Apple’s UK withdrawal of technology providing end to end encryption for backed up data has put UK government powers and reach with respect to data under the spotlight.
On 7 February 2025, the UK government reportedly took steps to issue a “Technical Capability Notice” (TCN) to Apple Inc. under the amended Investigatory Powers Act 2016 (IPA) regarding Apple’s Advanced Data Protection (ADP) encryption system. In response, Apple has indicated that the system will no longer be available to new UK customers.
ADP is a technology which encrypts backed up information held in the cloud in ways which mean that even Apple itself cannot access the information. Although real-time messaging services will still be encrypted, the change is important as backups provide a route for intelligence services and law enforcement authorities to access information, generally by issuing a warrant to the controlling company.
The change has caused consternation in the technological world, and attention has turned on the UK government and its new powers under the IPA in relation to privacy.
Investigatory Powers (Amendment) Act
Founded in the 2023 Anderson report, and originating in the House of Lords, the Investigatory Powers (Amendment) Act 2024 extends government powers to request data under the IPA in various ways. It expands the definition of a “telecommunications operator” which is required to pass on information to cover non-UK systems being used to provide UK services, so putting many more technology companies within scope. It requires telecoms and postal operators to pre-notify technological changes such as end to end encryption which might affect the operator’s ability to assist the government, and limits an operator’s ability to implement technology changes already underway if they are the subject of a notice. The Amendment Act also allows UK intelligence services to scrape personal data from the internet where there is “no or low expectation of privacy”, including for use in algorithmic training, and widens government access to internet connection records.
Early concerns from the UK tech industry
In December 2023, UK industry body Tech UK wrote to the Home Office to express concern about the proposed amendments to the IPA. It said the new law would exacerbate conflicts of law, hinder technological advancements and impact UK overseas investment. It was worried about the law’s new extra-territorial effect, and also about a new power to issue notices preventing technology companies from making updates which might hinder information-sharing with intelligence agencies. It foresaw that this could constitute a power to veto changes indefinitely, impacting encryption and other privacy measures.
It was also concerned about how the change would make technology companies organs of the state. It said: “Instead of focusing on improving user privacy and security, firms’ attention would have to be diverted towards fulfilling the surveillance needs of the government”.
Putting these concerns aside, the Investigatory Powers (Amendment) Act was passed in April 2024 just after calling the snap general election. While almost the whole of the ongoing legislative agenda was dropped, a few bills including the Amendment Act slipped under the wire, and passed without debate or public fanfare.
Why is the law needed?
The law has been changed for good reason. A couple of obvious ones: First, protecting the vulnerable by disrupting the creation and sharing of content which exploits children and others is important work, and government needs real powers to disrupt the flow of information (even if much of the traffic is beyond traditional digital channels). Second, the development of AI models is something which governments need to do alongside the private sector, and the new powers aim to ensure that intelligence services do not fall behind due to the demands of data protection law.
Should we be worried?
However, there are several reasons to pause for thought. First, the amended IPA 2016 is the type of legislation which requires extremely robust institutions in order to be exercised fairly. It is overseen by the judiciary, and arguments continue about whether this oversight is sufficient, and sufficiently open. The debate feels more urgent in light of recent developments in the US, where judges are an important check to unregulated access to data by bodies such as the Department of Government Efficiency (DOGE). The UK is already in danger of losing international credibility through government overreach under the IPA, and although for the moment it may justifiably invoke judicial independence in the UK as a sufficient safety net, this argument might not hold up in other countries, or under future governments.
Second, it may cause disruption to international data sharing arrangements. A TCN may potentially cover “any information”, not just any relating to the UK. Some governments may wish to reconsider current channels for sharing law enforcement and intelligence data with the UK, such as the adequacy decision between the UK and the EU under the Law Enforcement Directive. Other administrations may be inspired to create their own TCN mechanisms. This is ultimately a threat to commercial data sharing channels by branding former data safe harbours like the UK as an unsafe destination for data. The development is unfortunately timed in light of the European Commission’s deliberations over whether to renew its adequacy decision on 27 June this year to allow the continued free flow of personal data from the EU to the UK.
Third, is the question of trust. The UK government wants to instil confidence in citizens to encourage sensible use of health, financial and transport data, and responsible adoption of technologies such as AI. Perceived failure to be open about changing the law is a short-term tactic with long-term costs in the risk to public trust as well as corporate confidence.
Implications for companies
Direct and immediate implications for UK companies may be limited, if TCNs are directed towards big tech outside the UK. But as Tech UK foresaw, the indirect impact may be seen in problems over data transfers, a chilling effect on overseas investment in the UK, making the legal landscape trickier to navigate, new pressures over encryption standards and backdoors in contract terms, and stifling innovation in UK encryption technologies. If encryption standards in the UK fail to keep up with international norms, controllers may find it impossible to meet the requirement for appropriate state of the art encryption in Article 32 of the UK GDPR.
The UK is also likely to see more disputes over government access to data, largely held (as ever) behind closed doors.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.