MPs press UK regulator to prove Palantir deal won't expose data to US

2026-06-01 By Main Street Independent

The UK Financial Conduct Authority is facing pressure from MPs and digital rights campaigners to prove that its AI partnership with the US company Palantir will not expose sensitive British financial data to the Trump administration under the US Cloud Act.
The US Cloud Act can compel American-based tech companies to disclose data to US authorities in criminal investigations, and legal experts have warned that Palantir’s classification as a “data processor” does not automatically shield it from the law’s reach.
Martin Wrigley, a Liberal Democrat member of the Commons science and technology select committee, has written to the FCA demanding it explain the legal basis for its position that the Cloud Act does not apply.
The FCA has told the Commons Treasury select committee that Palantir does not control the data and that all information remains encrypted under the FCA’s exclusive control during the 12-week trial.

The deal and the concerns

The Financial Conduct Authority has entered a 12-week trial with Palantir to test whether the company’s AI systems can improve the regulator’s ability to detect financial crime. Under the arrangement, Palantir is expected to apply its technology to a wide range of FCA information, including case intelligence files, reports from lenders about suspected frauds, consumer complaints and social media data.

The deal has drawn scrutiny because Palantir, co-founded by the Trump-supporting billionaire Peter Thiel, is subject to US law. Martin Wrigley, the Liberal Democrat MP for Newton Abbot, said the arrangement raises the risk that sensitive data could be passed to American authorities.

“My concern is the FCA is doing very significant investigations into sensitive data using a foreign-controlled company that could be advised to pass data across to the US government,” Wrigley said.

Wrigley has written to the FCA demanding it “better understand on what legal basis the FCA believes that the US Cloud Act would not apply in these circumstances.” He added that “in the days of Donald Trump, control means whatever Trump thinks it means.”

The Cloud Act question

At the heart of the dispute is the US Cloud Act, which can oblige tech companies to disclose information to American authorities as part of serious criminal investigations. The FCA told the Commons Treasury select committee in March that the law does not apply to the arrangement and that the regulator will remain the data controller at all times.

“There will not be any intelligence shared,” said Jessica Rusu, the FCA’s chief data, information and intelligence officer.

One legal expert in data handling told the Guardian that the distinction between a data controller and a data processor is misleading, because data processors do not automatically fall outside the scope of US law. The surest way for a US company like Palantir to avoid responding to a court order under the Cloud Act, the expert said, is to ensure it has no access to intelligible data.

The Open Rights Group, a UK digital rights campaign, said the Cloud Act “gives US authorities the right to access data held by businesses based in the US, such as Palantir.”

Mariano delli Santi, the group’s legal and policy officer, said the US is not bound by UK legal frameworks that define the rights of data controllers. “By handing over data to Palantir, the FCA is pushing UK residents’ data into the meat grinder of the Trump administration,” delli Santi said. He added that the data could also be subject to the USA Patriot Act, which explicitly covers financial data, and provisions of the Foreign Intelligence Surveillance Act that allow monitoring of non-citizens’ digital communications outside the US without a search warrant.

Palantir and the FCA respond

Palantir cited three “glaring” reasons why the feared scenario “could never happen.”

“The Cloud Act does not give US law enforcement agencies unfettered access to data,” a Palantir spokesperson said. “It requires a serious criminal investigation and a judicial warrant before a request can even be made. In the event of such a request, US government guidance is clear that it should go to the organisations that control the data, not processors like Palantir. Because FCA data is encrypted with keys within the exclusive control of the FCA, it is not technically possible for Palantir to respond to such a request without the FCA’s direct involvement.”

An FCA spokesperson said: “This 12-week trial will test whether we can improve how we collate information so we’re better able to tackle financial crime and the distress it causes. Criminals aren’t slow to use technology to cause harm. We need to stay ahead of them. The data used in the trial will be fully encrypted and under our control. No one is able to access the unencrypted data without our authorisation.”

A broader debate

The FCA regulates the conduct of about 42,000 businesses, with responsibilities ranging from consumer protection to preventing financial crime and market abuse. The volume and sensitivity of data involved has intensified concern.

The deal is the latest in a series of moves by UK public bodies to engage US technology companies to apply AI to government functions. Concerns about UK data sovereignty have risen alongside those partnerships.

Palantir also supplies software to US Immigration and Customs Enforcement, which is carrying out the Trump administration’s immigration crackdown, and to the Israeli military. The company holds more than £500m in contracts with NHS England and the UK Ministry of Defence.

On 21 May, London mayor Sadiq Khan blocked a £50m two-year deal between Palantir and the Metropolitan Police to apply AI to criminal intelligence data, citing a “serious breach” of procurement rules. Khan said Londoners wanted public money spent with companies that “share the values of our city.”

Machine-readable details

Article metadata

Published: 2026-06-01
Topic tags: computing and information technology, government policy, international relations
Framework version: 1.3.0
Generated: 2026-06-01T12:58:03Z
Consensus floor: v0.3.0
Mindspec: v0.3.0