Metropolitan Police made 700,000+ data requests in 2025 – a breach of digital rights?

In 2025 the Metropolitan Police Service (MPS) asked technology companies for private communications data more than seven hundred thousand times, according to a Freedom of Information (FoI) request obtained by The Register. The figure includes requests for metadata from everyday platforms – from food‑delivery apps to low‑cost mobile operators – and a dramatic rise in requests to the migrant‑focused MVNO LycaMobile.

---

Legal basis for the requests

The police rely on powers granted to the Office for Communications Data Authorisations (OCDA), now part of the Investigatory Powers Commissioner’s Office (IPCO). Under the Investigatory Powers Act 2016 (IPA), a senior officer can authorise the acquisition of communications data (CD) – information such as call logs, IP addresses and payment details – without a judicial warrant.

While CD does not contain message content, the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 still treat it as personal data. Article 6(1)(e) of the GDPR permits processing when it is necessary for the performance of a task carried out in the public interest, but the processing must be necessary and proportionate. The same principle is echoed in the California Consumer Privacy Act (CCPA), which requires businesses to disclose any government request for personal information and to limit collection to what is strictly required.

---

Who was affected?

Provider	Requests in 2025	Notable points
LycaMobile	93,527	500 % increase from 2024; provider serves many migrant and low‑income users
Proton Mail	139	Metadata only – includes payment details and IPs. Proton says Swiss law requires foreign requests to go through Swiss authorities
ProtonVPN	–	Proton claims no logs exist, making the request “highly dubious”
Signal	1	Signal states it has never supplied UK data; the single request could only have yielded registration details
Uber, Bolt, JustEat, Deliveroo, Domino’s	768	Requested for “intelligence analysis” of ride and delivery records
Other UK mobile operators (Vodafone, O2, Three, Lebara)	< 15,000 each	No comparable surge

The data also show that lawyers were targeted 219 times and journalists 157 times in 2024, with 106 warrant applications specifically aimed at identifying sources. Those applications can include content interception, a step beyond metadata collection.

---

Why the surge matters for users and companies

1. Potential GDPR breaches – The GDPR requires a data protection impact assessment (DPIA) when processing is likely to result in a high risk to individuals’ rights. The sheer volume of requests, especially the spike toward LycaMobile, suggests that many of these assessments may not have been carried out, exposing both the police and the companies to fines of up to €20 million or 4 % of global turnover.
2. Risks to journalistic sources – Even metadata can reveal patterns that identify a source. The lack of a requirement to inform the targeted professional undermines the GDPR’s principle of transparency and the UK’s own Data Protection (Journalists, Lawyers and Others) Regulations.
3. Cross‑border complications – Requests to Swiss‑based Proton Mail must pass through Swiss authorities. If the MPS bypasses that step, it could be infringing the EU‑Swiss Data Transfer Agreement and exposing the UK to international dispute.
4. Discriminatory impact – The focus on LycaMobile, a service used heavily by migrants and racialised communities, raises concerns under Article 7 of the GDPR, which prohibits processing that results in discriminatory outcomes.
5. Company compliance costs – Firms must log each request, assess its legality, and, where possible, challenge over‑broad demands. Failure to do so can trigger enforcement action from the ICO (Information Commissioner’s Office) or the California Attorney General under the CCPA.

---

What changes are needed?

Recommendation	Rationale
Mandatory DPIA for every bulk request	Ensures necessity and proportionality are demonstrated before data is handed over.
Independent judicial oversight for all CD requests	Removes the “operational autonomy” loophole that allows senior officers to approve requests without a judge.
Transparent reporting to data subjects	GDPR’s article 13 requires clear information about processing; a simple notice to affected users would restore some accountability.
Stricter limits on requests to MVNOs serving vulnerable groups	Prevents the digital border from expanding through policing, as warned by civil‑rights groups.
Cross‑jurisdictional safeguards	For foreign‑based services, the UK must respect the legal channels of the host country, otherwise it risks breaching international data‑transfer rules.
Enhanced protections for journalists and lawyers	Codify the requirement that any request involving a protected professional must be justified with a higher standard of proof.

---

The road ahead

The ICO has opened a preliminary investigation into the Met’s data‑request practices. If it finds systematic non‑compliance with GDPR, the force could face a fine of up to £17.5 million (the UK’s 4 % cap). Meanwhile, advocacy groups such as the National Union of Journalists and Migrants’ Rights Network are calling for parliamentary scrutiny of the OCDA’s delegation of authority.

For ordinary users, the takeaway is clear: the metadata that powers everyday services is now a frequent target of police surveillance. Under GDPR and CCPA, that data is still personal data, and the law demands that any government request be necessary, proportionate, and transparent. Until those safeguards are reinforced, the balance between public safety and digital privacy remains heavily tilted toward the former.

---

The Register will continue to monitor the Met’s compliance with data‑protection law and report on any enforcement action taken by the ICO or other regulators.