United Kingdom

Five Eyes founder with bulk cable interception, a CLOUD Act agreement with the US, and Technical Capability Notices that blocked Apple’s end-to-end encryption


Overview

The United Kingdom is a founding member of the Five Eyes intelligence alliance (UKUSA Agreement, 1946). GCHQ operates the Tempora “full-take” cable interception programme, buffering the traffic flowing through the undersea fibre-optic cables it taps at UK landing points and sharing it with the NSA. GCHQ’s Operation Edgehill (the counterpart to NSA’s BULLRUN) systematically attacked the encryption protecting internet traffic. The Investigatory Powers Act 2016 (“Snoopers’ Charter”) consolidated bulk interception, internet connection records, and equipment interference powers. The Investigatory Powers (Amendment) Act 2024 imposed a duty on technology companies to notify the government before making technical changes such as enabling encryption, and in January 2025 the Home Office served a Technical Capability Notice demanding access to Apple’s end-to-end encrypted iCloud; Apple withdrew the feature for UK users rather than build the capability. After US diplomatic pressure forced the UK to withdraw the global TCN in August 2025, the Home Office issued a new UK-only TCN in September 2025.[1][2][34]

On the civilian side, the UK GDPR (the EU GDPR retained in domestic law by the European Union (Withdrawal) Act 2018) is enforced by the Information Commissioner’s Office (ICO). The Data (Use and Access) Act 2025 introduced the UK’s most significant post-Brexit divergence from EU standards. The UK’s CLOUD Act agreement with the United States (the Data Access Agreement, in force since October 2022) lets law enforcement in either country serve data requests directly on technology companies in the other, bypassing traditional MLAT channels. Post-Brexit, the UK lost access to SIS II, the European Investigation Order, and Prüm.[3]

Privacy Framework

The ICO (Information Commissioner’s Office) can fine up to GBP 17.5 million or 4% of global turnover. Notable fines include British Airways (GBP 20M), Marriott (GBP 18.4M), Reddit (GBP 14.47M, February 2026) for children’s data failures under the Age Appropriate Design Code, Capita (GBP 14M), TikTok (GBP 12.7M), South Staffordshire Water (GBP 963,900, May 2026) for security failures that allowed a 2022 ransomware breach exposing 633,887 individuals to remain undetected for 20 months, and Clearview AI (GBP 7.5M, jurisdiction upheld by Upper Tribunal October 2025). The Reddit fine is the largest ICO penalty specifically for children’s data and age assurance failures. In H1 2025, the ICO doubled the prior year’s enforcement volume.[4][5][35][39]

The Data Protection Act 2018 supplements the UK GDPR: Part 3 governs law enforcement processing; Part 4 governs intelligence services (MI5, MI6, GCHQ) under a lighter-touch regime entirely outside the UK GDPR, with national security certificates able to exempt intelligence services from most data protection principles. The DUAA 2025 (most provisions effective February 2026) introduces “recognised legitimate interests” exempting specified purposes from balancing tests, relaxes automated decision-making restrictions, removes cookie consent requirements for non-intrusive cookies, and replaces the “essential equivalence” transfer standard with a more permissive “not materially lower” standard. EU adequacy was renewed December 2025 until December 2031.[6][7][8]

Surveillance Laws

Investigatory Powers Act 2016 (“Snoopers’ Charter”)

Consolidated and expanded UK surveillance powers under a single framework: targeted and bulk interception, internet connection records, equipment interference (hacking), bulk personal datasets, and approval of warrants by Judicial Commissioners (the “Double Lock”).[9]

Oversight runs on three tracks. The Investigatory Powers Commissioner (IPC), a senior judge supported by Judicial Commissioners, supplies the warrant-approval “Double Lock” and audits agency compliance. The Investigatory Powers Tribunal (IPT) hears complaints and human-rights challenges against the agencies. Parliamentary scrutiny falls to the Intelligence and Security Committee of Parliament (ISC).[9]

Parliamentary Oversight: The Intelligence and Security Committee (ISC)

The ISC is the UK’s parliamentary intelligence-oversight body, the closest counterpart to Canada’s NSICOP, Australia’s PJCIS, and the US congressional intelligence committees. Created by the Intelligence Services Act 1994 and significantly reformed by the Justice and Security Act 2013, it seats nine members drawn from both the House of Commons and the House of Lords, all cleared for highly classified material, and reviews the policy, administration, expenditure, and operations of MI5, MI6, GCHQ, and the wider intelligence community.[46][47]

The 2013 reform was the decisive change: it converted the ISC from a body appointed by and reporting to the Prime Minister into a committee of Parliament. Members are now nominated by the PM but appointed by their respective Houses, the chair is elected by the members rather than chosen by Downing Street, and reports are laid before Parliament. This is precisely the distinction that makes Canada’s NSICOP, which was modelled on the pre-2013 ISC and still reports to the Prime Minister, look weaker by comparison. The PM nonetheless keeps a redaction power: before publication the ISC must remove anything the Prime Minister considers prejudicial to national security, through a defined four-stage process (factual corrections, redaction requests, contested redactions argued by the agencies, and final sign-off), with roughly ten working days to review. Landmark outputs include the long-delayed Russia report (completed 2019 but withheld until July 2020, after No. 10 declined to clear it ahead of the December 2019 election) and recurring reviews of bulk powers, detainee mistreatment, and China.[46][47]

Investigatory Powers (Amendment) Act 2024

Introduced bulk personal datasets regime (including examining third-party datasets “in situ”) and a technology company notification requirement: operators must notify the government in advance of technical changes (such as enabling encryption) that could affect lawful access, and maintain the status quo while objections are investigated.[10]

Technical Capability Notices and the Apple Case

IPA Section 253 allows the Secretary of State to serve Technical Capability Notices (TCNs) requiring providers to build interception capabilities. TCNs are extraterritorial: they apply globally, not just to UK users. In January 2025, the Home Office served a TCN on Apple demanding a backdoor into Advanced Data Protection (end-to-end encrypted iCloud). In February 2025 Apple withdrew the feature for UK users rather than build a backdoor, the first time it has pulled Advanced Data Protection from a market in response to a government demand.[11][12]

In August 2025, following intense diplomatic pressure from the United States (including direct involvement from President Trump, VP Vance, and DNI Gabbard), the UK withdrew the global TCN. However, in September 2025, the Home Office issued a new, UK-only TCN demanding Apple create a backdoor limited to British users’ encrypted iCloud data. Apple’s original IPT appeal was dropped as moot after the global TCN withdrawal. Privacy International and Liberty filed a separate IPT challenge against the TCN powers. A seven-day IPT hearing on the UK-only order was listed for 2026; as of mid-2026 the Tribunal had not issued a public ruling on the substantive challenge, and the UK-only TCN had not been publicly withdrawn.[34]

RIPA 2000 (Residual Provisions)

RIPA’s interception powers were repealed by the IPA 2016, but provisions on directed/intrusive surveillance, covert human intelligence sources (CHIS), and encryption (Part III) remain: authorities can compel decryption or key disclosure, with up to 2 years imprisonment (5 years for national security) for refusal.[13]

Online Safety Act 2023

Empowers Ofcom to require platforms, including providers of end-to-end encrypted services, to use “accredited technology” to detect CSAM. No accredited technology exists that can scan end-to-end encrypted content without undermining the encryption, so the government has said the power will not be used until it is “technically feasible”; the provision nevertheless remains on the statute books. Signal, Apple, and WhatsApp warned they would leave the UK market rather than comply.[14]

Historical: Section 94 Telecom Act 1984

MI5 secretly collected bulk telephone data under Section 94 directions from 2001, revealed only in 2015 when the Commissioner found “there does not appear to be a comprehensive central record of the directions that have been issued.”[15]

Intelligence Agencies

MI5 (Security Service)

Domestic counter-intelligence and counter-terrorism under the Security Service Act 1989. Subject to DPA 2018 Part 4.[16]

MI6 (Secret Intelligence Service)

Foreign intelligence under the Intelligence Services Act 1994 (Section 1). Section 7 grants the Foreign Secretary power to authorise immunity from British prosecution for SIS personnel for acts committed abroad that would otherwise be illegal.[17]

GCHQ (Government Communications Headquarters)

Signals intelligence (SIGINT) and information assurance under ISA 1994 (Section 3). GCHQ is one of the most capable SIGINT agencies in the world and the UK’s primary contributor to the Five Eyes alliance.[18]

Tempora: Full-Take Cable Interception

GCHQ’s Tempora programme intercepted traffic from over 200 fibre-optic cables, processing over 21 million gigabytes (21 petabytes) per day with the capability to buffer 30 days of metadata and 3 days of content. Described by Snowden as the world’s first “full-take” surveillance dragnet. The NSA had 250 analysts assigned to sift Tempora data. The IPT found Tempora “in principle, legal” under RIPA, but in February 2015 ruled that, before the government’s disclosures in the litigation, the regime governing GCHQ’s access to NSA PRISM data had breached Articles 8 and 10 ECHR.[19][20]

Mastering the Internet

Tempora is the buffering component of a larger GCHQ programme, Mastering the Internet (MTI), budgeted at over £1 billion to expand the agency’s capacity to intercept and process the world’s internet and telephone traffic. Its sister programme, Global Telecoms Exploitation (GTE), targets telephone communications. Snowden-era documents indicate the NSA contributed at least £17.2 million toward the programme, underscoring how closely GCHQ’s bulk-collection build-out was tied to its US partner.[48]

Karma Police: Web-Browsing Profiles

From 2007 GCHQ began building Karma Police, a programme whose stated ambition was to create “a web browsing profile for every visible user on the Internet.” It drew on Black Hole, a vast repository of bulk-intercepted metadata (browsing histories, search queries, social-media connections, instant-messenger chats, and email records) that also fed analytic tools such as Mutant Broth, which sifts intercepted cookies (known internally as “target detection identifiers”) to tie IP addresses to individual identities. The programmes were disclosed by The Intercept in September 2015 from the Snowden archive and show how the cable-interception infrastructure above is turned into individualised profiles.[49]
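The cookie-to-identity linkage described above is a small graph problem, and it is worth seeing why plaintext cookies make it trivial. The following is an added example, not GCHQ tooling and not code from this page: it takes the kind of metadata a passive tap sees for unencrypted HTTP (time, client IP, Host header, cookie value), treats every shared cookie value as an edge between client IP addresses, and merges connected IPs into one profile carrying every host those IPs fetched. The records, hosts, IPs and cookie values are constructed for the example.

```python
"""Linking IP addresses into one browsing profile through shared cookie values,
as a passive tap on unencrypted HTTP could.  Added example with constructed
records; not GCHQ tooling and not code from the page."""
from collections import defaultdict

# Constructed sample of plaintext-HTTP metadata as seen at a cable tap:
# (time, client_ip, host, cookie).  cookie is None when the tap saw none
# (no cookie sent, or the request was inside TLS and only the SNI was visible).
RECORDS = [
    ("09:01", "203.0.113.7",  "ads.example",    "uid=a1f9"),
    ("09:01", "203.0.113.7",  "news.example",   None),
    ("12:30", "198.51.100.2", "ads.example",    "uid=a1f9"),  # same browser, new IP
    ("12:31", "198.51.100.2", "forum.example",  "sess=77c0"),
    ("18:05", "192.0.2.44",   "forum.example",  "sess=77c0"),  # same session, home IP
    ("18:06", "192.0.2.44",   "health.example", None),
    ("18:07", "192.0.2.45",   "news.example",   None),         # an unrelated neighbour
    ("18:07", "192.0.2.45",   "ads.example",    "uid=0b22"),
]

class DisjointSet:
    """Union-find over arbitrary hashable labels ('ip:...' and 'cookie:...')."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def build_profiles(records):
    """Group IPs connected (transitively) by shared cookie values; return a list of
    profiles, each {'ips': set, 'cookies': set, 'hosts': set}, sorted by lowest IP."""
    ds = DisjointSet()
    for _, ip, _, cookie in records:
        ds.find("ip:" + ip)                            # every IP is at least its own node
        if cookie is not None:
            ds.union("ip:" + ip, "cookie:" + cookie)   # the cookie value is the selector
    profiles = defaultdict(lambda: {"ips": set(), "cookies": set(), "hosts": set()})
    for _, ip, host, cookie in records:
        prof = profiles[ds.find("ip:" + ip)]
        prof["ips"].add(ip)
        prof["hosts"].add(host)                        # cookie-less requests still land here
        if cookie is not None:
            prof["cookies"].add(cookie)
    return sorted(profiles.values(), key=lambda pr: min(pr["ips"]))

def profile_for(records, ip):
    """The profile containing a given IP address."""
    return next(pr for pr in build_profiles(records) if ip in pr["ips"])

def strip_cookies(records):
    """What the same tap sees once cookies travel inside TLS: hosts (via SNI), no cookies."""
    return [(t, ip, host, None) for t, ip, host, _ in records]

if __name__ == "__main__":
    for pr in build_profiles(RECORDS):
        print(sorted(pr["ips"]), sorted(pr["cookies"]), sorted(pr["hosts"]))
```

The cookie-less visit to health.example is attributed to the profile only because its IP was already tied in by the forum session cookie; run the same records through strip_cookies and every IP stays its own profile. That is the practical argument for TLS on every request and for treating any claim that “an IP address is not personal data” with suspicion.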

Operation Edgehill (Cryptanalysis)

GCHQ’s classified programme to decrypt internet encryption, the counterpart to NSA’s BULLRUN. The joint effort aimed to break SSL/TLS, VPNs, and encrypted platforms through exploiting implementation weaknesses, inserting backdoors into commercial products, pressuring companies, and manipulating standards bodies (most notably the Dual EC DRBG backdoor in NIST standards, withdrawn 2014).[21]
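The Dual EC DRBG problem mentioned above can be shown in miniature. The following is an added example, not code from this page, from GCHQ or from any standard: a toy Dual EC generator over a small hypothetical curve (p = 65519, y² = x³ + x + 1) in which the second base point P is derived from Q with a secret scalar e (P = eQ), the relationship NIST’s P-256 constants were suspected of having (equivalently, Q = dP with e = d⁻¹ mod the group order). Whoever knows e recovers the generator’s internal state from one truncated output block by brute-forcing the dropped bits, lifting the x-coordinate back onto the curve and multiplying by e, then predicts every later block. The curve, the constants, the seed and the 4-bit truncation are assumptions chosen for speed; the real standard drops 16 of 256 bits on P-256, so the search is 2¹⁶ candidates rather than 2⁴.

```python
"""Toy Dual_EC_DRBG with a backdoored point pair.  Added example: hypothetical
curve and constants, not NIST P-256 and not the standard's real P and Q."""

# Toy curve y^2 = x^3 + A*x + B over F_p.  p = 3 (mod 4) keeps modular square
# roots to one exponentiation; p < 2^16 keeps every step instant.
p, A, B = 65519, 1, 1
INF = None                                   # point at infinity

def add(P1, P2):
    """Affine point addition (handles doubling, inverses and the identity)."""
    if P1 is INF: return P2
    if P2 is INF: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return INF
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P1):
    """Double-and-add scalar multiplication."""
    R = INF
    while k:
        if k & 1: R = add(R, P1)
        P1, k = add(P1, P1), k >> 1
    return R

def xcoord(pt):
    """x-coordinate; the identity maps to 0 (unreachable on a prime-order curve, toy guard)."""
    return 0 if pt is INF else pt[0]

def lift_x(x):
    """Point with x-coordinate x (either sign of y), or None if x is not on the curve."""
    rhs = (x * x * x + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None

# --- the "standard's" published constants -----------------------------------
Q = next(pt for pt in map(lift_x, range(2, p)) if pt)   # first valid point: public base point
E_SECRET = 31337        # hypothetical trapdoor scalar, known only to whoever chose the constants
P = mul(E_SECRET, Q)    # P = e*Q.  Users see P and Q; the backdoor is knowing e.
TRUNC_BITS = 4          # output drops the top 4 of 16 bits (real Dual EC drops 16 of 256)
OUT_MASK = (1 << (16 - TRUNC_BITS)) - 1

def dual_ec_outputs(state, n):
    """Run the generator from internal state `state`: each block is
    trunc(x(state*Q)), after which the state advances to x(state*P)."""
    outs = []
    for _ in range(n):
        outs.append(xcoord(mul(state, Q)) & OUT_MASK)
        state = xcoord(mul(state, P))
    return state, outs

def generate(seed, n):
    """Seed -> first internal state via one P-multiplication, then n output blocks."""
    return dual_ec_outputs(xcoord(mul(seed, P)), n)

def recover_state(outputs, e):
    """Trapdoor holder: from outputs[0] alone, recover the state that produced
    outputs[1:].  Each candidate r lifts to R = +-(s*Q); then e*R = +-(s*P), whose
    x-coordinate is the next state.  Later blocks weed out wrong truncation guesses."""
    first, rest = outputs[0], outputs[1:]
    hits = []
    for hi in range(1 << TRUNC_BITS):            # brute-force the truncated bits
        r = (hi << (16 - TRUNC_BITS)) | first
        if r >= p: continue
        R = lift_x(r)
        if R is None: continue                   # not an x-coordinate on the curve
        candidate = xcoord(mul(e, R))
        if dual_ec_outputs(candidate, len(rest))[1] == rest:
            hits.append(candidate)
    return hits

if __name__ == "__main__":
    _, blocks = generate(0x1234, 6)
    recovered = recover_state(blocks, E_SECRET)
    print("observed:", blocks)
    print("recovered state(s):", recovered)
    print("predicted from recovered:", dual_ec_outputs(recovered[0], 5)[1])
```

The defence is structural, not a patch: a DRBG whose security rests on nobody knowing the discrete logarithm between two fixed constants is only as trustworthy as the process that chose them, which is why the 2014 withdrawal removed the construction rather than re-issuing constants.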

Cable Access and Overseas Operations

GCHQ accesses TAT-14 (transatlantic), SEA-ME-WE 4 (Europe to Asia, 17 countries), and other cable systems at UK landing points. Operation Socialist compromised Belgacom’s infrastructure to intercept EU institutional traffic. GCHQ operates surveillance facilities in Oman monitoring nine cables through the Strait of Hormuz, covering traffic between Europe, the Middle East, and Asia. Overseas operations face weaker oversight than domestic warrants.[22][23][24]

Commercial Surveillance Procurement

Palantir Technologies

The UK is one of Palantir’s largest government clients. On December 30, 2025, the MoD awarded a £240.6 million direct-award contract (no competitive tender, defence exemption) for data analytics interoperable with NATO, after Palantir hired four senior MoD officials during 2025. Combined with the £330 million NHS Federated Data Platform contract, total Palantir UK government spending exceeds £500 million. Unlike IPA-regulated intelligence collection, Palantir contracts have no equivalent judicial oversight.[25]

Live Facial Recognition

The Metropolitan Police deployed LFR 231 times in 2025, scanning 4.2 million people, and installed the UK’s first permanent LFR cameras in Croydon with no specific statutory authorisation. A High Court judicial review (January 2026, judgment pending) challenges LFR under Articles 8, 10, and 11 ECHR, arguing Met policy provides “virtually no constraints” on deployment. There is currently no bespoke legislation governing police LFR in England and Wales.[26]

Age Verification: Identity Infrastructure as Surveillance

The Online Safety Act 2023 requires platforms to prevent children from accessing harmful content, with Ofcom empowered to mandate age verification solutions. The Act’s scope extends beyond pornography to any content harmful to children, requiring age assurance across a wide range of online services. Combined with the deferred encrypted scanning provision (which would require platforms to scan content on encrypted services), the OSA creates a framework where both identity verification and content scanning infrastructure may be imposed on platforms serving UK users.[14]

The UK government has also tied age verification to its surveillance powers: the Investigatory Powers (Amendment) Act 2024’s notification requirement ensures the government is consulted before platforms implement technical changes (including privacy-enhancing features such as encryption) that could affect lawful access, and by extension any age-assurance arrangement that depends on them. The result is a regulatory environment in which age verification infrastructure (biometric age estimation, digital identity tokens, or document verification) becomes a permanent identity layer across the internet, generating metadata about who accesses which services. Once built for child protection, that infrastructure can be repurposed for other regulatory or surveillance objectives.

Ofcom Age Assurance Enforcement (2026): Ofcom’s first wave of Online Safety Act enforcement has targeted providers that failed to deploy “highly effective age assurance.” On February 23, 2026, Ofcom fined 8579 LLC £1.35 million for failing to implement the required age checks, plus £50,000 for ignoring a legally binding information request, the first OSA age-assurance penalty. On February 20, 2026, Ofcom opened an investigation into Reply Buzzer Ltd under the same programme. A compliance deadline of April 16, 2026 required all in-scope services to complete children’s access assessments, and the largest platforms were required to report to Ofcom by April 30, 2026 on minimum-age policies, anti-grooming controls, algorithmic-feed safety, and AI risk assessments; Ofcom is reviewing the submissions to determine which providers warrant escalation. On March 25, 2026, Ofcom and the ICO published a joint statement on age assurance setting common expectations for services in scope of both the Online Safety Act and UK data protection law, signalling coordinated enforcement. As of mid-2026 Ofcom has launched five enforcement programmes and opened 21 investigations into 69 sites and apps. Meta filed a judicial review in May 2026 challenging Ofcom’s OSA fee-and-penalty methodology; the first round of OSA invoices is expected in Q3 2026.[36][37][40]

VPN Circumvention and Ofcom Monitoring: UK VPN sign-ups surged 1,400–1,800% in the days following the July 25, 2025 enforcement go-live and remained sustained for weeks (Proton AG described the trajectory as “usually associated with civil unrest”). Ofcom has acknowledged that VPNs themselves cannot be blocked under the Online Safety Act, and in 2026 confirmed it is using a third-party monitoring tool with AI capabilities to track VPN-traffic trends as part of OSA oversight. The UK government has separately warned that platforms which “deliberately target UK children and promote VPN use” could face enforcement action under the OSA, including fines of up to £18 million or 10% of global revenue. Unlike the US Utah SB 73 model, Ofcom’s leverage runs through the in-scope service, not the VPN provider or the user.[38]

Device-Level Nude-Image Blocking: The London Tech Week Ultimatum (June 2026)

On June 8, 2026, in a speech at London Tech Week, Prime Minister Keir Starmer gave Apple, Google, and other operating-system providers three months to build or activate on-device technology that detects and blocks nude images for children across all apps and services. The Home Office wants nudity blocked across the whole device by default, switched off only through age assurance, so that adults retain access after verifying their age. The requirement would apply to UK smartphones and tablets already in use as well as newly sold devices, and the proposed legislation could reach not only OS providers but others in the supply chain, including retailers. If companies do not act within three months, the government says it will legislate to compel them, with fines and, as a last resort, criminal liability for “tech bosses.” Home Secretary Shabana Mahmood said tech companies have “a moral duty to act, by making it impossible for children to take, share or view nude images”; ministers pointed to SafeToNet’s HarmBlock as a proof of concept for device-level detection that, they argue, keeps data on the handset.[44]

Privacy and security groups characterised the proposal as government-mandated client-side scanning, the same architecture that drew international opposition to Apple’s abandoned 2021 on-device CSAM-detection plan and to the Online Safety Act’s deferred encrypted-scanning power. Signal warned the plan “will not keep children safe” and “endangers us all,” arguing that scanning every user’s content on the device breaks the trust model that makes end-to-end encryption meaningful and that such capabilities “never remain narrowly scoped” once built. Critics note that on-device AI scanning still inspects every image a user sends or views and relies on detection models that can be updated remotely, leaving the system open to expansion toward whatever content a future government deems objectionable, the same function-creep concern long raised against the IPA’s bulk powers. Coming months after the Apple Technical Capability Notice dispute, the ultimatum puts the UK at the centre of the global debate over whether device-level scanning can be reconciled with strong encryption.[45]

Under-16 Social Media Ban (proposed, June 15, 2026): Prime Minister Keir Starmer announced plans to bar under-16s from social media platforms including TikTok, Instagram, Snapchat, Facebook, YouTube, and X, while excluding messaging services such as WhatsApp and Signal. The measure is a government proposal, not yet law: ministers say they will bring legislation before Parliament by the end of 2026, with restrictions expected to take effect in spring 2027. Enforcement would run through Ofcom under the Online Safety Act framework, with non-compliant platforms facing significant penalties; the plan also extends to preventing strangers from contacting children on gaming and livestreaming services and restricting under-18 interactions with explicit-capable AI chatbots. Critically for privacy, the ban would require all users, not only minors, to undergo age verification via government ID, credit card, or facial-age estimation to access in-scope services, deepening the permanent identity layer the Online Safety Act has already begun to build. Starmer framed the regulations as a “line in the sand,” saying “tech giants had their chance and failed”; Technology Secretary Liz Kendall said companies had “countless opportunities to keep children safe, yet they have failed to act.” Civil-liberties groups, including Amnesty International, called the diagnosis right but the prescription wrong, warning that universal age checks normalise mass identity verification and surveillance of the entire adult population to police a minority of accounts.[50]

Data Retention

DRIPA 2014 (emergency fast-tracked legislation) was struck down by the High Court in 2015 and repealed by the IPA 2016. Current retention under IPA Part 4: Secretary of State can require telecom operators to retain metadata for up to 12 months with Double Lock authorisation. Internet connection records (websites visited, apps used) are also retained for 12 months.[27][28]

International Data Sharing Agreements

UK-US CLOUD Act Agreement

Signed October 3, 2019 and in force from October 3, 2022, the first CLOUD Act agreement worldwide. It allows UK law enforcement to serve legal process directly on US tech companies (Google, Microsoft, Meta, Apple) for communications data, eliminating MLAT waits of around 10 months. It is reciprocal: US authorities can serve UK companies directly, bypassing UK courts and the IPC. Renewed November 25, 2024 (three years early). By October 2024, the UK had issued 20,142 requests to US providers versus just 63 US requests to UK providers, a 320:1 asymmetry.[29][30]

Mutual Legal Assistance: Layered Framework

Council of Europe (50 signatory states): The UK remains party to the European Convention on Mutual Assistance in Criminal Matters (1959) and its Additional Protocols, providing MLA coverage with all Council of Europe members. This is now the UK’s primary multilateral MLA framework following the loss of EU instruments.

EU-UK Trade and Cooperation Agreement (TCA): The December 2020 TCA includes provisions for law enforcement and criminal justice cooperation, partially replacing lost EU frameworks. It covers surrender arrangements (replacing the European Arrest Warrant), exchange of criminal records (replacing ECRIS), and cooperation with Europol and Eurojust, though with reduced capabilities compared to full EU membership.

Bilateral MLAT with the United States: Longstanding treaty predating the CLOUD Act. Remains in force for evidence types not covered by the CLOUD Act (witness testimony, asset freezing, non-electronic evidence). The Home Office serves as UK central authority.[31]

Bilateral treaties: The UK maintains bilateral MLATs and extradition treaties with numerous countries, many including data sharing provisions. Commonwealth cooperation agreements leverage historical relationships.

Five Eyes Intelligence Sharing: Founding Member

Under the UKUSA Agreement (1946), GCHQ shares SIGINT with the NSA, CSE, ASD, and GCSB by default. The Five Eyes framework creates a reciprocal surveillance mechanism: GCHQ can collect on US, Canadian, Australian, or New Zealand persons and share with those agencies, circumventing their domestic surveillance restrictions. Conversely, partner agencies can collect on UK persons and share with GCHQ, bypassing IPA domestic restrictions. GCHQ provides the NSA with Tempora cable intercepts and receives NSA intelligence in return.[32]

Post-Brexit: Loss of EU Data Sharing

The UK lost access to the Schengen Information System (SIS II) and its real-time alerts, the European Investigation Order (EIO), and the Prüm framework for exchanging DNA, fingerprint and vehicle-registration data.[33]

The I-LEAP (International Law Enforcement Alerts Platform) is being developed as a SIS II replacement, but the UK has emphasised pursuing a multilateral EU agreement rather than bilateral deals.

Other Frameworks

EU-US Umbrella Agreement: The UK is no longer directly party post-Brexit but cooperates under the TCA framework.

SWIFT/TFTP: UK persons’ international wire transfers are subject to US Treasury subpoena.

PNR: Passenger data is shared for US-bound flights.

Interpol I-24/7: Full participation (195 countries).

Europol: Cooperation maintained under the TCA, though with reduced access compared to full membership.

The Privacy Backdoor Effect

Despite the IPA’s Double Lock mechanism, international agreements create alternative access pathways: CLOUD Act requests served directly on providers in the other country, default Five Eyes SIGINT sharing, and MLAT requests routed through the Home Office as central authority.

The result: the Double Lock and IPC oversight, while robust for domestic warrants, do not extend to data obtained through CLOUD Act requests, Five Eyes sharing, or MLAT channels, creating a gap between domestic protections and international data sharing frameworks.

Operation Saffron: UK Participation in First VPN Takedown (May 2026)

The United Kingdom was among the main participating states in Operation Saffron (May 19–20, 2026), the Europol- and Eurojust-supported, France/Netherlands-led action that dismantled the criminal anonymisation service “First VPN” used by 25+ ransomware groups since 2014. Authorities seized 33 servers across 27 countries and obtained the service’s complete user database of 5,000+ accounts, with intelligence on 506 users shared across partner states. UK participation continues its post-Brexit pattern of close operational cooperation with Europol and EU member states on cybercrime-infrastructure takedowns, alongside its CLOUD Act and Five Eyes data-sharing channels.[43]

Pending Legislation

National Digital ID Scheme (“BritCard”)

The government published a consultation in March 2026 on a national digital identity scheme, with legislation expected later in the Parliament. As proposed, use would not be mandatory in any scenario (the bill is expected to say so explicitly), data would remain with the organisations that already hold it rather than in a central database, and people aged 16 and over could apply, though the consultation asks whether to lower the age to 13 or remove it. By the end of the Parliament the digital ID is intended to take a central role in right-to-work checks. The scheme is highly contentious: a parliamentary petition against mandatory digital ID gathered nearly 3 million signatures, and MPs warned the infrastructure could “follow us, link our most sensitive information and expand state control.”[41]

Police Biometrics and AI/ADM Code

Lawmakers are also preparing a contentious police biometrics bill alongside the digital-ID legislation, raising facial-recognition and retention concerns. Separately, the Data Protection Act 2018 (Code of Practice on AI and Automated Decision-Making) Regulations 2026 establish a statutory code on AI and automated decisions, implementing provisions of the Data (Use and Access) Act 2025. Ofcom and the ICO continue to develop age-assurance expectations under the Online Safety Act and data-protection law (joint statement March 25, 2026).[42][37]

Sources

[1] Wikipedia: Investigatory Powers Act 2016 – Bulk interception, equipment interference, oversight
[2] EFF: UK Still Trying to Backdoor Encryption for Apple Users – TCN, Advanced Data Protection blocked
[3] US DOJ: Landmark US-UK Data Access Agreement (October 2022) – First CLOUD Act agreement worldwide
[4] Skillcast: Biggest ICO Fines – BA, Marriott, TikTok, Clearview AI
[5] Measured Collective: ICO Enforcement in 2025 – Capita GBP 14M, 23andMe, H1 2025 trends
[6] Wikipedia: Data Protection Act 2018 – Part 4 intelligence services regime
[7] ICO: DUAA 2025 – Recognised legitimate interests, cookie reform, transfer standard
[8] Hunton: EU Renews UK Adequacy (December 2025) – Renewed until December 2031
[9] Wikipedia: IPA 2016 – Bulk powers, ICRs, Double Lock, oversight
[10] DLA Piper: IPA Amendment Act 2024 – Notification requirement, BPDs
[11] Issues in Cybercrime Law: Apple TCN – IPA s.253, extraterritorial scope
[12] Computer Weekly: Apple IPT Appeal – Proportionality, Article 8 ECHR
[13] Wikipedia: RIPA 2000 – Encryption Part III, CHIS, surveillance
[14] Wikipedia: Online Safety Act 2023 – Encrypted scanning, Ofcom
[15] GOV.UK: Section 94 Telecommunications Act 1984 – Secret bulk collection since 2001
[17] Wikipedia: Intelligence Services Act 1994 – MI6, Section 7 immunity
[19] Privacy International: GCHQ Mass Surveillance – Tempora, full-take, 200+ cables
[20] Amnesty UK: GCHQ Ruling – IPT found PRISM access breached human rights
[22] The Guardian: GCHQ Taps Fibre-Optic Cables – TAT-14, cable access
[23] Der Spiegel: GCHQ Hacked Belgacom – Operation Socialist
[24] Declassified UK: GCHQ Oman Base – Nine cables, Strait of Hormuz
[26] The Register: High Court LFR Review (January 2026) – 231 deployments, 4.2M scanned, Croydon permanent cameras
[27] Wikipedia: DRIPA 2014 – Struck down, repealed by IPA
[28] The Cyber Solicitor: IPA Retention Notices – ICRs, 12-month retention
[29] GOV.UK: UK-US Data Access Agreement – First CLOUD Act agreement, October 2022
[30] Perkins Coie: US-UK Data Access Agreement – November 2024 renewal, 20,142 UK requests, 320:1 asymmetry
[32] Privacy International: Five Eyes – UKUSA 1946, default sharing, warrant bypass
[33] Statewatch: UK-EU Police Data Sharing Post-Brexit – Lost SIS II, EIO, Prüm; I-LEAP development
[34] Computer Weekly: Home Office Issues New Backdoor Order Over Apple Encryption (September 2025) – Global TCN withdrawn after US pressure; new UK-only TCN issued; original Apple IPT appeal dropped; Privacy International/Liberty separate challenge filed
[35] ICO: Reddit Issued with £14.47M Fine for Children’s Privacy Failures (February 24, 2026) – Largest ICO children’s data fine; no age assurance, no DPIA; Children’s Code enforcement
[36] Ofcom: Age Checks to Protect Children Online – First OSA age-assurance enforcement: 8579 LLC £1.35M + £50K fine (Feb 23, 2026); Reply Buzzer Ltd investigation (Feb 20, 2026); April 16, 2026 children’s access assessment deadline; April 30, 2026 reporting deadline for largest platforms on minimum-age, anti-grooming, algorithmic-feed safety, AI risk
[37] Ofcom & ICO: Joint Statement on Age Assurance (March 25, 2026) – Common expectations for age assurance on services likely to be accessed by children that fall within both the Online Safety Act 2023 and UK data protection law; coordinated enforcement framework
[38] UKFCF/ISPreview: Ofcom Monitoring UK VPN Use Due to OSA Circumvention – Ofcom acknowledges VPNs cannot be blocked under OSA; third-party AI-capable monitoring tool tracking VPN traffic; UK government warning about platforms “deliberately targeting UK children and promoting VPN use”; Proton 1,400–1,800% UK sign-up surge post-July 25, 2025 enforcement; OSA fines up to £18M or 10% global turnover
[39] ICO: Fine of Nearly £1M Against South Staffordshire Water (May 2026) – £963,900 penalty; phishing attack initiated 2020, ransomware operative May–July 2022; only 5% of IT environment monitored; obsolete unsupported software; unpatched critical systems; 633,887 personal records exposed; 20-month undetected dwell time
[40] The Next Web: Meta Takes Ofcom to Court over OSA Fee Methodology (May 2026) – Judicial review challenges how Ofcom calculates fees and penalties under the Online Safety Act; first invoices to issue Q3 2026 (likely September); first major platform challenge to OSA financial regime
[41] House of Commons Library: Digital ID in the UK (March 2026) – Government consultation on a national digital identity scheme; not mandatory; data held by existing controllers (no central database); 16+ eligibility (consultation asks whether to lower to 13); central role in right-to-work checks; ~3 million-signature petition against mandatory digital ID
[42] Biometric Update: UK Lawmakers Prepare for Contentious National Digital ID, Police Biometrics Bills (May 2026) – Forthcoming national digital ID and police biometrics legislation; facial-recognition and biometric-retention concerns; DPA 2018 (AI and Automated Decision-Making Code of Practice) Regulations 2026
[43] Help Net Security: Authorities Dismantle First VPN, Used by Ransomware Actors (May 21, 2026) – Operation Saffron (May 19–20, 2026) led by France and the Netherlands with Europol and Eurojust; the United Kingdom among the main participating states; 33 servers seized across 27 countries; complete user database of 5,000+ accounts obtained; intelligence on 506 users shared with partner countries
[44] GOV.UK: New Plans to Stop Children Taking, Sharing or Viewing Nude Images (June 8, 2026) – PM Starmer London Tech Week ultimatum; Apple/Google/OS providers given three months to activate device-level detection blocking nude images for children by default, deactivated only via age assurance; applies to existing and newly sold UK devices; supply chain incl. retailers; non-compliance triggers legislation with fines and possible criminal liability for “tech bosses”; Home Secretary Shabana Mahmood “moral duty to act”; SafeToNet HarmBlock cited as proof of concept
[45] The Register: Signal Says UK Plan to Scan Devices for Nude Images ‘Endangers Us All’ (June 9, 2026) – Privacy/security critique of the device-level scanning order as client-side scanning; Signal warns it “will not keep children safe” and surveillance capabilities “never remain narrowly scoped”; comparisons to Apple’s abandoned 2021 CSAM-detection plan, the Online Safety Act encrypted-scanning power, and IPA bulk powers
[46] Justice and Security Act 2013, Part 1 (ISC oversight) – Reconstituted the ISC as a committee of Parliament; nine members from both Houses appointed by their respective Houses on PM nomination; chair elected by members; reports laid before Parliament subject to PM redaction of material prejudicial to national security
[47] Intelligence and Security Committee of Parliament – Statutory oversight of MI5, MI6, GCHQ and the wider intelligence community; reviews policy, administration, expenditure and operations; publisher of the July 2020 Russia report and reviews of bulk powers, detainee mistreatment and China
[48] Wikipedia: Mastering the Internet – GCHQ programme budgeted at over £1 billion to intercept and process internet and telephone traffic; Tempora (buffering) and Global Telecoms Exploitation (telephony) as components; NSA contribution of £17.2M reported from Snowden documents
[49] The Intercept: From Radio to Porn, British Spies Track Web Users’ Online Identities (September 25, 2015) – Karma Police aim to build “a web browsing profile for every visible user on the Internet”; Black Hole metadata repository; Mutant Broth cookie analysis; Social Anthropoid; programme begun 2007, disclosed from the Snowden archive
[50] IAPP: UK Announces Social Media Ban and Content Restrictions for Under-16s (June 15, 2026) – PM Starmer proposal (not yet law) to bar under-16s from TikTok/Instagram/Snapchat/Facebook/YouTube/X, excluding WhatsApp/Signal; legislation before Parliament by end of 2026, in force spring 2027; Ofcom enforcement under Online Safety Act; universal age verification (government ID, credit card, facial-age estimation); also gaming/livestreaming stranger-contact limits and under-18 AI-chatbot restrictions; 90% parental support, 116,000+ Ofcom consultation responses