Could Apple's Response to the UK's Request for Data Access Impact US-Based Accounting Firms?
This is not just a security concern between the UK and US; there is global impact.
In February 2025, Apple found itself at the center of a global data privacy battle as it refused to comply with a UK government order requiring backdoor access to its encrypted iCloud services. The UK issued a Technical Capability Notice (TCN) under the Investigatory Powers Act 2016 (IPA), demanding that Apple create a mechanism for law enforcement to access end-to-end encrypted (E2EE) iCloud backups.
Rather than compromise its encryption, Apple chose to discontinue Advanced Data Protection (ADP) in the UK. ADP is Apple's strongest cloud encryption offering, ensuring that iCloud data (including photos, messages, and backups) is encrypted in such a way that even Apple cannot access it.
This move has global consequences, especially for US-based accounting firms, which frequently store, transfer, and process financial data for international clients. Additionally, it raises critical concerns about the CLOUD Act, a US law that governs cross-border data access and law enforcement cooperation in cases involving encrypted information.
How Apple's Encryption Change Affects US Users
Data Security and Compliance Risks
For US-based accounting firms, client confidentiality is both critical and required. Firms handling UK clients' financial records may find their iCloud-stored data no longer protected by end-to-end encryption.
Key concerns include:
Increased Risk of Data Exposure: Without ADP, iCloud-stored documents, tax filings, and sensitive financial records could be more vulnerable to UK law enforcement access.
Regulatory Conflicts: Many US accounting firms must comply with SEC, FINRA, SOX (Sarbanes-Oxley Act), the FTC Safeguards Rule, and GLBA (Gramm-Leach-Bliley Act) regulations that mandate strict data protection measures. The lack of ADP in the UK makes compliance nearly impossible.
Legal Ambiguity in Cross-Border Data Transfers: Accounting firms that store data across multiple jurisdictions must ensure compliance with both US and UK regulations, which now conflict in terms of encryption protections.
The CLOUD Act: How US Law Intersects with Apple’s Encryption Changes
The CLOUD Act (2018) allows US law enforcement agencies to access data stored by American companies, even if the data is located outside the US. However, it also allows the US to enter bilateral agreements with other countries (such as the UK) to facilitate easier access to encrypted data for law enforcement purposes.
Some of the key elements of the CLOUD Act include:
Firms Using Apple’s iCloud Services May See Their Data Accessible to Foreign Governments
With Apple removing ADP from UK users, US-based accounting firms working with UK clients must consider whether data stored in iCloud could be subject to UK law enforcement requests under the CLOUD Act agreement between the US and the UK.
Client Data Could Be Handed Over Without Client Consent
Under the US-UK CLOUD Act agreement, law enforcement agencies in either country can request access to data stored by Apple, Google, or Microsoft without notifying the data owner.
Potential Need for Alternative Encryption Solutions
To avoid compliance risks, accounting firms may need to switch to private encryption solutions or cloud storage providers that do not automatically comply with UK legal demands.
Potential Long-Term Consequences for the Industry
a) Pressure on Other Tech Companies
Apple’s refusal to comply with UK demands sets a precedent. Other cloud providers like Google, Microsoft, and Dropbox may face similar pressure to remove encryption features. If they follow Apple’s lead, more accounting firms will have to re-evaluate their entire cloud storage approach.
b) Increased Adoption of On-Premises and Hybrid Solutions
Due to these evolving risks, some US accounting firms may move away from cloud-only solutions in favor of hybrid or on-premises storage. This approach:
Reduces exposure to government surveillance.
Ensures compliance with stringent US regulations.
Gives firms greater control over encryption mechanisms.
c) Regulatory Backlash from the EU and Other Jurisdictions
The European Union’s GDPR (General Data Protection Regulation) takes a strong stance on data security. The weakening of encryption standards in the UK could result in new legal conflicts between the UK and the EU, potentially forcing US firms to navigate another layer of complexity in their international operations.
So How Do We Respond?
With Apple’s encryption rollback in the UK and the increasing role of the CLOUD Act in global data governance, US-based accounting firms must take proactive steps to safeguard their data and client confidentiality.
Recommended Actions:
Evaluate Cloud Storage Providers and consider alternatives to iCloud, such as secure portals, AWS, Box, or Tresorit, which offer more customizable encryption options.
Implement Additional Encryption Layers, such as using third-party encryption tools to protect financial documents before uploading them to cloud services.
Advise Clients on Data Security Changes during the engagement process with clients based in the UK or operating globally.
Revisit data storage and encryption policies to prevent exposure under foreign surveillance laws.
Adoption of zero-knowledge encryption tools (like Tresorit or ProtonDrive) may be necessary to ensure that neither Apple nor any government can access financial records.
Client communication must be updated to reflect changes in cloud storage risks.
Apple’s refusal to comply with the UK’s backdoor demands marks a significant moment in the global encryption debate. However, the implications for US-based accounting firms go beyond Apple itself—they highlight a broader trend toward government intervention in cloud-stored financial data.
With the CLOUD Act facilitating cross-border access to encrypted data, accounting firms must now proactively secure their information while ensuring compliance with US, UK, and global financial regulations. Those who fail to adapt risk compromising both client confidentiality and regulatory compliance, making robust data protection measures more critical than ever.