UK privacy protections were criticized by an activist who told the European Union that the British shouldn’t be trusted to protect user data after Brexit.

The personal data of EU citizens “do not at present have an adequate level of protection in the UK,” Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, wrote in a letter to the European Commission on Monday.The UK “lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights,” added Ryan.

Without a so-called adequacy decision from the EU by the end of the year, companies would be thrown into legal limbo and no longer be able to transfer data safely across the English Channel. At the risk of hefty fines under the EU’s strict data protection rules, UK companies that rely on data flows to and from the bloc would have to quickly find alternatives, involving more paperwork.

An EU adequacy decision would be a green light for such transfers without restrictions. To get there, the UK will have to meet a number of strict conditions. One of them is “the existence and effective functioning of one or more independent supervisory authorities,” according to the EU’s General Data Protection Regulation, or GDPR.

The Information Commissioner’s Office, or ICO, said it’s “already equipped for its new role as UK data-protection supervisory authority both during transition and beyond” and is “supporting businesses in the run-up to the transition period with guidance and advice.”

The UK’s Department for Digital, Culture, Media and Sport said in an emailed statement that it’s “committed to high data protection standards and the UK is a global leader in protecting people’s personal data.”

The ICO “already meets the EU’s criteria of an effective and independent data supervisory authority and is capable of fulfilling this role through the transition period and after it ends,” the DCMS said.

The Brussels-based commission declined to immediately comment beyond pointing out that adequacy talks with the UK are ongoing. It said the goal is to adopt a decision “by the end of 2020, if the applicable conditions are met.”

Ryan was until earlier this year chief policy officer at Brave Software Inc., which makes an ad-blocking browser. In 2018, he complained to the ICO about how search-engine companies and data brokers collected and processed masses of people’s most personal data for advertising purposes, calling it the largest data breach of all time.

The Irish data watchdog, partly based on a complaint by Ryan, opened a probe into Google’s data processing. The ICO published a report saying the advertising industry is underestimating the risks of real-time bidding.

Ryan also helped Brave file a complaint with the EU in April that member nations don’t comply with GDPR and leave their privacy watchdogs starved of resources.