Apple employs an end-to-end encryption software for its customers called “Advanced Data Protection” (“ADP”), this required enrolment and was used by an unknown number of users. ADP means that user data is encrypted when sent by a user, and is only decrypted upon receipt, with even Apple not having access to the unencrypted ‘raw’ data. ADP is an extra layer of protection over Apple’s usual standard of protection for user data (which is accessible by Apple and disclosable to law enforcement upon request with a valid warrant).
Apple has previously resisted requests from the US government for access to ADP data, with the argument that once any third party is able to have “backdoor” access, threat actors and cybercriminals will closely follow. Apple has maintained its commitments to privacy and has even resisted court orders to unlock phones in controversial circumstances such as mass shootings in the US.
In February, the UK Home Office allegedly served Apple with a demand for access to encrypted data stored on its cloud services by Apple users worldwide. This demand was made under the UK Investigatory Powers Act 2016 (the “IPA”). The Home Office has not officially confirmed the issuance of the IPA notice and Apple has not formally responded to it, but it is believed the notice was served to access the user data only in the event of UK national security concerns.
Apple had previously contested proposed changes of the IPA in 2024 under the Investigatory Powers (Amendment) Act (which has now become law). The changes mean that certain services (e.g. network providers) may be required to notify the UK government before making changes to their security measures.
From 21 February, Apple prevented new UK users from taking advantage of its ADP service, with attempts to do so resulting in a message stating “Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users”. Existing users will have their access suspended at an unknown future date.
Whilst this arguably circumnavigates some of the notice, by allowing Apple’s UK user data to be accessible to law enforcement via warrant, the government could pursue Apple as IPA notices apply worldwide. Apple has now appealed the demand under the IPA, which will be assessed by the Investigatory Powers Tribunal in the next few weeks (although the hearing may not be made public). However, even an appeal cannot delay implementing the notice and failure to comply is a criminal offence.
This matter has wider implications regarding freedom of speech, an individual’s right to privacy, and law enforcement. It is also significant considering the adequacy decision (which ensures the free flow of information between the UK and EU) made by the EU about the UK is due for renewal later this year. The EU previously warned against divergence from EU data protection standards and the attempted infringement of Apple’s end-to-end encryption and the use of the IPA may be seen as just that.
For more information, please contact our privacy & data team.
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up
