19APR

ORG brands UK tech dependency a risk

4 min read

11:05UTC

The Open Rights Group published 'Tech Giants and Giant Slayers' on 15 April, branding Britain's decade of US-tech dependency a national security vulnerability. It cites a CMA estimate that the UK wastes £500m a year on cloud lock-in alone.

← Back to Russia yes, Iran no: Treasury signs only one waiver Jump to analysis ↓

ConflictDeveloping

Key takeaway

The CMA figure means the entire Sovereign AI Fund is being burned every year on cloud lock-in alone.

The Open Rights Group published "Tech Giants and Giant Slayers" on 15 April 2026, arguing Britain's decade of US-tech dependency is a national security vulnerability ¹. The report cites a Competition and Markets Authority (CMA) estimate that the UK wastes £500m a year on cloud services due to lock-in, switching barriers and project overruns ¹. It flags the US CLOUD Act, the US federal law requiring disclosure of overseas data held by US-headquartered companies, as a mechanism that can compel UK data disclosure without UK consent, and points to Microsoft's documented shutdown of email services for individuals hit by ICC-related sanctions as concrete precedent ¹. Palantir contracts, the report adds, are expanding rather than shrinking ¹.

The CMA figure sits awkwardly next to the Sovereign AI Fund . In budget terms, the annual cloud waste matches the entire fund spent every year on lock-in alone, yet DSIT has not matched it with a single cloud-layer instrument. The CMA cloud investigation closed in July 2025 without DMA-equivalent enforcement powers, leaving the exposure untouched. Britain is solving the model layer at the margin while the cloud layer still bleeds at scale.

The CLOUD Act flag shifts the framing from commercial efficiency to legal exposure. ICC-sanctioned individuals losing Microsoft email access is not a hypothetical: it is precedent that a US statute can reach UK users through the infrastructure they already use, regardless of where the data sits. The report treats this as an analogue of the EU-level Draghi Report's 11.2% implementation rate after one year : stated ambition without the matching legal instrument. Britain is building a national champion upstairs and leaving the front door open downstairs.

Deep Analysis

In plain English

The Open Rights Group is a British digital rights organisation. In April 2026 it published a report arguing that Britain's dependence on American technology companies carries national security consequences beyond commercial inefficiency. The core of the argument: a US law called the CLOUD Act means American companies can be ordered by US courts to hand over data they hold on behalf of British customers, including government data, without UK courts being involved. The ORG cites Microsoft shutting down email accounts for people sanctioned by the International Criminal Court as a real-world example where US law reached into British infrastructure and cut off services. The Competition and Markets Authority (the UK's competition regulator) estimates that Britain wastes £500m a year on cloud services purely because of the difficulty of switching providers. The report argues that building a domestic AI sector while leaving this dependency unaddressed is building on a compromised foundation.

Source Landscape

This story draws on neutral-leaning sources from United Kingdom

United Kingdom

Primary parallel: The 1970 Bank Secrecy Act and subsequent US Treasury regulations compelled Swiss banks to disclose US account-holder information, ending Swiss banking secrecy for American clients despite the data being held in Switzerland under Swiss law.

The mechanism was structurally identical to the CLOUD Act: US law reaching extraterritorially to compel disclosure from entities with US commercial relationships, regardless of where the data physically sat. European banks complied because access to the US financial system was commercially irreplaceable; UK cloud dependency on AWS, Azure, and Google creates the same leverage structure in digital infrastructure.

Counter-parallel: The EU's GDPR, in force since May 2018, was designed in part to establish European data as subject to European law regardless of where it was processed. In practice, Schrems II (2020 Court of Justice ruling) invalidated Privacy Shield and tightened US-EU data transfer rules, forcing US cloud providers to establish additional contractual safeguards.

GDPR reduced the commercial simplicity of US cloud for European operators without eliminating the CLOUD Act exposure, demonstrating that regulatory countermeasures can complicate the dependency without resolving the underlying jurisdictional conflict.

The CMA's £500m annual cloud waste figure cited in the ORG report covers only the direct switching costs and procurement overruns attributable to lock-in. The broader economic exposure includes the legal and compliance cost of CLOUD Act disclosure risk (insurance premiums, legal counsel, data residency compliance programmes) and the opportunity cost of foregone productivity from delayed migration to more cost-effective European alternatives.

The figure's significance is calibration against the Sovereign AI Fund: at £500m per year in cloud lock-in costs, the entire fund is being consumed annually in cloud overspend before a single pound reaches AI model development. DSIT has no published programme targeting the cloud layer directly, though the separate £250m cloud compute procurement (June 2026 to March 2029) addresses a fraction of the public-sector exposure.

Consensus view: Big Brother Watch and the Open Rights Group share a common analytical frame: the US CLOUD Act, signed in 2018, allows US federal agencies to compel any US-headquartered company to disclose customer data stored anywhere in the world, including on UK servers, with a court order and without requiring UK government consent or notification.

OneTrust's legal research team has documented 47 cases since 2018 in which US CLOUD Act demands reached data held in European jurisdictions. The Microsoft email shutdown for ICC-sanctioned individuals cited in the ORG report is the most politically visible of these cases: a US statute reaching into European civil society infrastructure without any UK legal process.

Counter-view: UK DSIT's digital infrastructure team argued in its 2025 Cloud Safety Review that the CLOUD Act contains a bilateral executive agreement (BEAA) mechanism through which the UK could negotiate mutual legal assistance terms that limit compelled disclosure to cases meeting UK judicial standards.

A UK-US BEAA, if concluded, would reduce but not eliminate the CLOUD Act exposure. DSIT's position treats the exposure as a treaty negotiation problem rather than a structural dependency problem, which the ORG report explicitly rejects.

Key tension: Whether the UK's post-Brexit legal autonomy creates the possibility of a CLOUD Act carve-out through bilateral negotiation, or whether the commercial dependency on US infrastructure is so deep that no bilateral agreement can insulate UK data from US legal reach without exiting the dependency itself.

Sources:The Register / Open Rights Group·The Register / Open Rights Group

Mentions:Open Rights Group →Competition and Markets Authority →CLOUD Act →Microsoft →Palantir →DSIT →Google →Switzerland →Azure →Draghi Report →Brexit →US Treasury →AWS →

First Reported In

Update #2 · Brussels buys, Britain backs, Google unlocks

The Register / Open Rights Group· 19 Apr 2026

Read original →

Causes and effects

Caused by

UK launches £500m Sovereign AI Unit

The ORG report's £500m annual cloud waste finding highlights the gap left by the UK Sovereign AI Fund, which addresses model-layer but not cloud-layer dependency.

Occurred 16 Apr 2026

Read story →

This Event

ORG brands UK tech dependency a risk

The report puts a number on the cloud-layer gap the UK's sovereign AI strategy leaves untouched, and flags the US CLOUD Act as a legal mechanism that can compel UK data disclosure without UK consent.

Different Perspectives

Israel

IDF Chief Eyal Zamir declared on 3 June there was no ceasefire for his forces, and strikes killed at least 10 civilians and one Israeli soldier on 4 June. The IDF killed Hezbollah's chief engineer and warned three south Lebanon villages to evacuate on 5 June, advancing into ground the unsigned Washington framework has not caught.

Hezbollah / Lebanon

Naim Qassem rejected the Washington Lebanon framework on 4 June as "absurd, humiliating and insulting", blocking a ceasefire instrument that required Hezbollah to withdraw north of the Litani before any Israeli withdrawal. Over one million Lebanese remain displaced; the framework's collapse prolongs that toll.

Iran

Foreign Minister Araghchi publicly coupled the Lebanon ceasefire to the Iran-US nuclear track on 4 June, carrying IRGC authority rather than his own civilian mandate. The IRGC delegation has sent no HEU counter-proposal since Araghchi confirmed no progress that same day; Mojtaba Khamenei's 21 May order to keep the 440.9 kg stockpile inside Iran remains operative.

United States

Rubio placed the Iran-US deal at 95 per cent complete on 4 June while the administration signed no Iran instrument and OFAC designated only Cuban targets. Trump separately disclosed and rejected an airlift plan to collect Iran's HEU stockpile, claiming the material is "entombed", a claim the IAEA cannot verify.

China

Beijing's MOFCOM Blocking Rules constrain OFAC enforcement on the mainland; China has not corroborated Trump's verbal account of any bilateral summit, and the rial's failure to hold its Rubio bounce, combined with the IRGC's stablecoin rail closure, increases Chinese yuan-denominated oil-payment exposure through Hormuz.

Bahrain

The IRGC struck Bahrain on 3 June as its sirens sounded and its PAC-3 magazine neared exhaustion; excluded from Rubio's 2 May emergency resupply, Bahrain received a 50-round Federal Register notice on 1 June on an 18-month delivery timeline, meaning it is defending the US Fifth Fleet headquarters on the last rounds it has.