Skip to content

UK government demands access to Apple users’ encrypted data

Resources / Blog / UK government demands access to Apple users’ encrypted data
Summary

In January 2025, security officials in the United Kingdom’s government issued an order to Apple demanding that they create a “backdoor” to allow access into their encrypted cloud service. The order was a “technical capability notice” under the Investigatory Powers Act (IPA).

However, Apple has a longstanding stance on protecting user privacy as one of its core values, and the company has refused similar requests in the past, calling privacy a “fundamental human right”. 

For example, the company declined to unlock the iPhones of two individuals that committed a terrorist attack at Naval Air Station Pensacola in Florida in 2020. That request came from the US government and the FBI.

We look at what it would mean for Apple’s iCloud users if Apple were to grant the UK government access to encrypted data, potential issues that could arise with the European Union if it happened, and Apple’s response to the demand.

What specific access is the UK government demanding?

The UK government’s demands relate to Apple’s Advanced Data Protection (ADP) service, which Apple launched in 2022 and which provides robust end-to-end encryption to files and other personal data uploaded to and stored in Apple’s iCloud cloud servers.

The request was not limited or particularly targeted, however. It would provide the UK government with blanket access to the unencrypted files of any Apple iCloud user in the world, not just in the UK. 

At present, the ADP’s end-to-end encryption means that only the account holder can decrypt the files. No one else, including Apple, can do so.

What would it mean for Apple and its users if the UK government gained access to their encrypted data?

The UK getting unlimited access to worldwide iCloud users’ files and data could potentially be a violation of individuals’ data privacy in countries with other data privacy laws, like EU Member States. 

Based on the request and technological issues, there would be little way to guarantee that the UK government only accessed the files of British users, and an argument could be made that the move would violate UK residents’ privacy rights under laws like the UK GDPR. 

Acquiescing to the UK government’s demands could also be a blow to Apple’s reputation and Apple users’ trust in the company given its traditionally strong stance on privacy protection, in addition the sheer number of users and amount of data potentially affected.

What arrangements do the UK and EU currently have for data transfers?

The UK and EU have an agreement that allows for the free flow of personal data between the two regions, so both sides have determined adequacy, meaning that both provide appropriate safeguards to personal data in transit and at rest. 

This agreement comes up for review in 2025, and this issue may result in the consideration of restrictions on data flow between the UK and EU.

What has Apple’s response been to the IPA and the UK government’s demands?

Initially Apple declined to comment on the demand. However, the company did flag concerns about the IPA in a submission to the UK Parliament in 2024. Apple noted then that the IPA enabled the UK government to impose demands on companies and users outside of the UK. 

Per an Apple spokesperson in March 2024, “There is no reason why the UK [government] should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption.”

The IPA also bars companies from revealing if they have received a technical capability notice from the UK government. The UK government also won’t confirm or deny the existence of these notices.

Encryption and access have long been contentious issues between large tech platforms that collect, manage, and store user data and those that want access to it for a variety of purposes. The UK Home Office has clashed with Meta — parent company of Facebook, Instagram, and WhatsApp — before as well. 

Multiple governments have previously invoked dangerous criminals, child abusers, and hampered investigations when stonewalled on access to devices or personal data. Apple has argued that excessive government access would threaten individuals’ privacy and security around the world.

A UK government spokesperson noted when Apple’s ADP was released, “End-to-end encryption cannot be allowed to hamper efforts to catch perpetrators of the most serious crimes.”

Consumers around the world have become increasingly concerned about and invested in how their data is handled by the companies that they rely on for work, entertainment, purchases, social connections, and more. These concerns commonly include what third parties get access to that data, whether they are other commercial enterprises or governments.

What Apple is doing instead of giving in to the UK government’s demands

When the IPA came into effect, Apple noted that it may be forced to withdraw security features for UK users, which was likely to result in UK users losing access to features like iMessage and FaceTime.

That is more or less what Apple has decided to do in this case as well, rather than acquiesce to the demands to create a backdoor into the encrypted iCloud service.

The company has stopped offering end-to-end ADP-encrypted iCloud storage to new UK users. Existing users will have to disable the feature in the future. Because of the way ADP works, Apple can’t automatically disable it on existing iCloud accounts.

Apple spokesperson Julien Trosdorf stated, “We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.”

The removal of ADP means that Apple, law enforcement, and other entities will now be able to access British users’ files and data, including photos, voice memos, notes, and iCloud file backups. Law enforcement representatives, however, would still need a warrant to do so.

There are some types of data stored in iCloud that by default will continue to be encrypted end to end. These include passwords, payment information, health information, and logs from iMessage. ADP is also still available for Apple iCloud users outside of the UK.

Apple’s Trosdorf also noted, “Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.”

Users of Google’s Android operating system and Meta’s WhatsApp are still able to encrypt backups for the time being, including users in the UK.

Ruling against UK government’s request for closed hearings

On April 7, 2025, a judge ruled against the UK Home Office, which had requested a closed hearing over the UK government’s demands to access information secured by Apple’s ADP.

Siding with civil liberties groups and news organizations that consider the case a matter of major public interest, the judge ruled that the legal proceedings cannot be held in secret.

Trust is critical for companies to grow

Like so many other companies, especially digital ones, Apple needs to meet a lot of demands in order to build and retain customer trust. When these demands are at odds with each other — like government access to users’ files and the company’s policies on data privacy — it can be a big challenge. 

To date, Apple has taken a strong stand in promoting data privacy. As pressures mount from consumers, governments, and other invested parties, maintaining that stance and meeting legal requirements while keeping customers happy will likely require ever-more sophisticated technology and strategy.

Usercentrics enables you to provide users with transparent, legally required information about your data processing operations, and enables them to make informed consent decisions. Demonstrate your respect for data privacy, meet regulatory requirements, build trust with your customers, and get the data you need to grow your business.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH