Apple Discontinues Advanced Data Protection for UK Users

In a significant development, Apple has announced the discontinuation of its Advanced Data Protection (ADP) feature for users in the United Kingdom. This decision follows a request from the UK government under the Investigatory Powers Act, compelling Apple to provide access to encrypted user data for counterterrorism and national security purposes.

What Has Happened?

Advanced Data Protection, introduced by Apple in late 2022, offered end-to-end encryption for iCloud data, ensuring that only the user could access their files, photos, and notes. However, under the UK’s Investigatory Powers Act of 2016, which grants authorities the power to access encrypted data in the interest of national security, the government issued a technical capability notice requiring Apple to provide access to this encrypted data. This legislation is primarily aimed at enabling law enforcement to investigate terrorism and serious criminal activities. Rather than compromising its global security protocols by creating a backdoor, Apple has chosen to withdraw the ADP feature for UK users. As of February 21, 2025, new users in the UK are unable to enable ADP, and existing users will be required to disable the feature to continue using iCloud services.

Implications for Users and Organisations

The removal of ADP means that certain iCloud data categories, such as backups, photos, and notes, will no longer benefit from end-to-end encryption in the UK. Consequently, this data could be accessible to Apple and, by extension, to government authorities if legally compelled. While some data types, including iCloud Keychain passwords, Health app data, iMessage, and FaceTime, will remain end-to-end encrypted, the overall privacy landscape for UK users has been altered.

As organisations adapt to this change, it is an important time for them to reassess their policies and procedures, particularly those relating to the use of mobile devices, such as iPhones, and cloud services like iCloud. Businesses should review their Acceptable Use Policies (AUP) to ensure they clearly define what is acceptable in terms of data processing and storage on these devices.

Organisations need to consider the confidentiality of customer, client, and service user data. What information are employees processing using Apple devices, and do they need to record everything they access, or can they avoid using data that might identify an individual unless absolutely necessary? It is essential to think critically about what data is being captured and stored. This reflection can help mitigate potential risks and ensure that organisations remain compliant with data protection regulations while maintaining the security and privacy of their stakeholders.

Protecting Your Data

In light of these changes, individuals and organisations should consider the following measures to safeguard their sensitive information:

• Utilise Third-Party Encryption Tools: Before uploading data to cloud services, encrypt it using trusted third-party applications. This ensures that only you hold the decryption keys, maintaining control over your data.
• Explore Alternative Cloud Services: Some cloud providers continue to offer end-to-end encryption. Research and consider services that prioritise user privacy and comply with your security requirements.
• Implement On-Premises Storage Solutions: For highly sensitive data, maintaining on-premises storage with robust encryption can provide greater control and reduce reliance on third-party services.
• Stay Informed About Legislative Changes: Regularly monitor legal developments related to data protection and privacy, and encryption to understand how they may impact your organisation’s data security strategies.

How AJC Can Assist

At AJC, we understand the evolving challenges posed by changes in data protection policies and regulations. Our team of experts is equipped to:

• Assess Your Current Data Security Posture: We evaluate your existing data protection measures and  identify potential vulnerabilities arising from recent changes.
• Provide Training and Support: We offer training sessions to educate your team on best practices for data protection and security.
• Ensure Compliance with Data Protection Legislation: Our consultants stay abreast of legislative developments to help your organisation navigate the complexities of data protection laws, ensuring compliance and minimising risk.

In an era where data privacy is increasingly under threat, proactive measures are essential. AJC is committed to empowering you with the tools and knowledge necessary to protect your sensitive information effectively. If you require advice or support on data protection and information governance, please do not hesitate to get in touch. 

Please contact us on 020 7101 4861 or email us info@ajollyconsulting.co.uk if you think we can help.

Sources:

Associated Press: Apple drops encryption feature for UK users after government reportedly demanded backdoor access.
The Times: Apple pulls data protection tool after UK government security row.
The Guardian: Apple removes advanced data protection tool in face of UK government request.

Image accreditation: Armand Valendez (July 2017) from Pexels.com. Last accessed on 24th February 2025. Available at: https://www.pexels.com/photo/apple-logo-544295/