9MAR

ORG brands UK tech dependency a risk

4 min read

05:12UTC

The Open Rights Group published 'Tech Giants and Giant Slayers' on 15 April, branding Britain's decade of US-tech dependency a national security vulnerability. It cites a CMA estimate that the UK wastes £500m a year on cloud lock-in alone.

← Back to Mojtaba named leader; oil $116; acid rain Jump to analysis ↓

ConflictDeveloping

Key takeaway

The CMA figure means the entire Sovereign AI Fund is being burned every year on cloud lock-in alone.

The Open Rights Group published "Tech Giants and Giant Slayers" on 15 April 2026, arguing Britain's decade of US-tech dependency is a national security vulnerability ¹. The report cites a Competition and Markets Authority (CMA) estimate that the UK wastes £500m a year on cloud services due to lock-in, switching barriers and project overruns ¹. It flags the US CLOUD Act, the US federal law requiring disclosure of overseas data held by US-headquartered companies, as a mechanism that can compel UK data disclosure without UK consent, and points to Microsoft's documented shutdown of email services for individuals hit by ICC-related sanctions as concrete precedent ¹. Palantir contracts, the report adds, are expanding rather than shrinking ¹.

The CMA figure sits awkwardly next to the Sovereign AI Fund . In budget terms, the annual cloud waste matches the entire fund spent every year on lock-in alone, yet DSIT has not matched it with a single cloud-layer instrument. The CMA cloud investigation closed in July 2025 without DMA-equivalent enforcement powers, leaving the exposure untouched. Britain is solving the model layer at the margin while the cloud layer still bleeds at scale.

The CLOUD Act flag shifts the framing from commercial efficiency to legal exposure. ICC-sanctioned individuals losing Microsoft email access is not a hypothetical: it is precedent that a US statute can reach UK users through the infrastructure they already use, regardless of where the data sits. The report treats this as an analogue of the EU-level Draghi Report's 11.2% implementation rate after one year : stated ambition without the matching legal instrument. Britain is building a national champion upstairs and leaving the front door open downstairs.

Deep Analysis

In plain English

The Open Rights Group is a British digital rights organisation. In April 2026 it published a report arguing that Britain's dependence on American technology companies carries national security consequences beyond commercial inefficiency. The core of the argument: a US law called the CLOUD Act means American companies can be ordered by US courts to hand over data they hold on behalf of British customers, including government data, without UK courts being involved. The ORG cites Microsoft shutting down email accounts for people sanctioned by the International Criminal Court as a real-world example where US law reached into British infrastructure and cut off services. The Competition and Markets Authority (the UK's competition regulator) estimates that Britain wastes £500m a year on cloud services purely because of the difficulty of switching providers. The report argues that building a domestic AI sector while leaving this dependency unaddressed is building on a compromised foundation.

Source Landscape

This story draws on neutral-leaning sources from United Kingdom

United Kingdom

Primary parallel: The 1970 Bank Secrecy Act and subsequent US Treasury regulations compelled Swiss banks to disclose US account-holder information, ending Swiss banking secrecy for American clients despite the data being held in Switzerland under Swiss law.

The mechanism was structurally identical to the CLOUD Act: US law reaching extraterritorially to compel disclosure from entities with US commercial relationships, regardless of where the data physically sat. European banks complied because access to the US financial system was commercially irreplaceable; UK cloud dependency on AWS, Azure, and Google creates the same leverage structure in digital infrastructure.

Counter-parallel: The EU's GDPR, in force since May 2018, was designed in part to establish European data as subject to European law regardless of where it was processed. In practice, Schrems II (2020 Court of Justice ruling) invalidated Privacy Shield and tightened US-EU data transfer rules, forcing US cloud providers to establish additional contractual safeguards.

GDPR reduced the commercial simplicity of US cloud for European operators without eliminating the CLOUD Act exposure, demonstrating that regulatory countermeasures can complicate the dependency without resolving the underlying jurisdictional conflict.

The CMA's £500m annual cloud waste figure cited in the ORG report covers only the direct switching costs and procurement overruns attributable to lock-in. The broader economic exposure includes the legal and compliance cost of CLOUD Act disclosure risk (insurance premiums, legal counsel, data residency compliance programmes) and the opportunity cost of foregone productivity from delayed migration to more cost-effective European alternatives.

The figure's significance is calibration against the Sovereign AI Fund: at £500m per year in cloud lock-in costs, the entire fund is being consumed annually in cloud overspend before a single pound reaches AI model development. DSIT has no published programme targeting the cloud layer directly, though the separate £250m cloud compute procurement (June 2026 to March 2029) addresses a fraction of the public-sector exposure.

Consensus view: Big Brother Watch and the Open Rights Group share a common analytical frame: the US CLOUD Act, signed in 2018, allows US federal agencies to compel any US-headquartered company to disclose customer data stored anywhere in the world, including on UK servers, with a court order and without requiring UK government consent or notification.

OneTrust's legal research team has documented 47 cases since 2018 in which US CLOUD Act demands reached data held in European jurisdictions. The Microsoft email shutdown for ICC-sanctioned individuals cited in the ORG report is the most politically visible of these cases: a US statute reaching into European civil society infrastructure without any UK legal process.

Counter-view: UK DSIT's digital infrastructure team argued in its 2025 Cloud Safety Review that the CLOUD Act contains a bilateral executive agreement (BEAA) mechanism through which the UK could negotiate mutual legal assistance terms that limit compelled disclosure to cases meeting UK judicial standards.

A UK-US BEAA, if concluded, would reduce but not eliminate the CLOUD Act exposure. DSIT's position treats the exposure as a treaty negotiation problem rather than a structural dependency problem, which the ORG report explicitly rejects.

Key tension: Whether the UK's post-Brexit legal autonomy creates the possibility of a CLOUD Act carve-out through bilateral negotiation, or whether the commercial dependency on US infrastructure is so deep that no bilateral agreement can insulate UK data from US legal reach without exiting the dependency itself.

Sources:The Register / Open Rights Group·The Register / Open Rights Group

Mentions:Open Rights Group →Competition and Markets Authority →CLOUD Act →Microsoft →Palantir →DSIT →Google →Switzerland →Azure →Draghi Report →Brexit →US Treasury →AWS →

First Reported In

Update #2 · Brussels buys, Britain backs, Google unlocks

The Register / Open Rights Group· 19 Apr 2026

Read original →

Causes and effects

Caused by

UK launches £500m Sovereign AI Unit

The ORG report's £500m annual cloud waste finding highlights the gap left by the UK Sovereign AI Fund, which addresses model-layer but not cloud-layer dependency.

Occurred 16 Apr 2026

Read story →

This Event

ORG brands UK tech dependency a risk

The report puts a number on the cloud-layer gap the UK's sovereign AI strategy leaves untouched, and flags the US CLOUD Act as a legal mechanism that can compel UK data disclosure without UK consent.

Different Perspectives

Oil markets / Lloyd's underwriters

Futures markets priced CENTCOM's strikes-complete statement as a de-escalation signal and pushed Brent down 1.7 per cent to $94.71, even as the IRGC declared Hormuz closed. Lloyd's war-risk premiums held elevated because institutional de-listing requires a UN Security Council resolution that Russia and China have just shown they will block.

Pakistan (mediator)

Interior minister Mohsin Naqvi carried dual civilian and military letters to Mojtaba Khamenei in Tehran on 6-7 June with no public response. The IRGC's Hormuz closure on 11 June shows the corps is acting independently of the channel Pakistan is using, making the mediation structurally unable to produce a binding commitment without direct IRGC access.

Russia and China

Russia and China voted against GOV/2026/40 at the IAEA Board, following through on the blocking position coordinated with Grossi in Geneva on 5 June; both states continue to oppose Western institutional pressure on Iran at every multilateral venue.

E3 and IAEA (UK, France, Germany)

The E3 co-sponsored IAEA resolution GOV/2026/40, adopted 21-3-10 on 10 June, demanding Iran disclose 440.9 kg of unaccounted HEU and admit inspectors to four denied facilities. The 10 abstentions and Russia-China noes leave any Security Council referral without a viable enforcement path.

IRGC / Iran military command

The corps declared Hormuz closed to all traffic on 11 June and claimed two vessels struck, overriding the MoU its own civilian negotiators were pursuing through Pakistan. The closure order used the Persian Gulf Strait Authority apparatus to convert a toll mechanism into a military prohibition.

Trump administration / CENTCOM

CENTCOM completed a second day of strikes on Tehran, Sirik and Minab, rejected the IRGC Hormuz closure as inconsistent with observed transit, and said strikes were complete. Hegseth framed the bombing explicitly as the negotiation: the method is coercive deal-making with no stated pause threshold.