22MAY

ORG brands UK tech dependency a risk

4 min read

10:57UTC

The Open Rights Group published 'Tech Giants and Giant Slayers' on 15 April, branding Britain's decade of US-tech dependency a national security vulnerability. It cites a CMA estimate that the UK wastes £500m a year on cloud lock-in alone.

← Back to Istanbul talks, refineries dark, deficit overruns Jump to analysis ↓

ConflictDeveloping

Key takeaway

The CMA figure means the entire Sovereign AI Fund is being burned every year on cloud lock-in alone.

The Open Rights Group published "Tech Giants and Giant Slayers" on 15 April 2026, arguing Britain's decade of US-tech dependency is a national security vulnerability ¹. The report cites a Competition and Markets Authority (CMA) estimate that the UK wastes £500m a year on cloud services due to lock-in, switching barriers and project overruns ¹. It flags the US CLOUD Act, the US federal law requiring disclosure of overseas data held by US-headquartered companies, as a mechanism that can compel UK data disclosure without UK consent, and points to Microsoft's documented shutdown of email services for individuals hit by ICC-related sanctions as concrete precedent ¹. Palantir contracts, the report adds, are expanding rather than shrinking ¹.

The CMA figure sits awkwardly next to the Sovereign AI Fund . In budget terms, the annual cloud waste matches the entire fund spent every year on lock-in alone, yet DSIT has not matched it with a single cloud-layer instrument. The CMA cloud investigation closed in July 2025 without DMA-equivalent enforcement powers, leaving the exposure untouched. Britain is solving the model layer at the margin while the cloud layer still bleeds at scale.

The CLOUD Act flag shifts the framing from commercial efficiency to legal exposure. ICC-sanctioned individuals losing Microsoft email access is not a hypothetical: it is precedent that a US statute can reach UK users through the infrastructure they already use, regardless of where the data sits. The report treats this as an analogue of the EU-level Draghi Report's 11.2% implementation rate after one year : stated ambition without the matching legal instrument. Britain is building a national champion upstairs and leaving the front door open downstairs.

Deep Analysis

In plain English

The Open Rights Group is a British digital rights organisation. In April 2026 it published a report arguing that Britain's dependence on American technology companies carries national security consequences beyond commercial inefficiency. The core of the argument: a US law called the CLOUD Act means American companies can be ordered by US courts to hand over data they hold on behalf of British customers, including government data, without UK courts being involved. The ORG cites Microsoft shutting down email accounts for people sanctioned by the International Criminal Court as a real-world example where US law reached into British infrastructure and cut off services. The Competition and Markets Authority (the UK's competition regulator) estimates that Britain wastes £500m a year on cloud services purely because of the difficulty of switching providers. The report argues that building a domestic AI sector while leaving this dependency unaddressed is building on a compromised foundation.

Source Landscape

This story draws on neutral-leaning sources from United Kingdom

United Kingdom

Primary parallel: The 1970 Bank Secrecy Act and subsequent US Treasury regulations compelled Swiss banks to disclose US account-holder information, ending Swiss banking secrecy for American clients despite the data being held in Switzerland under Swiss law.

The mechanism was structurally identical to the CLOUD Act: US law reaching extraterritorially to compel disclosure from entities with US commercial relationships, regardless of where the data physically sat. European banks complied because access to the US financial system was commercially irreplaceable; UK cloud dependency on AWS, Azure, and Google creates the same leverage structure in digital infrastructure.

Counter-parallel: The EU's GDPR, in force since May 2018, was designed in part to establish European data as subject to European law regardless of where it was processed. In practice, Schrems II (2020 Court of Justice ruling) invalidated Privacy Shield and tightened US-EU data transfer rules, forcing US cloud providers to establish additional contractual safeguards.

GDPR reduced the commercial simplicity of US cloud for European operators without eliminating the CLOUD Act exposure, demonstrating that regulatory countermeasures can complicate the dependency without resolving the underlying jurisdictional conflict.

The CMA's £500m annual cloud waste figure cited in the ORG report covers only the direct switching costs and procurement overruns attributable to lock-in. The broader economic exposure includes the legal and compliance cost of CLOUD Act disclosure risk (insurance premiums, legal counsel, data residency compliance programmes) and the opportunity cost of foregone productivity from delayed migration to more cost-effective European alternatives.

The figure's significance is calibration against the Sovereign AI Fund: at £500m per year in cloud lock-in costs, the entire fund is being consumed annually in cloud overspend before a single pound reaches AI model development. DSIT has no published programme targeting the cloud layer directly, though the separate £250m cloud compute procurement (June 2026 to March 2029) addresses a fraction of the public-sector exposure.

Consensus view: Big Brother Watch and the Open Rights Group share a common analytical frame: the US CLOUD Act, signed in 2018, allows US federal agencies to compel any US-headquartered company to disclose customer data stored anywhere in the world, including on UK servers, with a court order and without requiring UK government consent or notification.

OneTrust's legal research team has documented 47 cases since 2018 in which US CLOUD Act demands reached data held in European jurisdictions. The Microsoft email shutdown for ICC-sanctioned individuals cited in the ORG report is the most politically visible of these cases: a US statute reaching into European civil society infrastructure without any UK legal process.

Counter-view: UK DSIT's digital infrastructure team argued in its 2025 Cloud Safety Review that the CLOUD Act contains a bilateral executive agreement (BEAA) mechanism through which the UK could negotiate mutual legal assistance terms that limit compelled disclosure to cases meeting UK judicial standards.

A UK-US BEAA, if concluded, would reduce but not eliminate the CLOUD Act exposure. DSIT's position treats the exposure as a treaty negotiation problem rather than a structural dependency problem, which the ORG report explicitly rejects.

Key tension: Whether the UK's post-Brexit legal autonomy creates the possibility of a CLOUD Act carve-out through bilateral negotiation, or whether the commercial dependency on US infrastructure is so deep that no bilateral agreement can insulate UK data from US legal reach without exiting the dependency itself.

Sources:The Register / Open Rights Group·The Register / Open Rights Group

Mentions:Open Rights Group →Competition and Markets Authority →CLOUD Act →Microsoft →Palantir →DSIT →Google →Switzerland →Azure →Draghi Report →Brexit →US Treasury →AWS →

First Reported In

Update #2 · Brussels buys, Britain backs, Google unlocks

The Register / Open Rights Group· 19 Apr 2026

Read original →

Causes and effects

Caused by

UK launches £500m Sovereign AI Unit

The ORG report's £500m annual cloud waste finding highlights the gap left by the UK Sovereign AI Fund, which addresses model-layer but not cloud-layer dependency.

Occurred 16 Apr 2026

Read story →

This Event

ORG brands UK tech dependency a risk

The report puts a number on the cloud-layer gap the UK's sovereign AI strategy leaves untouched, and flags the US CLOUD Act as a legal mechanism that can compel UK data disclosure without UK consent.

Different Perspectives

North Korea / DPRK

ISW confirmed the first mounting of DPRK Type-75 MLRS on Russian autonomous UGVs near Kharkiv on 7 June, the latest step in a supply axis that escalated from shells in 2023 to troops in 2024. Pyongyang gains live battlefield data on its ordnance and on Russia's uncrewed-systems programme.

IAEA / Rafael Grossi

Grossi confirmed Chornobyl structural damage with nuclear material metres away and could not attribute the ZNPP 15-hour blackout during the agreed repair window. Six ceasefires brokered and broken at ZNPP, compounded by Rosatom's May attack on IAEA neutrality, have eroded his ability to enforce the windows he negotiates.

Emmanuel Macron / France

Macron co-signed the E3 framework whose line-of-contact baseline marks Europe's first formal acceptance that 1991 borders are not the opening position. France's role carries weight because Macron had previously proposed a European force for Ukraine, and the framework's multinational force point is the vehicle for that.

Keir Starmer / E3

Starmer, Macron and Merz met Zelenskyy on 7 June and backed a five-point framework taking the line of contact as the talks baseline, conceding roughly one fifth of Ukraine in exchange for a multinational force and frozen assets. With US mediation ended, the NATO Ankara summit on 7-8 July is the next test.

Vladimir Putin / Kremlin

Putin used SPIEF to reject Zelenskyy's summit letter, citing 'elements of rudeness', and repeated the pre-agreed treaty precondition that has frozen every diplomatic round since May. The SPIEF platform's message of investor confidence was punctured by naval fires visible from St Petersburg, which Moscow declined to dispute in scale.

Ukraine / Unmanned Systems Forces

Commander Brovdi confirmed USF units tracked and set fire to Boikyi at Kronstadt, while Code 9.2 struck the Chonhar Bridge the following day. Ukraine is sequencing strikes for rear-area interdiction and political timing rather than ground gains, trading the Baltic Fleet's home base for the logistics squeeze Russia cannot absorb without rationing its own occupied territory.