This paper reconstructs how the UK data protection framework has evolved in the last four years, from the time of the Brexit referendum to the introduction of the TCA. It assesses to what extent the new UK data protection regime reflects the Brexit desiderata, and analyses the challenges of the future relationship between the UK and the EU in light of the solutions envisioned by the TCA. It argues that, even when an adequacy decision will be in place, the UK will neither achieve the desired level of regulatory emancipation advocated by the Brexit supporters nor will it offer a stable and reliable mechanism for data transfers. Indeed, the adequacy mechanism will subject the UK legal system to regular monitoring by the EU which will restrict the UK’s ability to freely develop its own data protection framework for fear of losing the EU adequacy status. Moreover, in light of the recent CJEU case law on data transfers and data retention, a UK adequacy decision will naturally be exposed to the risk of being invalidated due to the non-conformity of the UK national security regime with EU law.