Post-Brexit data transfers from the EU to the U.K. are safe—for now

June 28, 2021, 1:35 PM UTC

The European Commission has officially green-lit frictionless transfers of personal data from the European Union to the U.K., thus ending fears over a particularly disruptive effect of Brexit—for now.

This is great news for companies on both sides of Brexit’s still-new divide, as it wards off the prospect of yet more red tape, which experts said could have meant as much as $2.2 billion in compliance costs for British businesses. But it’s a controversial decision, and one that may end up challenged in the courts, thanks to the U.K.’s surveillance practices.

Under EU data-protection law, personal data—that is, any piece of data that can be connected with an identifiable person—can travel freely within the EU. However, it isn’t supposed to go to an outside country unless the Commission has awarded that country a so-called adequacy agreement, or the company exporting the data is using complex contractual mechanisms to do so.

An adequacy decision essentially means the country in question has laws that “adequately” protect EU citizens’ fundamental data-protection and privacy rights when their data ends up there. The European Commission has previously adopted such decisions for the likes of Israel, Japan, Argentina, Canada, New Zealand, Switzerland, and Uruguay.

On Monday, it added the U.K. to the list, on the basis that the U.K. hasn’t changed its data-protection laws since it left the EU, so its privacy regime remains completely aligned with the EU’s tough General Data Protection Regulation (GDPR).

‘The power of data’

“The U.K. has left the EU, but today its legal regime of protecting personal data is as it was,” said Věra Jourová, the European Commission’s vice president for values and transparency, in a statement. “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the U.K.,” added Justice Commissioner Didier Reynders. “This is an essential component of our new relationship with the U.K.”

The British government welcomed the news, while noting that the U.K. “now operates a fully independent data policy.”

“After more than a year of constructive talks it is right the European Union has formally recognized the U.K.’s high data-protection standards,” said Oliver Dowden, the government’s digital chief, in another statement. “We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy.”

However, two big questions remain.

First, what will happen when the U.K. changes its data-protection laws at some point, as Prime Minister Boris Johnson has promised to do? And second, what about the U.K.’s surveillance practices, which privacy advocates—including some EU data-protection regulators—have been warning about for years?

On the first point, the European Commission insists it has baked safeguards into its adequacy decision, for example by time-limiting it to four years—an unprecedented move.

The Commission’s decision also excludes personal data transferred to the U.K. for the purposes of immigration control, because—as British courts ruled earlier this month—the country’s data-protection law illegally lets authorities deny people access to their own personal immigration records, and it therefore needs to be amended.

“We are talking here about a fundamental right of EU citizens that we have a duty to protect,” said Jourová. “This is why we have significant safeguards, and if anything changes on the U.K. side, we will intervene.”

The second point, about British surveillance, is more complicated.

Inside to outside

In a notorious quirk of the EU data-protection system, the union can wag its finger at outside countries over their surveillance practices, but it can’t do the same for its own members, because national security remains a national matter, outside the scope of the EU’s internal rulebook.

That’s why transfers of personal data to the surveillance-happy U.S. have proved so politically and legally explosive in recent years, even though European intelligence agencies also engage in invasive practices, including the sharing of surveillance data with the U.S. National Security Agency (NSA).

The U.K., of course, just went from being inside the club to being an outsider, so the European Parliament passed a resolution last month warning that the Commission’s draft adequacy decision turned a blind eye to British intelligence’s data-sharing with the Americans. Parliament also said the U.K. didn’t have watertight legal safeguards against mass-surveillance abuses, with limitations being “left to executive discretion subject to ‘respectful’ judicial control” rather than being set out in law.

In a legal analysis of the Commission’s final draft decision, privacy professors Ian Brown and Douwe Korff wrote earlier this month that the EU executive had made “no attempt at critical analysis” of the U.K. government’s claims about its own surveillance safeguards.

Brown and Korff also warned that the Commission hadn’t taken into account the strict case law of the Court of Justice of the EU (CJEU), which famously struck down two data-sharing agreements between the EU and U.S.—which were essentially pseudo-adequacy agreements, to paper over the U.S.’s lack of federal data-protection safeguards—over American surveillance practices.

Those CJEU rulings established that the EU’s privacy watchdogs can investigate and block data transfers to an outside country if they threaten Europeans’ fundamental rights—regardless of the adequacy decisions the Commission has taken.

So, even though Monday’s decisions give EU and British businesses some breathing space, they may not be the end of the matter.
