What is UK Data Sovereignty — The "Third Way" After Brexit
UK data sovereignty is a unique concept born from Brexit.
With the end of the transition period on 31 December 2020, the EU GDPR was carried into UK domestic law as retained EU law (under the European Union (Withdrawal) Act 2018) and became the "UK GDPR". Its content is largely identical to the EU GDPR, but references to EU institutions were replaced with the ICO (Information Commissioner's Office), and powers such as making adequacy regulations passed from the European Commission to the UK Secretary of State. The Data Protection Act 2018 (DPA 2018) sits alongside it and supplements it, covering, for example, law enforcement and intelligence processing.
The Data Protection and Digital Information (DPDI) Bill, introduced in 2022 and reintroduced in March 2023, was the government's first attempt at substantive divergence from the EU. It proposed replacing the DPO (Data Protection Officer) with a "Senior Responsible Individual", simplifying DPIA (Data Protection Impact Assessment) requirements, relaxing cookie consent, and expanding the "legitimate interests" lawful basis; for international transfers it proposed a more flexible "data protection test" in place of the strict "essentially equivalent" standard. The Bill did not become law: it was dropped in the pre-dissolution wash-up in late May 2024 and fell when Parliament was dissolved for the July 2024 general election. Its successor, the Data (Use and Access) Act 2025 (DUA Act), received Royal Assent on 19 June 2025 and carries over the more modest parts of that agenda: a list of "recognised legitimate interests", consent exemptions for certain low-risk cookies, and the "data protection test" for transfers. The DPO and DPIA requirements survive.
The UK government has positioned this approach as a "world-leading data regime" and a "Brexit dividend." Information Commissioner John Edwards (appointed January 2022, formerly New Zealand Privacy Commissioner) stated that "data protection law is not a barrier to innovation but a framework that enables trustworthy innovation." However, Jim Killock, Executive Director of privacy advocacy group Open Rights Group, has warned of the erosion of UK data protection and sovereignty.
A Tightrope Walk with the EU — The Extension of Adequacy Decision and Its Vulnerabilities
The greatest constraint on UK data sovereignty is its dependence on the EU adequacy decision.
The European Commission adopted the UK adequacy decision on 28 June 2021, permitting the free transfer of personal data from the EEA to the UK. Unusually, the decision carried a four-year sunset clause, expiring on 27 June 2025. In June 2025 the Commission extended it by six months, to 27 December 2025, so that the Data (Use and Access) Act 2025 could be assessed. It published draft renewed decisions in July 2025; the European Data Protection Board (EDPB) adopted a broadly positive opinion in October 2025 that acknowledged the UK's changes while finding that essential equivalence is maintained; and the Commission adopted renewed adequacy decisions in December 2025, valid for six years.
However, the risk of lapse has not disappeared. The reforms first proposed in the DPDI Bill and partly enacted in the Data (Use and Access) Act 2025 (recognised legitimate interests, relaxed cookie consent, the "data protection test" for onward transfers), together with the Secretary of State's power to make further changes by regulation, remain concerns on the EU side, and the renewed decisions again carry a fixed term. An adequacy decision can also be challenged before the Court of Justice of the EU: Max Schrems' litigation invalidated the EU-US Safe Harbor (Schrems I, 2015) and Privacy Shield (Schrems II, 2020), and the same route is open against UK adequacy. Should adequacy lapse, EU-to-UK transfers would have to rely on SCCs (Standard Contractual Clauses) or BCRs (Binding Corporate Rules), each with its own transfer risk assessment, imposing compliance costs on UK businesses that studies have estimated at £1 billion or more.
The UK is attempting to pursue a "third way" — maintaining adequacy with the EU while being more flexible than the EU — but these two objectives are inherently in tension.
The M365 Data Sovereignty Debate — The Most Serious Structural Risk
The most contentious issue in UK data sovereignty is the Microsoft 365 (M365) data sovereignty problem.
The scale of the UK government's dependence on M365 is overwhelming. The Cabinet Office, Home Office, Ministry of Defence, Department for Education, HMRC (His Majesty's Revenue and Customs), and even Parliament itself use M365. The NHS has also migrated NHS Mail to Exchange Online. Hundreds of thousands of government employees and public sector workers use M365 on a daily basis.
Microsoft's data residency commitments are as follows. "Core customer data" for UK tenants is stored in data centres at UK South (London) and UK West (Cardiff). This covers Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams (chat/channel messages).
However, there are significant exceptions. First, the commitment covers customer data at rest, not every processing step: telemetry, diagnostic data, support data and some service-side processing may leave the UK, and some operations may be temporarily performed outside the UK. Second, global services such as Bing integration, Copilot features and Delve (since retired) are not region-bound.
The biggest issue is that Microsoft's EU Data Boundary, rolled out in phases from 1 January 2023 (customer data), 1 January 2024 (pseudonymised personal data) and early 2025 (support data), covers the EU and EFTA only and excludes the United Kingdom. EU/EFTA customers receive a commitment that their data is stored and processed within the EU/EFTA; UK customers receive only the narrower data-at-rest residency commitments described above. The result is an asymmetry in which protections offered to EU government customers are not extended to UK government customers.
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, enacted 23 March 2018) is the root of the structural risk. It amended the Stored Communications Act so that a provider subject to US jurisdiction must comply with a US warrant or subpoena for data in its "possession, custody, or control" regardless of whether that data is stored inside or outside the United States (18 U.S.C. § 2713). Storing UK government data in Microsoft's UK data centres therefore does not place it beyond a US court order. The Act's comity procedure lets a provider move to quash an order that would conflict with the law of a "qualifying foreign government" such as the UK, but that is a challenge mechanism, not a guarantee that the data is unreachable.
The UK–US Data Access Agreement (signed 3 October 2019, in force from 3 October 2022) is the first bilateral agreement concluded under the CLOUD Act. It allows the law enforcement agencies of each country to serve orders directly on providers in the other country, but only for serious crime, and neither side may target persons located in, or nationals of, the other country. National security collection (such as that under FISA Section 702) falls outside the agreement entirely, so the agreement does nothing to constrain US intelligence access to data of UK government employees held by a US provider.
Questions regarding M365 data sovereignty have been raised in both the House of Commons and the House of Lords. The Open Rights Group has campaigned on the government's use of Microsoft products and data sovereignty concerns, while Privacy International has expressed concerns about the CLOUD Act and government data.
AI integration is amplifying the risks. The integration of Microsoft Copilot into M365 raises new questions about where AI processing takes place and what data is fed into AI models. As geopolitical tensions rise, attention to digital sovereignty is also intensifying. The Labour government (in office since July 2024) has expressed an interest in digital sovereignty, but has yet to take decisive action with regard to M365.
The Collapse of UKCloud — The Structural Dilemma of Sovereign Cloud
The most iconic event in the history of UK sovereign cloud is the collapse of UKCloud.
UKCloud was established in 2011 as the UK's only homegrown sovereign cloud provider. Data stored exclusively within the UK, operated solely by UK nationals, compliant only with UK law — these were its selling points. The NHS, Ministry of Defence, police, local authorities, and central government were among its customers.
In October 2022 UKCloud entered compulsory liquidation on a winding-up petition presented by the government; the Official Receiver was appointed liquidator, with PwC as special managers. Revenue was approximately £40–50 million, but the company was loss-making, having lost the price war against the hyperscalers (AWS, Azure, Google). Attempts to raise additional funding and to find a buyer both failed.
The lessons from the collapse are clear. First, sovereign cloud providers are at a massive disadvantage against hyperscalers in terms of economies of scale. Second, the UK government's procurement process tends to prioritise cost over sovereignty. Third, being "sovereign" alone is insufficient as a differentiator. Fourth, there is criticism that the government should have treated UKCloud as strategic infrastructure in the same way it treats the defence industry.
In an ironic turn, following the collapse, many former UKCloud customers migrated to AWS or Azure, further deepening the government's dependence on hyperscalers.
NHS & Financial Services Data Requirements
The NHS and financial services are the most sensitive areas of UK data sovereignty.
NHS patient data is subject to UK GDPR/DPA 2018, as well as Common Law duties of confidentiality, the Caldicott Principles (eight principles), and the NHS Data Security and Protection Toolkit (DSPT). In practice, NHS data must be stored within the UK.
The most contentious issue is the Palantir Federated Data Platform (FDP). In November 2023 NHS England awarded a seven-year contract worth approximately £330 million to Palantir Technologies (a US company whose early investors included In-Q-Tel, the CIA's venture arm). The FDP is intended to join up data across NHS organisations to improve operational efficiency and waiting-list management, but it has drawn fierce criticism as an entrusting of patient data to a US company. openDemocracy and Foxglove have brought legal challenges, and polling has shown public discomfort with Palantir handling NHS data. Over one million people are reported to have opted out of NHS data sharing. Palantir counters that the FDP is "federated", meaning data remains within each NHS organisation's own instance and is not pooled centrally, and that data does not leave the UK.
In financial services, the PRA's Supervisory Statement SS2/21 (Outsourcing and Third Party Risk Management), applied alongside the FCA's SYSC 8 outsourcing rules, is the key reference. UK data residency is not directly mandated, but requirements to preserve regulatory oversight, audit and access rights, and business continuity mean that in practice data must remain within reach of UK regulators. The Financial Services and Markets Act 2023 added a Critical Third Parties regime giving the regulators direct oversight powers over providers designated as critical (the hyperscalers AWS, Azure and Google Cloud being the obvious candidates).
Government Security Classification and the Reality of Sovereign Cloud
UK government data has three levels of security classification.
OFFICIAL (including OFFICIAL-SENSITIVE) accounts for approximately 90% of government data and can be processed on accredited public cloud platforms (including hyperscaler UK regions). SECRET requires stricter controls and typically necessitates UK-based infrastructure and additional assurances. TOP SECRET is the highest classification and generally requires air-gapped environments, on-premises infrastructure within the UK, and operation by UK nationals holding security clearance.
The NCSC's 14 Cloud Security Principles cover areas including protection of data in transit, asset protection and resilience, separation between customers, governance, operational security, personnel security, secure development, supply chain security, secure user management, identity and authentication, external interface protection, secure service administration, audit information for customers, and secure use of the service by the customer. The NCSC no longer certifies providers against them; instead AWS, Microsoft and Google each publish mappings of their services to the principles, and it is for the buying organisation to assess those claims.
Notably, the NCSC explicitly states that "the physical location of data is often less important than the legal jurisdiction it falls under and the security measures used to protect it." However, it also acknowledges that for certain classifications and threat models, UK data residency may be an appropriate requirement.
Market Data — Europe's Largest Cloud Market
The United Kingdom is Europe's largest cloud market and also its largest data centre market.
The UK cloud infrastructure services market is estimated at approximately £15–18 billion per year, growing at an annual rate of 20–25%. Market share is dominated by AWS (approximately 30–33%), Microsoft Azure (approximately 25–28%), and Google Cloud (approximately 10–12%).
Government cloud procurement through the G-Cloud framework (Crown Commercial Service) has cumulatively exceeded £12 billion. The UK's data centre capacity exceeds 800MW, the largest in Europe, with London serving as Europe's largest data centre hub. The cybersecurity market is approximately £12–13 billion in scale, ranking third in the world.
Following the collapse of UKCloud, the UK sovereign cloud market is now dominated by hyperscaler UK regions, with an approach based on technical and contractual controls rather than dedicated sovereign providers.
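The "technical and contractual controls" referred to above start with pinning where resources may be deployed. As an added example, not taken from the page or from any government guidance, the following Azure Policy definition denies deployment of any regional resource outside Azure's two UK regions; the display name is an assumed label, and the exclusions for "global" resources and B2C directories follow the structure of Azure's built-in "Allowed locations" policy.

```json
{
  "properties": {
    "displayName": "Deny resources outside UK South and UK West (illustrative)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Added example: regional resources may only be created in uksouth or ukwest.",
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": ["uksouth", "ukwest"] },
          { "field": "location", "notEquals": "global" },
          { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Two caveats a practitioner should keep in mind. The "global" exclusion is necessary (DNS zones, Traffic Manager, Front Door and similar services have no region), but it also means exactly those services are not constrained by the policy, which mirrors the page's point about global M365 features. And the policy governs only the location of IaaS/PaaS resources in Azure subscriptions: it has no effect on where Microsoft 365 stores or processes tenant data, telemetry or support data, which is fixed by Microsoft's service commitments and the contract, not by anything the tenant can configure.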
Future Outlook — Data Sovereignty and the Future of Sovereign Cloud in the Age of AI
UK data sovereignty stands at a turning point where multiple dynamics intersect.
The impact of the Data (Use and Access) Act 2025 will materialise over the coming years. The Act received Royal Assent in June 2025, but most of its provisions are being commenced in stages by regulations, much of which was still being drafted as of early 2026. If future secondary legislation widens the divergence from the EU, maintaining adequacy will become increasingly difficult.
The intersection of AI and data sovereignty is the most significant new issue. Where training data for AI models is stored and processed, how sensitive data is handled during inference, and the data flows created by Microsoft Copilot's integration into M365 all amplify data sovereignty concerns. The UK AI Safety Institute (established November 2023 and renamed the AI Security Institute in February 2025) focuses on frontier model safety and security; data sovereignty is not its remit, though the two increasingly intersect.
On the future of sovereign cloud, despite the failure of UKCloud, investment in sovereign cloud is accelerating globally. Partnership models such as Thales-Google in France and T-Systems-Google in Germany may well be adopted in the UK. If the UK government commits to sovereign requirements, the market could reach £5–8 billion by 2028–2030.
The UK's "data bridge" concept represents the most optimistic scenario: maintaining adequacy with the EU while leveraging close ties with the United States (the UK-US Data Bridge, in force since 12 October 2023 as the UK extension to the EU-US Data Privacy Framework, the UK-US Data Access Agreement, Five Eyes and the "special relationship"), and expanding data transfer arrangements with Japan, South Korea, Australia and others. If successful, the UK could become an attractive jurisdiction for multinational data operations. However, if it comes to be seen as a pipeline routing EU data to the US under weaker protections, the EU would likely move to restrict that route.
The M365 data sovereignty issue is a structural challenge that will not be resolved in the short term. Open-source alternatives such as LibreOffice, Nextcloud, and Matrix are being advocated, but no alternative currently matches the M365 ecosystem. The UK government's dependence on M365 runs deep, and migration would be extraordinarily costly and disruptive. This issue vividly illustrates that digital sovereignty is not merely a technical challenge, but a complex interplay of geopolitical, legal, and economic factors.
Impact on the Industry
First, the UK's divergence from the EU GDPR, first attempted in the DPDI Bill and partly enacted in the Data (Use and Access) Act 2025, has created a structural tension between "promoting innovation" and "maintaining adequacy status". The renewal of adequacy at the end of 2025 brought relief, but the renewed decisions again carry a fixed term, and further divergence increases the risk of lapse, potentially imposing compliance costs of £1 billion or more on UK businesses.
Second, the M365 data sovereignty issue is the most serious and immediately difficult challenge for the UK government to address. The exclusion of the UK from Microsoft's EU Data Boundary creates an asymmetric level of protection between EU government customers and UK government customers. The risk of US data access under the CLOUD Act can be mitigated, but not eliminated, through technical measures such as customer-managed encryption keys (including Double Key Encryption, where one of the two keys is held outside Microsoft's control), and confidential computing; metadata, telemetry and any data the service must decrypt to function remain within the provider's reach.
Third, the collapse of UKCloud demonstrated that sovereign cloud cannot be sustained without economies of scale. However, partnership models such as Thales–Google and T-Systems–Google have succeeded globally, and similar approaches may come under consideration in the UK.
Fourth, the NHS's Palantir contract (£330 million) illustrated that data sovereignty is not an abstract concept but a real issue directly involving citizens' most sensitive data—health records. The fact that over one million people opted out proves that public trust determines the success or failure of data sovereignty strategies.
Reference Information: UK Data Protection Act 2018; UK GDPR (retained EU law); Data Protection and Digital Information Bill (fell at dissolution, May 2024); Data (Use and Access) Act 2025 (Royal Assent 19 June 2025); European Commission UK Adequacy Decision (28 June 2021), six-month extension (June 2025) and renewed decisions (December 2025); EDPB opinions on UK adequacy; US CLOUD Act (23 March 2018); UK-US Data Access Agreement (signed October 2019, in force October 2022); UK-US Data Bridge (October 2023); NCSC Cloud Security Guidance and 14 Cloud Security Principles; PRA SS2/21 Outsourcing and Third Party Risk Management; Financial Services and Markets Act 2023 (Critical Third Party regime); NHS Data Security and Protection Toolkit; Microsoft EU Data Boundary documentation; Microsoft UK data residency documentation; G-Cloud framework documentation (Crown Commercial Service); UKCloud liquidation records (October 2022); ICO annual reports and John Edwards statements; Palantir NHS FDP contract (November 2023, £330M); Parliamentary Hansard (M365 data sovereignty questions); Open Rights Group publications; Privacy International reports; AWS, Microsoft and Google Cloud mappings to the NCSC Cloud Security Principles; techUK cloud and data reports; UK Government cloud strategy (2023/2024); UK AI Security Institute; Data (Use and Access) Act 2025 commencement regulations