
Unsurprisingly, the news received global attention. In the days that followed, additional reports emerged revealing that the U.S. Department of Justice was aware of the U.K. demands, that Apple was withdrawing its Advanced Data Protection (ADP) feature (i.e., end-to-end encryption) for U.K. iCloud users, and that the company was contesting the order before the Investigatory Powers Tribunal (IPT).
This blog examines the impact of the order on the U.K.’s ability to maintain its EU data adequacy. Given that neither Apple nor the U.K. government has confirmed the existence or exact content of the order in question, and the latter continues to rely on its ‘Neither Confirm, Nor Deny’ (NCND) policy, the post is based on three assumptions:
- Apple has been served with a Technical Capability Notice (TCN) by the U.K. Home Office;
- The notice essentially requires Apple to take steps that would allow access to encrypted user data stored on iCloud; and
- The notice has a global effect, applying not only to U.K. users but to all Apple users worldwide.
The post argues that the order contravenes Article 8 of the European Convention on Human Rights (ECHR), particularly in light of recent case law on government access to encrypted communications. It concludes that, based on CJEU jurisprudence and the impact of the ECHR on the interpretation of EU Charter rights, the current U.K.-E.U. data transfer regime (and any future agreements) is highly unlikely to survive judicial scrutiny, unless the TCN regime is abandoned.
TCNs, Encryption Backdoors and the ECHR
It is assumed that the U.K. Home Office has served Apple with a Technical Capability Notice (TCN), one of the most extreme measures under the Investigatory Powers Act 2016 (IPA). The IPA, in section 253, empowers the Home Secretary to order telecommunication operators to take steps that include providing facilities or services of a specified description, or removing electronic protection (such as encryption). The Act further clarifies that TCNs “may be given to persons outside the United Kingdom (and may require actions to be taken, or refrained from, outside the United Kingdom)”.
TCNs require prior approval from a Judicial Commissioner, a serving or retired senior judge providing independent quasi-judicial authorisation, as part of the ‘double lock mechanism’ introduced by the 2016 Act to address the previous regime’s lack of ex ante independent oversight. Moreover, TCNs are subject to strict secrecy: an operator that receives a TCN “must not disclose the existence or contents of the notice to any other person without the permission of the Secretary of State”.
It is also worth noting that during parliamentary debates on the IPA, TCNs already faced strong criticism. These concerns were exacerbated in June 2023 when the U.K. government announced its intention to introduce a series of controversial changes. While some proposed changes, such as the obligation for operators “to engage in the consultation process for a notice”, were eventually abandoned, others (including the power to issue orders requiring companies to give advance notice to the Home Office before implementing technical changes) were incorporated into the IPA through the Investigatory Powers Amendment Act 2024 (IPAA).
Against this backdrop, a TCN was reportedly served on Apple in January 2025, instructing the company to facilitate global access to encrypted user data stored on iCloud. Although it is not entirely clear whether the U.K. order targets all encrypted data or solely data protected by end-to-end encryption (i.e., data of users who had enabled Advanced Data Protection), for the sake of this argument, we assume that the TCN pertains exclusively to E2EE data. This is because the Home Office would likely not need a TCN in place to gain access to the (non-E2EE) encrypted iCloud data to which Apple holds the key, and it would also explain the company’s decision to withdraw the ADP feature for U.K. users.
The compatibility of the IPA, and specifically its provisions governing TCNs, with the ECHR has not yet been challenged before the ECtHR. However, in Big Brother Watch v United Kingdom, which concerned the legislation preceding the IPA, the Grand Chamber appeared to legitimise bulk surveillance and implicitly endorse the IPA’s ‘double-lock’ authorisation process as an adequate safeguard for bulk interception.
Nonetheless, the Court’s more recent judgment in Podchasov v Russia, which addressed measures requiring the decryption of communications, may shed further light on this issue. In that case, the Russian Federal Security Service (FSB) demanded that Telegram provide access to and decrypt the communications of six users. In a unanimous ruling, the Court found that Russia had “overstepped any acceptable margin of appreciation” and that the measures were disproportionate as they impaired “the very essence of the right to respect for private life”. According to the Court:
in order to enable decryption of communications protected by end-to-end encryption, such as communications through Telegram’s “secret chats”, it would be necessary to weaken encryption for all users. These measures allegedly cannot be limited to specific individuals and would affect everyone indiscriminately, including individuals who pose no threat to a legitimate government interest. Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications.
Given the striking similarities between TCNs and the Russian orders examined in Podchasov, and the fact that the Apple order reportedly goes even further by demanding steps to potentially allow access to the data of all iCloud users globally, it will be interesting to see whether the IPT or domestic courts reach a different conclusion.
Schrems 3.0? TCNs as a Threat to an ‘Adequate’ Level of Data Protection
The conformity (or lack thereof) of a non-EU country’s surveillance legislation with the ECHR is critical not only for meeting international human rights obligations but also for determining whether that country can obtain an adequacy decision, namely a formal decision adopted by the European Commission which recognises that a non-E.U. country provides an equivalent level of protection for personal data and thus permits the transfer of personal data between the Union and that country. In the absence of such a decision, transfers of personal data to non-E.U. countries are prohibited, unless specific safeguards are applied.
Commission decisions, including data adequacy ones, must comply with the Charter of Fundamental Rights of the EU (CFREU), which, much like the ECHR, guarantees the right to privacy (as well as the right to the protection of personal data) and stipulates that the meaning of such corresponding rights “shall be the same as those laid down by the Convention” (Article 52(3)). In that vein, the CJEU has maintained that the corresponding rights of the ECHR should be considered “as the minimum threshold of protection” when interpreting the Charter and has steadily turned to Strasbourg’s jurisprudence for guidance when examining the compliance of surveillance-related measures with the CFREU. In addition, in the first Schrems case, the CJEU declared the Commission’s ‘Safe Harbour’ decision, which authorised the transfer of personal data between the E.U. and the U.S., invalid. The Court examined the U.S. surveillance regime and held that legislation permitting U.S. authorities “to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”, and that the decision therefore breached EU data protection law, read in light of the Charter. In the second Schrems case, which concerned another successful challenge to the commercial data transfer framework between the U.S. and the E.U., the Court of Justice clarified that the level of protection required for an adequacy decision under Article 45 of the GDPR must be interpreted in light of the provisions of the CFREU.
Following Brexit, in June 2021, the European Commission adopted two adequacy decisions for the United Kingdom, under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). The former relies on Article 45(1) GDPR, which permits transfers of personal data between the Union and a third country, if the Commission determines that the country “ensures an adequate level of protection”. Both U.K. adequacy decisions are set to expire in June 2025.
Despite strong objections from the European Parliament and the European Data Protection Board regarding the IPA’s bulk surveillance provisions, the European Commission proceeded with an expedited adoption, reportedly pressuring regulators to reconsider their positions.
In this context, focusing on the U.K. GDPR adequacy decision, it is somewhat surprising that there is no mention of TCNs. Regarding the exercise of the U.K.’s bulk powers under the IPA, the decision states that:
the collection and retention of large quantities of data acquired by the Government through various means (i.e. the powers of bulk interception, bulk acquisition, bulk equipment interference and bulk personal datasets) and which can subsequently be accessed by the authorities. This description is clarified by contrasting it to what ‘bulk power’ is not: it does not equate to so-called “mass surveillance” without limitations or safeguards… Moreover, bulk powers are available to intelligence agencies only and are always subject to a warrant issued by the Secretary of State and approved by a Judicial Commissioner. In choosing the means to collect intelligence, regards must be given to whether the objective in question can be sought by “less intrusive means”. This approach follows from the framework of the legislation which is built on the principle of proportionality and therefore prioritises targeted over bulk collection. (Footnotes omitted)
These assurances partly led the European Commission to conclude that:
when United Kingdom law enforcement or national security authorities access personal data falling within the scope of this Decision, such access is governed by laws that set the conditions under which access can take place and ensures that access and further use of the data is limited to what is necessary and proportionate to the law enforcement or national security objective pursued.
The decision then goes on to add:
Given the importance of such conditions, limitations and safeguards for the purposes of the present Decision, the Commission will closely monitor the application and interpretation of the UK rules framing government access to data… Close attention will also be paid to the execution by the UK of relevant judgments of the European Court of Human Rights…
The U.K. adequacy decision appears to have been adopted on the premise that the U.K. Government will make no use of TCNs or other bulk surveillance measures that could put the Commission’s assessment in jeopardy. Considering the CJEU’s willingness to go even further than Strasbourg in interpreting Charter rights, as well as its general aversion to indiscriminate measures, if a challenge were brought against the current E.U.-U.K. adequacy regime, it would have high chances of success. The same would apply to any future decisions, if the Commission, despite the public outcry, decided to renew the U.K.’s adequacy before an amendment of the relevant IPA provisions had taken place (a declaration of incompatibility under the Human Rights Act 1998 would likely not suffice).
Conclusion
Until recently, few would have imagined that TCNs, among the most intrusive and secretive measures in the U.K.’s surveillance regime – ideally never to be used – would dominate the news for weeks. Likewise, it would have been equally absurd to think that the U.K. government would assert the authority to have Apple take steps to facilitate access to the encrypted data of users around the globe.
As the U.K. IPT prepares to hear Apple’s challenge against the imposition of the TCN, and the European Commission reviews the U.K. adequacy decisions ahead of the 27 June 2025 deadline, the prospects of a U.K. victory on both fronts appear to be slim, particularly considering the long-term challenges that are likely to emerge before both Strasbourg and Luxembourg courts.
Beyond the substantial financial and organisational costs associated with the U.K.’s failure to secure E.U. adequacy, the true victims of the Apple order are likely to be minorities, human rights defenders and activists who depend on encryption for protection from oppressive regimes and whose rights could be irrevocably compromised by the Home Office’s unilateral decision.
Ioannis Kouvakas is a Senior Legal Officer and Assistant General Counsel for Privacy International (PI). The views expressed in this blog post are solely of the author and do not necessarily reflect those of his employer.
Suggested citation: I. Kouvakas, ‘You Can’t Have Your Apple and Eat It Too: Decryption Orders and the Perilous Future of U.K. Data Adequacy’, U.K. Const. L. Blog (13th March 2025) (available at https://ukconstitutionallaw.org/)