Explainer
Can the US government access UK cloud data?
How the US CLOUD Act reaches data stored in Britain, who's exposed, and how to remove the risk.
In short
Yes. Under the US CLOUD Act, US authorities can compel American cloud providers to hand over data they control, even when that data is stored in the UK. Because the obligation follows the provider, not the server location, a UK data centre operated by a US company does not, by itself, protect your data.
What is the CLOUD Act?
The US Clarifying Lawful Overseas Use of Data (CLOUD) Act lets US authorities require US-based providers to disclose data in their possession or control, regardless of where in the world it is physically stored. The trigger is the provider's nationality and control, not the data's location.
Why a UK region doesn't protect you
Storing data in a UK region of a US-owned cloud keeps it physically in Britain, but the operator remains a US company subject to US law. If compelled, it can be required to produce that data. Residency addresses location; it does not address jurisdiction or control, which is the heart of the issue.
Who's exposed, and how to remove the risk
- Most exposed: Government, defence, finance, healthcare, and any holder of sensitive or regulated UK data on US-owned platforms.
- Own the model: Running a model you own removes dependence on a foreign provider's control.
- Stay in your perimeter: On-prem or air-gapped deployment means there is no foreign operator to compel.
- UK jurisdiction: Use a genuinely UK-controlled provider and deployment.
What this looks like with Locai
Compliance is easier to evidence when the model, the data, and the logs are all things you actually own, not things a vendor describes in a whitepaper.
Locai Labs believes organisations should own their intelligence. Renting access to a general-purpose model that lives on someone else's servers is fine for low-stakes work; for the AI that touches your data, your customers and your decisions, the model itself should be yours. That is the bet behind everything we build.
It is also a bet that an expert model beats a generalist on the work that actually matters to your business. A smaller model trained on your data, your language, your workflows and your edge cases routinely outperforms much larger generalists on the tasks you care about, and it does so on infrastructure you control. The goal is not the biggest model; the goal is the right model for your business.
And it is deployed sovereignly: an owned model that runs inside your perimeter, on-prem via Locai One, in your private cloud tenant, in a UK sovereign cloud, or fully air-gapped, depending on your residency and security requirements. Your prompts, your documents and your outputs stay inside your environment, under UK jurisdiction, with a data path designed to fit GDPR and the procurement standards regulated organisations are held to.
Frequently asked questions
What is the US CLOUD Act?
A US law allowing American authorities to compel US-based providers to disclose data they control, wherever in the world it is stored.
Does it apply to UK data?
Yes. If a US-owned provider controls the data, the CLOUD Act can reach it even when it is stored in the UK.
Does a UK data centre protect me?
Not on its own. Physical location doesn't override the provider's US jurisdiction; the obligation follows the company, not the server.
How do I avoid exposure?
Own your model and run it inside your perimeter (on-prem or air-gapped) under genuine UK jurisdiction, so there is no foreign operator to compel.
Book a sovereign AI briefing
A 30-minute session on owning your model: deployment options, the data path, and a clear cost range for your use case.