David TaylorWhatsApp is trending in the UK in May 2026 — and not because of a new feature. The messaging giant is at the centre of a landmark legal battle with the UK government over encryption backdoors, a dispute that has major implications for every British business using the app to communicate.
The Technical Capability Notice Behind the Row
In early 2025, the UK Home Office issued a Technical Capability Notice (TCN) to Apple under the Investigatory Powers Act 2016. The TCN required Apple to build a backdoor into its Advanced Data Protection (iCloud encryption) system, granting UK authorities access to end-to-end encrypted data.
Apple refused and withdrew its Advanced Data Protection feature from the UK entirely. WhatsApp subsequently announced it was backing Apple's position and intended to submit evidence in the legal proceedings challenging the Home Office order.
Will Cathcart, head of WhatsApp, warned publicly that the UK's demands could "set a dangerous precedent", potentially encouraging authoritarian governments worldwide to make similar demands and eroding global encryption standards.
A tribunal is scheduled to hear seven days of open evidence in 2026, with challenges from Privacy International and other groups contesting the legality of TCNs under the Human Rights Act.
What This Means for UK Data Protection Law
The dispute is unfolding against a backdrop of major change in UK data protection law. On 5 February 2026, key reforms to the UK's data protection regime came into force. The changes introduced new flexibility for businesses in areas like cookie consent and automated decision-making, but simultaneously raised the bar for compliance in the handling of children's data and sensitive personal information.
According to the Information Commissioner's Office, businesses must ensure that any third-party communication tool used for processing personal data meets UK GDPR standards — including demonstrating that data is stored and transmitted securely.
That is where WhatsApp sits in an awkward position. End-to-end encryption is precisely what makes WhatsApp compliant with data security expectations under UK GDPR. If the UK government succeeds in forcing backdoors, encrypted communications tools would no longer be technically secure — and businesses relying on WhatsApp for internal communications could face unexpected compliance exposure.
The Risk for UK Businesses Using WhatsApp at Work
Surveys consistently show that WhatsApp is one of the most widely used business communication tools in the UK, particularly among small and medium enterprises (SMEs). Teams share files, discuss clients, and coordinate operations on the platform daily.
If UK authorities gain compelled access to encrypted messaging data, the risks for businesses include:
Confidential communications exposed. Solicitor-client privilege, medical consultations, financial advice — all transmitted over WhatsApp — could potentially fall within the scope of a TCN. UK professionals in regulated industries (law, healthcare, finance) should review whether their firm's data handling policies adequately address this scenario.
GDPR liability. Under the UK GDPR, a business is responsible for any personal data it processes through third-party tools. If WhatsApp is compelled to provide access to messages containing client data, the business — not just WhatsApp — could face scrutiny from the ICO over whether its transfer mechanism was lawful.
Mitigating steps businesses can take now include:
- Auditing which categories of data are shared over WhatsApp (special category data, such as health information, attracts stricter rules)
- Documenting a legitimate basis for using WhatsApp as a business tool
- Considering enterprise-grade alternatives (Signal for Business, Microsoft Teams with E2E, or self-hosted solutions) for the most sensitive communications
- Reviewing employment contracts and bring-your-own-device (BYOD) policies to clarify when WhatsApp use is sanctioned
How Ofcom Is Involved
The Online Safety Act tasked Ofcom with consulting on client-side scanning — a method of scanning messages locally on a device before encryption. Ofcom was due to report back to government on the technical feasibility of such scanning by April 2026. Critics, including WhatsApp and numerous cybersecurity researchers, argue that client-side scanning is functionally equivalent to breaking end-to-end encryption.
As of May 2026, Ofcom's conclusions have not yet been implemented in law, but the direction of travel is clear. UK policymakers are seeking capabilities to access encrypted communications. Whether they succeed will be determined partly by the tribunal hearing, partly by political will, and partly by how loudly businesses and civil society push back.
Practical Advice for IT Decision-Makers
The uncertainty itself creates risk. UK IT consultants are advising clients to treat the current period as a window for proactive action rather than waiting for the outcome of the tribunal.
Three steps worth taking before the tribunal's findings:
Map your messaging data flows. Which teams use WhatsApp? For what categories of information? Producing a simple data flow map will tell you exactly how exposed you are if backdoors are mandated.
Update your privacy notices. If personal data processed via WhatsApp is mentioned in your privacy notice (it should be), update the risk disclosures to reflect the ongoing legal uncertainty around encryption.
Have a contingency plan. Identify at least one alternative encrypted messaging solution your organisation could migrate to within 30 days if WhatsApp's security model materially changes.
At Expert Zoom, you can connect with experienced IT and data protection consultants who help businesses navigate UK digital compliance in fast-moving regulatory environments. For related reading on UK digital privacy rights, see our earlier analysis: What Bluesky's Outage Revealed About UK Users' Data Privacy Rights.
This article is for informational purposes only and does not constitute legal or technical advice. For specific compliance guidance, consult a qualified data protection officer or IT consultant.
