No published test of whether foreign law can reach UK data before critical contracts are signed
The firms running Britain's most sensitive data platforms are US-owned: Palantir holds the £330m NHS Federated Data Platform contract and a £240.6m Ministry of Defence agreement awarded in December 2025 without competition. US law (the CLOUD Act) can compel an American company to hand over data it controls, wherever that data sits. No UK contract-approval process requires a published assessment of that exposure before signing, so the question is never answered on the record. Surfaced by The Synthetic State (syntheticstate.netlify.app), a pseudonymous self-published investigation; the underlying facts here are cited to primary sources, not to that synthesis.
A data platform can be lawful, secure and still reachable by a foreign government through the company that runs it. Decided contract by contract, in private, the cumulative exposure of NHS and defence data is never assessed as a whole.
A mandatory, published foreign-data-compulsion assessment for any government contract handling sensitive data through a foreign-owned supplier; and, buildable now without waiting for the rule, independent assessments of already-published contracts by a research body.
// Build now: First artefact: a research body's published foreign-data-compulsion assessments of already-signed contracts; the mandatory rule is the state-led end-state.
The firms running the most sensitive NHS and defence data are US-owned and reachable under the CLOUD Act, yet no approval process requires a published exposure assessment before contracts signed.