The UK’s departure from the European Union marked more than economic and political rupture – it triggered a visible and enduring recalibration of security cooperation frameworks, data governance and sharing policies, and cross-border law enforcement. The transition from seamless integration within EU policing structures to a status of conditional cooperation that sees the UK labelled as a ‘third country’, has generated concerns over the implications of fragmented law enforcement on both domestic and international security. This article examines how increasingly diverging legal standards within law enforcement cooperation – particularly in intelligence sharing, data protection, and digital surveillance – are testing the limits of post-Brexit security collaboration, and what is truly at stake for the future of UK-EU relations under the Trade and Cooperation Agreement.

Throughout the years, cooperation between EU member states’ law enforcement agencies has grown exponentially, creating a net of intertwined processes aimed at facilitating and optimizing cross-border information exchange, judicial cooperation, evidence collection and common efforts on tackling severe crimes in the Schengen region. Following the 2016 ‘Brexit’ referendum which led to the formal withdrawal of the United Kingdom from the European Union in 2020, major tensions rose around the inevitable loss of vital structures in the UK and its implication for security across domestic police forces and across the EU. Before detailing the ways in which UK-EU law and order frameworks have been modified, it is vital to trace a brief history on the development of European police cooperation in order to better grasp the extent of the loss in the post-Brexit panorama.

From the 1990s to the late 2000s, the structure of networks that build EU criminal justice cooperation began to form relatively quickly following growing social and economic integration between member states. For instance, the implementation of the Schengen Information System (SIS) [facilitates information exchange between EU law enforcement agencies] in 1995 was quickly followed by the introduction of the European Union Agency for Law Enforcement Cooperation (known as ‘Europol’) in 1998. Europol represents today a fundamental agency in the fight against serious crime and is operative in areas such as drug dealing, terrorism and human trafficking, supporting thousands of investigations per year. The years 2002 and 2008 instead see the introduction of intelligence based tools that seek to simplify extradition processes and evidence sharing, founded on the guiding principle of ‘mutual recognition’ which establishes the validity of a policing decision across the entire Union. These tools include the widely used European Arrest Warrant (EAW) and the Prum network for DNA and fingerprinting exchange. 

In tandem with these systems the EU also introduces Europol’s sister agency, Eurojust, which regulates judicial cooperation among magistrates and prosecutors in the EU. Between 2012 and 2018 the EU consolidated its framework by implementing the updated second-generation version of the 1995 SIS system (SIS II), founding the European Agency for Law Enforcement Training (CEPOL) and strengthening cooperation through the set-up of the European Criminal Records Information System (ECRIS, introduced 2012) and the Passenger Name Records Directive (PNR, introduced in 2016).

As discussed above, EU cooperation on matters of criminal justice is intricate and extensive. Prior to Brexit, the UK enjoyed access to all the systems mentioned above, benefiting greatly from real time data provided by the SIS II and the European Criminal Records System. Historically, the UK had been the most active member in criminal justice matters, showing consistent involvement in law enforcement administration and its operations (up to 40% of Europol’s data trafficking pre-Brexit was British, Europol’s director from 2009 to 2023 – Rob Wainwright – was also British). Following its exit from the EU, the UK’s capacity for intelligence-led policing (considered to be the main strength of British policing) diminished incredibly as its membership to Europol was extensively limited and access to SIS II revoked. Vital to the UK’s political agenda at the time of the referendum was the negotiation of a strong deal with the EU in matters of strategic cooperation and the fight against crime.

In December 2020, the EU signed with the UK the Trade and Cooperation Agreement (TCA), entered in force officially in May 2021. The agreement provided the first clear understanding on the direction that UK-EU affairs would follow. The TCA works with levels of approximation and ambition, meaning that it focuses on approximating the UK’s position with that of a member state and bears varied levels of priority action for certain areas within the field of criminal law and security. At a practical level, the TCA has necessitated an operational shift in how UK law enforcement interacts with European partners.

Specifically, part III of the TCA detailed the cooperative framework on criminal justice matters regarding the detection, investigation, and prosecution of criminal offences. Negotiations allowed the UK continued access to the PNR and the Prum network, while revoking access to SIS II and ECRIS. Institutional relations were also altered, with the UK having no managerial nor decisional powers at Europol and its Eurojust officers being reduced to a temporary secondment status with no access to the case management system. The TCA also re-established the mutual recognition principle upon which, as previously discussed, most of the EU systems operate. Indeed, in the current post-Brexit environment the UK has lost complete access to the EAW, weighing down extradition processes (the EU has now the right to deny extradition involving its own citizens). This is further exacerbated by the loss of SIS II data, severely limiting the swift capacity to identify and arrest criminals who pose a threat to public safety and security. The UK now relies solely on systems such as the newly domestically designed I-LEAP and Interpol’s recognition software i24/7. The trouble with these systems is that they lack the completeness and the timeliness granted by SIS II. I-LEAP is still under construction and thus not fully operational, while Interpol’s i24/7 relies on the willingness of officials to upload information on the software, meaning that in consulting the i24/7 database the possibility of missing or partial information is an extremely tangible one.

Information exchange is possibly the most crucial asset in successful cross-border policing as it allows fast and up-to-date access to criminal intelligence data in order to deter, protect and investigate criminal activity transnationally. The considerable reduction of data exchange and the slowing down of intelligence-led processes post-Brexit, renders the UK vulnerable to external and internal threats and the proliferation of serious criminal networks. On this note, protocols on data sharing are still a source of great tension between EU and UK criminal justice cooperation. Despite the UK being considered a valued contributor to European intelligence-led policing even after Brexit, the Union remains hesitant towards British handling of sensitive data.

The TCA states that cooperation may be terminated if the UK is not compliant domestically with the rights and freedoms listed in the European Convention of Human Rights (ECHR) and if the UK shows deficiencies in the protection of sensitive data. Considering that the United Kingdom is – as of today – fully compliant with the ECHR (integrated domestically under the Human Rights Act 1998), the cooperative framework that keeps EU-UK relations close and in place, seems to be entirely contingent to EU evaluation of UK’s level of adequacy on data protection frameworks.

Particularly daunting is the approaching deadline for data adequacy decisions (June 2025) set by the Commission under a sunset clause present in the TCA. A ‘sunset clause’ is a legal provision that limits the duration of a law. In the Trade and Cooperation Agreement, the sunset clause is attached to the transfer of data from a EU/EAA country to a ‘third country’. The latter states that data exchange may happen only if the Commission finds that the non-EU/EAA country ensures an ‘essentially equivalent’ level of data protection to that of the EU. Adequacy decisions regarding the UK are set to expire on June 27, 2025 and unless the EU finds British policy on par, the TCA might find itself in concrete danger. Unfortunately, in recent months, there have been causes for doubt, with the United Kingdom introducing two Bills regulating data that have raised criticisms and concerns both inside and outside domestic soil.

In an effort to facilitate the flow and use of sensitive data for law enforcement personnel and national security purposes, the UK is currently following up on two Data (Use and Access) Bills previously introduced under Conservative government, which propose a restructured data regime aimed at reducing administrative burdens and enhancing flexibility. The DUAB will amend the UK’s implementation of the European Union Law Enforcement Directive (LED), which is transposed into UK law via the Data Protection Act (DPA) 2018. While government sources argue this will maintain high standards of protection and only simplify police data processing, critics say the proposals represent enough of a divergence from EU law that it will likely undermine the UK’s LED adequacy and thus endanger future EU-UK cooperation under the TCA.

In particular, the Bill brings significant changes to the legal framework around automated-decision making (ADM) impacting greatly the processing of data. The application of the Bill to policing would allow law enforcement agencies to use automated systems without any human oversight, routine transfer of data to offshore cloud providers, remove the need for police to log justifications when accessing data, and enable intelligence services to share data outside of the EU LED rules. These proposed changes, while framed as efficiency measures, mark a clear departure from the EU’s rights-based approach to data governance. The loosening of oversight requirements signals a shift toward a more permissive model of surveillance and data processing.

More broadly, the UK’s evolving approach raises concerns over regulatory independence and proportionality in data protection. One of the most contentious issues is the continued reliance on powers granted under the Investigatory Powers Act 2016 (IPA). The IPA grants UK intelligence sweeping surveillance capabilities, including bulk data collection, retention of communications metadata by service providers and hacking. The European Court of Justice has ruled similar practices in EU member states to be incompatible with fundamental rights under EU law, particularly the Charter of Fundamental Rights. As such, these reforms are increasingly viewed not as neutral regulatory updates but as a substantive shift away from the EU’s rights-based model of data protection. The regulatory divergence is further crystallised in the EU’s AI Act, a landmark framework that prohibits certain high-risk technologies outright and imposes rigorous controls on biometric surveillance. However, this divergence goes beyond principle, it introduces tangible barriers to cooperation.

Against this backdrop, the UK-EU Brexit Reset Summit, scheduled for May 2025, assumes critical importance. Coming just weeks before the Commission’s review of UK adequacy status, the summit presents an opportunity to reaffirm commitments to shared security objectives or risk an even more fragmented law enforcement landscape. There are indications that both sides may seek to explore new frameworks for defence and intelligence cooperation. However, the UK government remains committed to regulatory autonomy, particularly in digital innovation and artificial intelligence, while EU institutions show little appetite for compromising on data protection principles that underpin their entire legal order.

The stakes are tangible. Human trafficking networks, child exploitation rings and drug smuggling operations operate across borders with impunity. Disruptions in intelligence sharing and procedural cooperation make these networks harder to track, prosecute, and dismantle, representing critical blind spots in public safety infrastructure. The future of UK-EU security cooperation rests not just on treaties and technologies but on a shared commitment to core legal principles. As the UK redefines its post-Brexit identity, it must decide whether its pursuit of digital sovereignty is worth the cost of weakened security partnerships. The next 12 months may well determine whether the UK and EU can forge a new security compact or whether their paths will continue to diverge.