In March 2024, a major UK local authority discovered something alarming during a routine audit. Despite assurances that data was “stored in Europe,” sensitive citizen records were legally accessible to US law enforcement under the CLOUD Act—without notification, without a UK court order, and without the council’s knowledge.
The council wasn’t in breach of contract. Yet it was potentially in breach of GDPR, the Data Protection Act 2018, and its own data protection policies.
This scenario is playing out across UK and EU government departments, NHS trusts, local authorities, and public sector bodies. Many organisations using household-name cloud providers don’t truly control their data, even when they think they do. For government entities handling citizen records, court documents, or planning applications, this creates serious legal and operational risks.
The Data Sovereignty Problem
Data sovereignty means having legal control over where your data is stored and who can access it. For government organisations, it matters because:
- Legal obligations: Public sector bodies must comply with GDPR, the Data Protection Act 2018, and sector-specific regulations.
- Public trust: Citizens expect their data to be protected. Foreign access undermines that trust.
- National security: Planning, infrastructure, or procurement data could be valuable to hostile actors.
- Freedom of Information compliance: Public bodies must track who accesses information and when.
Most popular cloud services are owned by US companies, which are subject to US law regardless of where data is stored.
How the CLOUD Act Undermines European Data Protection
The CLOUD Act, passed in 2018, allows US authorities to compel US-based companies to provide data stored anywhere in the world:
- US companies must comply with warrants for data stored in UK or EU servers.
- They may be prohibited from notifying the data owner.
- No UK court order is required.
- Data subjects cannot challenge access.
Real-world examples:
- Microsoft’s Irish data centre: Emails stored in Dublin could be accessed by US authorities.
- Meta’s €1.2 billion fine: EU user data was accessible under US law, violating GDPR.
- Google Analytics: Ruled unlawful in Austria, France, and Italy for transferring EU data to the US without protections.
Government services using Microsoft 365, Azure, Google Workspace, AWS, or Dropbox may be affected—even if data is stored in the UK or EU.
Why This Matters More for Government
Public sector organisations face heightened accountability:
- Enhanced data protection: ICO oversight and stricter scrutiny for citizen data; breaches carry reputational and political consequences.
- Freedom of Information transparency: FOI obligations require knowledge of data access. CLOUD Act access may make this impossible.
- Procurement and value for money: Cloud procurement must assess data sovereignty risks.
- Duty of care: Services involving vulnerable citizens require higher protection standards.
Real-World Risks Across Government Functions
- Local authorities: Social services, housing, benefits, council tax, planning, and licensing data are at risk.
- Courts and justice system: Case files, witness statements, and pre-sentence reports could theoretically be accessed without UK oversight.
- Healthcare and NHS: Patient records, including mental health, sexual health, and genetic data, are vulnerable.
- Central government: Policy documents, procurement records, personnel files, and economic data could be exposed, creating legal or diplomatic complications.
The Compliance Gap
Many organisations believe they’re protected because:
- Data is stored in UK or EU centres
- Providers claim GDPR compliance
- Contracts include data protection clauses
None of these prevent CLOUD Act access. US law still applies to US-owned companies, creating a hidden compliance gap.
What Government Organisations Should Do
Evaluate true data sovereignty:
- Check company incorporation and ownership
- Confirm servers never transit or back up in the US
- Ask how legal demands will be handled
Prioritise UK and EU providers:
- Subject only to UK/EU law
- Guaranteed notification of legal requests
- Data subjects’ rights protected under GDPR and UK law
Verify compliance credentials:
- ISO27001 and Cyber Essentials certification
- GDPR alignment through impact assessments
- FOI-friendly practices with audit trails
Ensure complete audit trails: Track every access, download, edit, and share for FOI and legal compliance.
Practical Applications
- Court bundles and legal proceedings: Secure access for judges, barristers, and solicitors with full audit trails.
- Multi-agency safeguarding: Controlled sharing of child protection and adult safeguarding data.
- Planning and development: Share sensitive plans, consultation documents, and commercial information securely.
- Procurement and contract management: Enable collaboration in tendering and contract negotiations.
- Inter-departmental collaboration: Version control, secure messaging, and records management for cross-government projects.
The Cost of Getting It Wrong
Failing to secure data properly can lead to:
- ICO enforcement action
- Reputational damage
- Legal challenges and costly litigation
- Service disruption
- Political accountability
Preventing these issues with compliant platforms is far cheaper than remediation after a breach.
What to Look for in Government-Grade Platforms
- UK incorporation and operation
- UK/EU-only hosting
- No US ownership or control
- ISO27001, Cyber Essentials, GDPR compliance
- Granular access controls
- Complete audit trails
- Redaction capabilities
- Responsive support
- Transparent pricing
Making the Transition
- Start with new projects to avoid disruption
- Pilot high-value use cases like court bundles or safeguarding
- Engage stakeholders early (IT, legal, data protection)
- Provide clear staff guidance
- Measure and demonstrate value
The Bottom Line
Government organisations must protect citizen data. The CLOUD Act creates legal, operational, and reputational risks for UK bodies using US cloud providers.
The solution is straightforward: adopt secure, UK-incorporated, UK-operated platforms free from US legal jurisdiction. These platforms deliver compliance, sovereignty, and functionality while supporting modern public services.
Data sovereignty isn’t optional—it is a legal requirement, operational necessity, and matter of public trust.
Ready to ensure your government data stays under UK jurisdiction? Start a free trial or book a demo to see how Projectfusion supports UK government and public sector organisations with truly sovereign, secure collaboration.