Switzerland Rejected Palantir. The UK Gave It the Keys to Everything.

I used to work in US government intelligence. I now live in London. Those two facts make me uniquely uncomfortable about what I am about to explain.

In December 2024, Switzerland's military completed a 20-page risk assessment of Palantir Technologies and reached a conclusion that should have stopped every government procurement officer in Europe in their tracks: data held by Palantir could be accessed by the American government and intelligence services, and leaks from Palantir's systems "cannot be technically prevented."

Their recommendation was unambiguous. Find alternatives.

The UK's response to the same underlying evidence has been to move in the opposite direction: awarding Palantir more than £900 million in public sector contracts spanning NHS patient records, Ministry of Defence operations, policing, intelligence, nuclear weapons management, and border control. Often without competitive tender. Sometimes with extraordinary secrecy.

I want to walk you through why that divergence matters. Not as polemic. As analysis.

What Switzerland actually found

The Swiss story is more revealing than the headlines suggested. It was not a snap decision. Over approximately seven years, at least nine Swiss federal agencies, including the Armed Forces, the Federal Office of Public Health, the State Secretariat for Migration, and the Service Against Money-Laundering, refused or declined Palantir's products. The culmination was a 20-page risk assessment commissioned by the Swiss Armed Forces General Staff, completed in early December 2024 and presented to Army Chief Thomas Süssli.

The assessment evaluated Palantir's Asset Readiness module, a resource management and data analytics platform offered for military logistics. The risks it identified were specific.

Because Palantir is a US-headquartered company, the evaluators concluded there is a possibility that sensitive data could be accessed by the American government and intelligence services, a direct reference to the US CLOUD Act. They characterised the inability to prevent data leaks as an architectural problem, not merely a legal one. The report warned of a loss of national sovereignty. Palantir's proprietary system would require the company's own specialists to be permanently on-site, which could "limit the army's ability to act in crisis situations": a textbook vendor lock-in concern. And the massive data collection involved privacy risks, including the danger that individuals could be wrongly targeted through statistical correlations.

The Swiss Army's formal recommendation: "The Swiss Army should consider alternatives to Palantir."

Palantir's spokesperson told The Guardian there was "no basis to the claim" and "no truth to it whatsoever." The Swiss defence department softened the language publicly, calling it a "precautionary risk assessment."

But the investigation that brought this to light, published by the Swiss outlet Republik and the WAV research collective on 9 December 2025, was based on 59 freedom-of-information requests to 41 federal offices. It revealed that Palantir had been aggressively lobbying Swiss officials since at least 2016, including a 2018 visit by a Swiss government minister to Palantir's Palo Alto headquarters and CEO Alex Karp's personal relocation to Switzerland.

Switzerland is now pursuing domestic and European alternatives, emphasising what officials described as "absolute autonomy: Swiss servers, Swiss encryption, Swiss Cloud, and Swiss AI."

I need you to sit with this for a moment. A neutral country with no adversarial relationship with the United States looked at the technical architecture and legal exposure, and concluded the risk was unacceptable. Then look at what the UK did.

What Palantir actually is

Understanding Switzerland's concerns requires examining the company's origins and capabilities with some precision.

Palantir Technologies was founded in 2003 by PayPal co-founder Peter Thiel, CEO Alex Karp, Joe Lonsdale, Stephen Cohen, and Nathan Gettings. The company received early funding of approximately $2 million from In-Q-Tel, the CIA's venture capital arm, after mainstream Silicon Valley investors refused to back it. Intelligence agencies formed Palantir's earliest and primary customer base. In-Q-Tel's investment was small but consequential: it provided credibility and, more importantly, direct access to intelligence community users who shaped the product through iterative collaboration.

Leaked Edward Snowden documents, published by The Intercept in February 2017, showed that Palantir software was integrated with the NSA's XKEYSCORE programme, described internally as the NSA's "widest reaching" surveillance tool. A GCHQ report found within those documents described Palantir as "sponsored by the CIA" and noted the software was "developed through iterative collaboration between Palantir and intelligence community users."

Let me explain why this matters for the UK conversation. This is not a conventional enterprise software company that happens to have government clients. This is a company whose core product was designed inside the intelligence community, for the intelligence community, by the intelligence community. That distinction is material when you are evaluating data sovereignty risk.

Palantir operates two main platforms. Gotham, released in 2008, is its defence and intelligence product. It integrates disparate data sources into a unified "ontology" mapping people, places, events, and their relationships. Its capabilities include satellite tasking, AI-powered targeting workflows, geospatial analysis, and the ability to search for individuals based on attributes including tattoos, immigration status, vehicle ownership, and social media activity. Foundry, its commercial and civil government platform, unifies and visualises massive datasets. Foundry underpins the NHS Federated Data Platform.

The company's track record includes several episodes that bear directly on the question of whether it should be trusted with sovereign data:

Cambridge Analytica. Whistleblower Christopher Wylie testified to UK Parliament in March 2018 that "senior Palantir employees" worked on Facebook profile data acquired by Cambridge Analytica. CNN obtained emails from a Palantir business development employee suggesting the app-based data-harvesting methodology that Cambridge Analytica later used. Palantir initially denied any connection, then acknowledged an employee had engaged "in an entirely personal capacity."

ICE immigration enforcement. Palantir built ICE's Investigative Case Management system. In April 2025, it won a $30 million contract for "ImmigrationOS," a platform designed for targeting individuals for deportation, near-real-time tracking of self-deportations, and streamlining the removal lifecycle. Thirteen former Palantir employees published an open letter in May 2025 condemning the company's direction.

Predictive policing. Palantir ran a secret predictive policing programme with New Orleans police from 2012 to 2018 that generated a list of roughly 3,900 potential victims and perpetrators, without the knowledge of city council members, civil rights attorneys, or the public. The Verge's investigation confirmed that even James Carville, the political operative who helped arrange the partnership, acknowledged "no one in New Orleans even knows about this."

Its own security. A 2015 penetration test by cybersecurity firm Veris Group gave hired hackers "complete control" of Palantir's internal network. The Veris report, reviewed by BuzzFeed News, concluded that even a low-level breach would likely lead to the "compromise of critical systems and sensitive data, including customer-specific information." Palantir stated the findings were "old and have long since been resolved."

That is the company to which the UK has entrusted its most sensitive public sector data.

The UK has awarded Palantir more than £900 million in contracts

While Switzerland walked away, the UK became one of Palantir's largest customers globally.

An investigation by The Nerve, led by Carole Cadwalladr and published in February 2026, identified at least 34 current and past UK state contracts across at least 10 government departments, totalling a minimum of £670 million. That figure predates the latest £240.6 million MoD contract signed in December 2025. The documented total now exceeds £900 million, and The Nerve noted that the true figure is likely higher still, as multiple contracts remain unacknowledged or heavily redacted.

NHS Federated Data Platform: £330 million over seven years. Awarded in November 2023 to a Palantir-led consortium including Accenture, PwC, NECS, and Carnall Farrar, the FDP is built on Palantir's Foundry software and connects data across up to 240 NHS organisations: beds, waiting lists, rosters, and discharge data. The published contract was heavily redacted. 259 of 272 pages in Part 2 and 164 of 242 pages in Part 3 were blacked out.

NHS England states Palantir is a "data processor" that cannot commercialise or train AI on NHS data. However, adoption has been slow. By the end of 2024, fewer than a quarter of England's 215 hospital trusts were actively using the platform. By May 2025, Palantir claimed 72 trusts were live, still less than a third of the total. Greater Manchester's health authority stated there were "no products designed or produced by Palantir as part of the FDP programme that exceed the NHS Greater Manchester local capability." Leeds Teaching Hospitals told NHS England in a private letter that adopting some FDP tools would cause them to "lose functionality rather than gain it."

The FDP followed Palantir's £1 emergency COVID contract in March 2020, which evolved into a reported £23.5 million two-year extension awarded without competitive tender, and then a further reported £11.5 million six-month extension. Civil society groups Foxglove and openDemocracy identified that the original contracts allowed tech companies to retain IP rights and train AI models on citizen health data, provisions later amended after legal pressure.

Ministry of Defence: the contracts keep growing. In September 2025, Defence Secretary John Healey signed a "Strategic Partnership" with Palantir CEO Alex Karp worth up to £750 million over five years. On 30 December 2025, a follow-on £240.6 million three-year Enterprise Agreement was awarded without procurement competition, using a defence and security exemption. The contract covers "critical strategic, tactical and live operational decision making across classifications across defence and interoperable with NATO."

The revolving door between the MoD and Palantir has drawn parliamentary scrutiny. The Nerve reported that multiple former MoD officials joined Palantir in 2025, including former Director of Policy Barnaby Kistruck, who reportedly joined days after leaving the ministry.

UK policing: expanding behind closed doors. Reporting by Liberty Investigates and the Good Law Project has revealed an expanding network of police partnerships with Palantir. Leicestershire Police signed an approximately £800,000 contract under the East Midlands Special Operations Unit, then reportedly removed the listing from public record after press inquiries. When the Good Law Project sent FOI requests to UK police forces about Palantir involvement, the overwhelming majority refused to answer, citing national security exemptions.

Nuclear weapons and intelligence. AWE Nuclear Security Technologies holds £15 million in Palantir contracts for cloud support, identified by The Nerve on the Crown Commercial Service dashboard. Snowden documents revealed GCHQ adopted Palantir as its main data-processing software. The Cabinet Office used Palantir's Foundry for Brexit border planning.

I want to be careful not to stack these figures for rhetorical effect. Statistics without context are noise. So here is the context: the UK has placed a single US-headquartered company at the centre of its health data infrastructure, its defence decision-making systems, its nuclear weapons programme support, and an expanding network of police intelligence sharing. That is not a vendor relationship. That is a structural dependency.

The CLOUD Act creates an unresolved legal conflict

The legal mechanism at the heart of Switzerland's concerns is the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted on 23 March 2018. It requires US technology companies to preserve, backup, or disclose data "regardless of whether such communication, record, or other information is located within or outside of the United States."

I need to be precise about what this means in practice. A UK organisation storing data in UK data centres, using a US-headquartered software company like Palantir, remains potentially subject to US legal demands for that data. The contractual terms between the UK government and Palantir do not override US federal law. Palantir's status as a US-incorporated company creates a legal pathway that cannot be contractually closed.

The NHS contractual safeguards state that Palantir personnel outside the UK cannot access FDP data. As a February 2026 CMS law firm white paper noted, however: "CSPs with US connections may be required, under the US CLOUD Act, to disclose data relating to European/UK customers to the US Government," regardless of what contracts say.

The conflict with UK data protection law is direct. Article 48 of UK GDPR addresses the enforceability of third-country court orders. The European Data Protection Board and European Data Protection Supervisor issued a joint opinion concluding that service providers subject to EU law "cannot legally base the disclosure and transfer of personal data to the US" on CLOUD Act requests. Companies face a compliance double-bind: comply with a US CLOUD Act warrant and risk UK GDPR penalties of up to 4% of global annual turnover, or refuse and face US sanctions.

Section 26 of the Data Protection Act 2018 provides an exemption from most UK GDPR provisions if "required for the purpose of safeguarding national security, or defence purposes." This creates a pathway where data processed by Palantir for defence or security purposes could theoretically be compelled for disclosure to US authorities with limited UK legal protection.

The enforceability of UK contractual terms against a US court order under the CLOUD Act has never been tested in court. That absence of precedent is not reassuring. It is the definition of unquantified risk.

Europe is splitting on Palantir

Germany's Federal Constitutional Court ruled in February 2023 that police use of Palantir's automated data analysis software was unconstitutional, violating the right to informational self-determination. The court nullified Hamburg's authorising law outright and gave Hesse a deadline to rewrite its provisions. Despite this landmark ruling, political pressure to continue using Palantir persists: the conservative government under Friedrich Merz, elected in early 2025, reportedly brought Palantir acquisition back to the table as part of the federal-state "Polizei 20/20" programme.

Reports from the Netherlands suggest that Dutch police had allegedly been using Palantir in some capacity since 2011, with the arrangement only becoming public through open government requests in 2025. Europol reportedly used Palantir Gotham but discontinued the arrangement.

These are not obscure data points. They represent a pattern: wherever Palantir's arrangements with European governments have been subjected to judicial review, transparency requests, or independent evaluation, the findings have been unfavourable. The UK is notable primarily for the degree to which such scrutiny has been resisted.

The UK opposition is intensifying

The political and professional backlash in the UK is moving faster than many anticipated.

On 10 February 2026, a full Commons debate examined MoD Palantir contracts. MPs questioned the £240.6 million direct award and the role of Peter Mandelson, whose firm Global Counsel represented Palantir while he served as UK Ambassador to the US. On 27 February 2025, Mandelson accompanied Prime Minister Keir Starmer on a visit to Palantir's Washington headquarters. No formal minutes were taken. Defence Minister Luke Pollard, responding to direct questions about the missing minutes in the Hansard record, did not deny their absence.

On 11 February 2026, the British Medical Association, representing over 200,000 doctors, urged members to "immediately take steps to explore refusing any non-direct care usage of Palantir's Federated Data Platform." BMA Chair Tom Dolphin called for a "complete break from Palantir technologies in the NHS," citing the company's ICE immigration enforcement work as a threat to patient trust. The BMA had formally passed a resolution in June 2025 calling Palantir an "unacceptable choice of partner."

Green Party MPs wrote to the Cabinet Secretary on 10 February 2026 pressing for "an immediate inquiry" into Palantir contracts, warning that "the UK's reliance on Palantir risks making it even more difficult for the UK to confront or even publicly disagree with the US administration." Labour MP Clive Lewis described the findings of The Nerve investigation as a "scandal."

Civil society organisations including Foxglove, the Good Law Project, Liberty Investigates, Big Brother Watch, and the Open Rights Group are pursuing parallel legal and transparency challenges across health, defence, and policing.

From an analytical perspective, what strikes me is the breadth of the opposition. This is not a single-issue campaign. Medical professionals, parliamentarians across parties, civil liberties organisations, and investigative journalists are converging on the same conclusion from different starting points. That pattern typically precedes policy change. The question is how much further the dependency deepens before that change arrives.

How to Turn This Into a Competitive Advantage

If you run a UK small business or sit on a charity board, the Palantir situation creates genuine strategic opportunities.

Demonstrate data sovereignty awareness in tenders. Public sector procurement is increasingly sensitive to data sovereignty questions. If your business can demonstrate that its data processing chain avoids CLOUD Act exposure, that is a differentiator. Document your cloud providers' jurisdictions. Map your data flows. Make this visible in bid responses.

Position for the European alternative wave. Switzerland's pursuit of domestic alternatives signals a broader trend. Organisations that invest now in CLOUD Act-independent architectures, European-hosted cloud services, and demonstrable data sovereignty controls will be better positioned as procurement criteria shift.

Use this as a governance conversation. The Palantir story is a concrete, current illustration of third-party data risk. If your board has been resistant to investing in vendor due diligence or data protection impact assessments, this is the case study that makes the risk tangible.

How to Sell This to Your Board

Frame this precisely. Directors respond to quantified risk and regulatory exposure.

The regulatory exposure is real. Organisations processing data that flows through Palantir-dependent NHS or government systems should conduct Transfer Risk Assessments under UK GDPR, explicitly addressing CLOUD Act exposure. Failure to assess this risk is a governance gap.

The political risk is escalating. Parliamentary scrutiny, BMA opposition, and civil society legal challenges mean that Palantir's UK presence is becoming a reputational liability for organisations closely associated with it. Directors need to understand this trajectory.

The competitive positioning is time-sensitive. European governments are actively seeking sovereign alternatives. UK businesses that can demonstrate CLOUD Act-independent data processing will have a measurable advantage in public sector procurement within the next 12 to 24 months.

Board talking points:

  1. Switzerland's military concluded that Palantir's architecture cannot prevent US government access to sovereign data.

  2. The UK has awarded Palantir over £900 million in contracts without resolving the same legal vulnerability.

  3. The BMA has called for a "complete break" from Palantir in the NHS. Parliamentary scrutiny is intensifying.

  4. Our organisation should assess its own exposure to CLOUD Act risk through any US-headquartered vendor in our data processing chain.

  5. Early investment in sovereign data architecture positions us for the procurement shift that is already underway in continental Europe.

What This Means for Your Business

  1. Conduct a CLOUD Act exposure audit. Identify every US-headquartered company in your data processing chain. This includes cloud providers, SaaS platforms, and any software where data transits US-controlled infrastructure. Document the findings.

  2. Review your public sector supply chain risk. If your business handles data that feeds into NHS, MoD, or police systems, the Palantir dependency is your dependency too. Understand where your data goes after you hand it over.

  3. Update your Data Protection Impact Assessments. If you have not revisited your DPIAs since the CLOUD Act's implications became clearer, they are out of date. The ICO expects organisations to assess international transfer risks, including extraterritorial legal exposure.

  4. Watch the procurement signals. The direction of travel in European public sector procurement is toward data sovereignty requirements. Build this into your medium-term technology strategy rather than treating it as a compliance afterthought.

  5. Document your position. Whether you conclude that your CLOUD Act exposure is manageable or requires mitigation, the important thing is that you have assessed it and recorded the reasoning. That is the difference between governance and hope.
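The audit in step 1 can be kept as a small, repeatable script rather than a one-off spreadsheet. The sketch below is an added example, not something from the investigations or reports cited above. It walks each dataset's processing chain, including sub-processors, and records every path that reaches a US-headquartered vendor, even when the data itself sits in a UK data centre. All vendor names, datasets and the inventory layout are constructed placeholders, and "headquartered in the US" is used as the exposure test because that is how this article frames it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    hq: str                      # country code of the company's headquarters
    data_region: str             # where the data is physically stored
    subprocessors: tuple = ()    # vendors this one passes data on to


# Constructed inventory: every vendor name here is a placeholder.
VENDORS = {v.name: v for v in (
    Vendor("ExampleCRM", "GB", "GB", ("ExampleCloud",)),
    Vendor("ExampleCloud", "US", "GB"),
    Vendor("ExampleMail", "US", "US"),
    Vendor("ExamplePayroll", "GB", "GB", ("ExampleBackup", "ExampleSMS")),
    Vendor("ExampleBackup", "DE", "DE"),
)}

# Constructed data flows: dataset -> vendors it is handed to directly.
DATASETS = {
    "patient_referrals": ["ExampleCRM"],
    "staff_payroll": ["ExamplePayroll"],
    "board_email": ["ExampleMail"],
}


def walk(name, vendors, path=()):
    """Yield (path, vendor_or_None) for a vendor and everything downstream."""
    path = path + (name,)
    vendor = vendors.get(name)
    yield path, vendor
    if vendor is not None:
        for sub in vendor.subprocessors:
            if sub not in path:          # guard against circular sub-processing
                yield from walk(sub, vendors, path)


def audit(datasets, vendors, jurisdiction="US"):
    """Return {dataset: [(status, chain, note), ...]} as the documented finding."""
    report = {}
    for dataset, direct in datasets.items():
        findings = []
        for first in direct:
            for path, vendor in walk(first, vendors):
                chain = " -> ".join(path)
                if vendor is None:
                    # An undocumented sub-processor is a finding, not a pass.
                    findings.append(("unassessed", chain,
                                     "vendor missing from inventory"))
                elif vendor.hq == jurisdiction:
                    if vendor.data_region == jurisdiction:
                        note = f"stored and headquartered in {jurisdiction}"
                    else:
                        note = (f"stored in {vendor.data_region}, still "
                                f"reachable via {jurisdiction} headquarters")
                    findings.append(("exposed", chain, note))
        report[dataset] = findings
    return report


if __name__ == "__main__":
    for dataset, findings in audit(DATASETS, VENDORS).items():
        print(dataset)
        for status, chain, note in findings or [("clear", "-", "nothing found")]:
            print(f"  {status:10} {chain}: {note}")
```

The `unassessed` rows matter as much as the `exposed` ones: a sub-processor that is not in the inventory is a gap in the audit, and the recorded output is the documented position that step 5 asks for.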

Corrine Jefferson

Corrine Jefferson is a senior security consultant based in London, specialising in threat intelligence, incident response, and practical risk reduction for real organisations. Corrine previously worked in US Government intelligence and now advises organisations on how attackers actually operate, and how to stop preventable failures before they become headlines.
