In February 2025, Apple preferred to remove the “Advanced Data Protection” end-to-end encryption functionality for users of its iCloud storage service in the UK, rather than create a backdoor in this system. This backdoor request was required by the UK Home Office via a “technical capability notice”, under the Investigatory Powers Act (Act).
Encryption is one of the technical measures required to ensure data security and comply with the “Privacy-by-Design” principle. It prevents access to data, even in the event of a request for access from foreign authorities.
As the IPA is extraterritorial in scope, it enables the UK government to impose requirements on companies in other countries, and for users located worldwide, while still being able to prohibit suppliers from informing their users.
This “Apple / IPA Act” case could well represent a breakthrough, the beginning of a rethink of end-to-end encryption. It has no precedent in other democracies. Giving in on encryption is tantamount to opening the door to systemic surveillance, considered incompatible with democratic values. Explanations.
The Investigatory Powers Act (IPA), an attack on encryption
The Investigatory Powers Act (IPA) is a 2016 British law establishing a new framework to govern the use and oversight of investigatory powers by law enforcement, security and intelligence agencies.
The Act brought together many of the UK’s existing investigatory powers into a single piece of legislation. Its opponents see it as an extension of the powers of British intelligence agencies. Edward Snowden has described the IPA as one of the worst pieces of intelligence legislation in the Western world.
As technology and the types of threats facing the UK have rapidly advanced and evolved, the Investigatory Powers Act was revised in 2023 and 2024, with the aim of enabling security and intelligence agencies to deal with a rapidly evolving range of threats.
One of the strongest criticisms of the text concerns the extensive powers granted to the Home Office. Under the IPA, the UK Home Office has the power to issue orders to technology companies and to demand access for British intelligence services.
Companies receiving requests for cooperation are subject to a secrecy regime, since they are legally prohibited from disclosing the existence of such requests without explicit authorization from the Home Secretary. This secrecy requirement and the absence of any notification to users prevent citizens from understanding the security status of the communication tools they use.
Last but not least, the IPA makes it possible to force the addition of backdoors, even in the case of end-to-end encryption. The IPA thus gives the government the ability to force companies to create backdoors in their systems to enable intelligence services to bypass encryption. This is what happened with Apple at the beginning of 2025, the company having received a “technical capability notice” relying on section 253 of the Investigatory Powers Act and asking it to introduce a backdoor in its optional “Advanced Data Protection” feature, designed to secure data backed up via iCloud.
Encryption and backdoors: a false dilemma
The very principle of creating a backdoor for the British authorities poses a fundamental problem. Once a weakness exists in an encryption system, it can potentially be discovered and used by anyone, particularly for malicious purposes, to access user data. This is a serious breach of privacy and civil liberties.
Cybersecurity experts have voiced their disapproval of the requirement to add backdoors. They also deplore the Home Office’s ability to delay or block proposed security changes by service providers. The NGO TechUK, for its part, fears that the IPA will serve as a model for less democratic governments wishing to tighten their controls on citizens.
Apple boss Tim Cook has publicly voiced his fears about setting “a dangerous precedent”. The company has always refused to create backdoors in its products or services designed to circumvent encryption. For their part, the heads of WhatsApp and Signal have stated that they would rather leave the UK than weaken their end-to-end encryption by introducing backdoors.
As part of the Apple affair, civil liberties organizations – the Electronic Frontier Foundation, the American Civil Liberties Union, Amnesty International, Project TOR, Mozilla – have voiced their support for the Apple brand.
The IPA, a concrete illustration of the risks of extraterritoriality
Extraterritorial in scope, the Investigatory Powers Act does not just operate on British territory. The British government would therefore be in a position to impose secret requirements on providers located in other countries, which would apply to their users located all over the world.
The IPA is not the only law that goes beyond the borders of the country that gave birth to it. On the other side of the Atlantic, the Cloud Act gives US authorities access to electronic communications data stored on servers located in the USA or other countries. Also in the U.S., the Foreign Intelligence Surveillance Act (FISA), extended until 2026, is one of the U.S. government’s most far-reaching surveillance tools. It enables the country’s intelligence services to access the communications of non-Americans abroad, without having to go before a judge.
IPA, Cloud Act, FISA: these three pieces of legislation all claim the ability to access data beyond their national borders. They impose cooperation obligations on technology companies, and operate in secrecy, often preventing these companies from informing their users.
Under these extraterritorial laws, European companies using non-sovereign solutions find themselves exposed to foreign jurisdictions, and lose control over their data and sovereignty.
This situation also exposes European companies to jurisdictional conflicts, for example between the Cloud Act and the RGPD, the European regulation opposing transfers of personal data outside the European Union without an adequate level of protection.
Data localization (via the location of datacenters) is no longer a sufficient criterion for ensuring data sovereignty. It is now also necessary to take into account the jurisdiction to which the data is subject.
Data storage solutions provided by AWS, Microsoft or Google are not considered sovereign (even if they host their French customers’ data on French soil, for example), since they are subject to US legislation. Conversely, in the case of a sovereign cloud, the data is stored on servers located in France, but is primarily managed by a French player and placed under French jurisdiction.
The Oodrive approach: security, compliance and sovereignty
In this context, Oodrive adopts an approach based on security, regulatory compliance and digital sovereignty.
Its solutions comply with the most stringent security regulations right from the design stage, as part of a “Security-by-Design” architecture. Security mechanisms – end-to-end encryption, strong authentication, etc. – are integrated natively and transparently for users, guaranteeing a seamless experience. Data is protected, without impacting productivity. Encryption keys are managed exclusively by customers, stored in a dedicated HSM box.
Oodrive is 100% owned and operated in Europe. The company hosts its collaborative solutions in Europe (sovereign hosting). Customer data is not subject to extra-European laws such as the Cloud Act or FISA. They are exclusively under French jurisdiction, and therefore safe from espionage and external interference, in full compliance with the RGPD.
In addition to security, compliance and sovereignty, Oodrive is also committed to transparency for its customers. True to its commitment to digital trust, Oodrive will never introduce backdoors or other hidden accesses into its solutions.
Security cannot be conditional. Giving in on encryption would mean undermining the entire digital ecosystem. More than 2.5 million professionals have chosen to collaborate on their sensitive projects within the Oodrive bubble of trust, testifying to the relevance of this transparent and responsible approach.
A collective responsibility to give nothing away when it comes to security
The “Apple / IPA Act” case in the UK is much more than just a technical dispute over encryption between a company and a government. It raises a critical question: are we prepared to sacrifice the foundations of data protection to state-imposed surveillance?
Faced with this offensive against end-to-end encryption, European companies have a role to play in not giving in to non-sovereign solutions, in not sacrificing security for convenience. Otherwise, they risk losing control over their most sensitive data, and exposing themselves to requests for access to their data by foreign authorities.
Beyond the geographical location of servers, it is the jurisdiction to which data is subject that determines its actual level of protection. Data hosted in France but managed by an American player remains exposed to American extraterritorial laws. European companies must take this reality into account in their technological choices, and opt for truly sovereign solutions.
Faced with this challenge to encryption, Europe must assert its vision of a digital world that respects fundamental rights, and support a European, ethical and sovereign cloud ecosystem. Through their technological choices, companies can promote the emergence of a European digital model that respects democratic values, by favoring transparent players.
