of SCCs has yet to be tested in court.

Schrems has already voiced his criticism of the Data Privacy Framework, saying it does not address the problems of the previous agreements, and could challenge it in court.

The new adequacy agreement would be part of a wider shake-up of the UK data regime, with the government looking to move away from GDPR and set up a more flexible set of laws. However, work on the UK GDPR replacement, the Data Protection Bill, was paused after Liz Truss took office, with Donelan hinting in a speech last week that the proposed legislation could be altered.

Read more: UK government sets out AI regulation plans