Apple Inc. v Secretary of State for the Home Department


24th June 2025

Deliberately pointed? Unsubtle dig? Mere coincidence? As I opened WhatsApp on Friday 13 June, immediately on waking up, I saw this message. But what does this mean for data protection in the UK?

Timeline of events

In late 2024, a Technical Capability Notice (“TCN”) was allegedly issued by the Home Secretary to Apple Inc. (“Apple”) under Section 253 Investigatory Powers Act 2016 (“IPA”). Whilst the content of the TCN has not been published, it allegedly compelled Apple to remove a particular security measure – Advanced Data Protection (“ADP”) – from targeted UK iCloud users.

In February 2025, Apple withdrew ADP from UK users so that the opt-in security measure would no longer be available to them. Apple subsequently filed a complaint with the Investigatory Powers Tribunal (“IPT”) raising issues with the TCN. The Home Office argued that the hearing should be held entirely in secret and that publishing the ‘bare details of the case’ would be damaging to national security. The IPT directed that the hearing would be held in private on 14 March 2025 but that the published court list would cite the case number and names of the judges. In its judgment (published on 7 April 2025), the IPT held that it did not “accept that the revelation of the bare details of the case would be damaging to the public interest or prejudicial to national security”.

WhatsApp has now submitted evidence to the IPT in support of Apple, with WhatsApp’s CEO Will Cathcart stating on 11 June 2025 that the case “could set a dangerous precedent” by “emboldening other nations” to seek to break encryption, which is how tech firms keep customers’ information private.

What this means from a technical perspective

ADP is an opt-in security feature which applies end-to-end encryption (“E2EE”) to data stored in iCloud. Encryption is a reversible process that requires a specific key for decryption and is typically used to ensure data confidentiality. The original form of a message is known as the plaintext; the encrypted form is called the ciphertext. To convert ciphertext back into plaintext, the correct decryption key is required. Encryption protects against three main forms of attack: interception, modification and insertion. For example, if someone tried to modify the content of an encrypted message without the decryption key, the modification would not ‘translate’ into a readable message, i.e. it would not make sense to the user and would therefore be immediately obvious to them. E2EE, in the context of communication, means that data is encrypted on the sender’s device and only decrypted on the recipient’s device. The recipient needs the required decryption key to read the sender’s message. The data remains encrypted whilst stored and in transit.

Applied to ADP, only the user holds the encryption and decryption keys to their data: the data is encrypted on the user’s device, remains encrypted while sent to and stored in the cloud, and is decrypted only once the user retrieves it back to their device. Apple does not hold its own key to decrypt a user’s data. Apple devices contain a separate processor, the Secure Enclave, which stores and manages sensitive information, including encryption and decryption keys. It is entirely separate from the main processor for added protection. Under ADP, the decryption keys are only available within the Secure Enclave on a given user’s device, so without the passcode or biometrics required to gain access to the device, key retrieval is impossible.

By contrast, Apple applies the Standard Data Protection (“SDP”) protocol to iCloud users’ data by default. Under SDP, Apple does store its own set of encryption keys to, for example, assist in account recovery.
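A simplified model of the ADP and SDP key arrangements described above, as an added example that is not Apple’s code or protocol: a toy HMAC-based authenticated encryption scheme stands in for the real cipher, and the passcode-derived device key, the provider’s escrow dictionary and the constructed passcodes are assumptions. It shows that the provider can decrypt only when it holds a copy of the key (SDP), that under ADP it holds ciphertext alone, and that a modified ciphertext is rejected rather than read back as garbage.

```python
import hashlib
import hmac
import os

def _subkeys(key: bytes):  # separate confidentiality and integrity keys from one master key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy keystream (stand-in for AES-CTR)
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Any change to nonce or ciphertext, or a wrong key, fails the tag check before decryption
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: modified ciphertext or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def tamper_detected(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return False
    except ValueError:
        return True

class Device:  # the data key is derived from the passcode and never leaves the device
    def __init__(self, passcode: str, adp: bool):
        self.key = hashlib.pbkdf2_hmac("sha256", passcode.encode(), b"constructed-salt", 100_000)
        self.adp = adp  # True = Advanced Data Protection, False = Standard Data Protection

class CloudProvider:  # stores ciphertext; under SDP it also keeps an escrowed copy of the user's key
    def __init__(self):
        self.store, self.escrow = {}, {}
    def upload(self, user: str, device: Device, plaintext: bytes) -> None:
        self.store[user] = encrypt(device.key, plaintext)
        if not device.adp:
            self.escrow[user] = device.key  # assumed simplification of SDP account-recovery keys
    def provider_can_read(self, user: str):
        # Under ADP no key is escrowed, so the provider cannot decrypt on request
        return decrypt(self.escrow[user], self.store[user]) if user in self.escrow else None
```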

What this means from a data protection perspective

User personal data is stored in iCloud. Regardless of whether it has access to the personal data processed, a data controller must comply with its obligations under applicable data protection legislation, including ensuring that personal data is processed ‘lawfully, fairly and transparently’ (Art. 5 (1) (a) UK GDPR). Data controllers and data processors must process personal data ‘securely’ (the ‘integrity and confidentiality’ principle, Art. 5 (1) (f) UK GDPR). Separately, any organisation might receive a request from a third party for disclosure of personal data. In line with the lawfulness principle, a lawful basis must be established for both the provision and the receipt of personal data.

Security

The UK GDPR requires that organisations implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk …”. In determining ‘appropriateness’, an organisation appears to have a large degree of autonomy. It must take into account the following broad factors, “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons …” (Art. 32 (1) UK GDPR). In fact, the UK GDPR provides that, “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed” (Art. 32 (2) UK GDPR). Encryption is explicitly listed as an example of an appropriate security measure.

SDP and ADP are security measures which Apple has implemented to protect user personal data stored in iCloud. Users can opt in to receive the enhanced security of ADP, possibly in light of the breadth and depth of data which could be stored in the cloud. In not creating its own decryption keys for ADP, Apple confines decryption entirely to a user’s device, thereby decreasing the risk of exposure. In doing so, Apple is seeking to further decrease the risk of a personal data breach, e.g. unlawful or unauthorised access to personal data, i.e. an interception attack. Additionally, and fundamentally, Apple is giving effect to a stated aim of the GDPR, which is that “Natural persons should have control of their own personal data” (Rec. 7 GDPR).

The TCN issued by the Home Office allegedly “[required it] to be able to maintain access to its users’ data in decrypted form, so that such data is available to be passed to the intelligence agencies” (Case number: IPT/25/68/CH). Apple does not have the technical means – the decryption key – to comply with the TCN on a targeted basis or otherwise. This might explain Apple’s initial reaction to the TCN of withdrawing ADP from UK iCloud users entirely – it seems to be the only available technical means of complying. The autonomy seemingly afforded by Art. 32 UK GDPR is not, therefore, total but, in fact, fettered. Additionally, complying with the TCN would entail Apple either withdrawing a security measure afforded to all UK users (as it did initially) or reducing the efficacy of that security measure (by itself holding the decryption key) despite the risks it has identified, and so undermining its compliance with Art. 32 UK GDPR. The Home Office’s argument that it issues TCNs “…on an exceptional basis, in relation to the most serious crimes and only when it is necessary and proportionate to do so” may well be true but, in this case, the effect would not be proportionate. This is the definition of a policy issue and may reveal Apple’s motivation for appealing the TCN. Another possible motivation is obtaining instruction on complying with requests for disclosure from law enforcement authorities in compliance with other key controller obligations under the UK GDPR; although wishful thinking springs to mind.

UK Adequacy

The European Data Protection Board (“EDPB”) has now adopted Opinion 06/2025 which recognises the European Commission-proposed 6 month extension to the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive. The stated reason for this is to enable the “ongoing legislative process in the UK” to be concluded i.e. the Data (Use and Access) Bill to be passed into UK law. At the time of writing, the Bill has passed through all the necessary legislative stages and is awaiting Royal Assent. Given that this extension has been granted so that the legislative developments can be taken into account when the European Commission assesses whether the UK provides ‘essentially equivalent’ protection for personal data when determining renewal, it would be natural to wonder whether the Apple v. Home Office proceedings may also impact this renewal.
