The Information Commissioner’s Office (ICO) will be consulting in the summer on UK Standard Contractual Clauses (SCCs) for international data transfers. It is not expected that these will be identical to the revised European SCCs, the final approved form of which is currently awaited. Given the position on the proposed European Commission adequacy decision in relation to the UK, it is unlikely that the UK version will be any less onerous to implement. It also means that contractual arrangements will remain in a state of flux for some time to come.

Bavaria’s Supervisory Authority, BayLDA, applying the Schrems II decision, concluded that the email marketing service Mailchimp, which involved the transfer of email addresses by FOGS Magazin to the US, relying on the SCCs, was unlawful. BayLDA considered that Mailchimp could qualify as an ‘electronic communication service provider’ under US surveillance law, and consequently additional measures were required to ensure that the data transferred were protected from US surveillance.

A European Parliamentary Research Service report on EU-UK private-sector data flows after Brexit analyses the proposed European Commission adequacy decisions under the GDPR and the Law Enforcement Directive, in particular criticisms which have been levelled at UK surveillance, the immigration exemption and the Digital Economy Act 2017, levels of enforcement by the UK Information Commissioner’s Office, onward transfer of data; and the UK’s level of commitment to EU data protection standards. A link can be found on and other data protection resources on

See further below under Cyber security.

‹ Back to Publications