The UK Snoopers Charter: A Silent Erosion of Privacy

Iga Sloan

OPINION ARTICLE

When Facebook, MySpace, and Twitter exploded onto the scene in the late 2000s, we eagerly embraced social media, believing it to be a harmless space to share our lives. But, as with everything, there was a hidden cost: our privacy. Even now, despite the growing awareness fostered by the General Data Protection Regulation (GDPR), many of us still trade personal data for convenience—whether it’s for access to a new app feature or AI-powered services like ChatGPT, which cleverly tailors advertisements based on our input.

In a world where data fuels corporate giants like Google and Meta, it’s no surprise that information is often referred to as the new oil. And where there is oil, there is conflict. The fight over privacy rights—essentially, control over personal data—has become one of the defining legal and ethical battles of our time. Yet, not all battles receive equal attention. While the U.S. has seen high-profile clashes over encryption, such as Apple’s legal standoff with the FBI[1], a quieter but far more insidious erosion of privacy has been unfolding in the United Kingdom.

The Investigatory Powers Act (IPA) 2016, widely known as the “Snooper’s Charter,” has transformed the UK into potentially one of the most surveillance-heavy democracies in the world. Now, in a case that has received vast but short-lived media coverage, Apple—a staunch advocate of user privacy—appears[2] to have been issued a Technical Capability Notice (TCN) under the IPA. This notice likely demands that Apple grant the UK government a backdoor to user data. Apple has long vowed never to build such backdoors and reaffirmed its position in a statement published on February 24, 2025[3]. However, in response to government pressure, Apple also announced the withdrawal of its Advanced Data Protection (ADP) feature from the UK—a move that, while not explicitly opening a backdoor, nonetheless weakens privacy safeguards and leaves users more vulnerable to government surveillance.

Beyond individual privacy concerns, the UK government’s push for greater surveillance may have unintended consequences for international data flows. The UK’s adequacy decision with the European Union, which allows for the smooth transfer of data between jurisdictions, is now at risk. The IPA’s overreach mirrors the U.S. surveillance laws that led to the downfall of two transatlantic data transfer frameworks—Privacy Shield[4] and its predecessor, Safe Harbour[5].

Ironically, the United States—often criticised for its invasive surveillance practices—has, in some ways, placed more legal constraints on government data collection than the UK. Following public outrage over the NSA’s mass surveillance programs, the USA FREEDOM Act of 2015 introduced restrictions on the bulk collection of metadata, requiring judicial oversight for surveillance requests. By contrast, the UK’s IPA offers little in the way of meaningful checks and balances. While it does require a “double lock” approval system—including authorisation from a Judicial Commissioner and the Investigatory Powers Tribunal[6]—this remains a quasi-judicial process with limited scrutiny.

The European Commission is set to review its UK-EU adequacy decision on June 27, 2025. In addition to concerns over the Snooper’s Charter, the UK’s proposed Data Protection and Digital Information Bill—currently under review in the House of Lords—aims to reinterpret GDPR more leniently. John Edwards, the Information Commissioner for the UK, often reiterated that the UK was standing by its position to reform the GDPR[7]. With the UK already issuing TCNs, the UK risks not only losing its adequacy status but also cementing its reputation as a surveillance state where individual privacy is expendable.

The gradual erosion of privacy in the UK is not a hypothetical future concern—it is happening now, and it demands public attention. If Apple, one of the most powerful tech companies in the world, cannot withstand government pressure, what hope is there for smaller companies and individual citizens? The fight for digital rights must not be waged in silence. Privacy is not a privilege—it is a fundamental right, and once lost, it is nearly impossible to reclaim.


[1] The dispute between Apple and the FBI stems from a court order requiring Apple to create a custom operating system to bypass security features on an iPhone used in the 2015 San Bernardino attacks. Apple opposed the order, arguing it was unlawful, unconstitutional, and would compromise the security of all its devices. The case raised concerns about privacy, security, and government overreach. The case was dropped by the FBI six weeks later, because its entire position was that it couldn’t access the iPhone without Apple’s help. When it turned out that they could in fact access the phone, the case collapsed. Leander Kahney, “The FBI Wanted a Back Door to the iPhone. Tim Cook Said No”, Wired (The Big Story), Apr 16, 2019.

[2] The IPA, in section 255(8), compels the addressee of the notice to disclose neither its existence nor its contents. At the same time, the Home Office said that it did not comment on operational matters, including confirming or denying the existence of any notices.

[3] https://support.apple.com/en-gb/122234#:~:text=Here’s%20what%20it%20means.,other%20threats%20to%20customer%20privacy.

[4] In its judgment of 16 July 2020 (ref. C-311/18), the European Court of Justice (ECJ) declared what is known as the “privacy shield” decision of the EU Commission to be invalid. 

[5] In its judgment of 6 October 2015 (ref. C-362/14), the European Court of Justice (ECJ) declared what is known as the “safe harbor” decision of the EU Commission to be invalid. 

[6] https://investigatorypowerstribunal.org.uk/oversight-and-where-we-fit-in/

[7] https://www.linkedin.com/posts/iga-sloan-cipp-e-96372343_about-cpdp-data-protection-day-activity-7289962359060639744-UwPo?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAku_5sByYfLFm671hCY9E4tdEnlyRPm7aA
