Is Your AI Provider Subject to the US CLOUD Act?
Most organisations using AI in the United Kingdom believe their data is protected because it is "hosted in the UK." This belief is incorrect, and the consequences for regulated professionals — in healthcare, legal, and financial services — are significant.
What the CLOUD Act Is
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into US law in March 2018. It grants US law enforcement the authority to compel US-based technology companies to hand over data stored anywhere in the world — regardless of where the data is physically located.
If your AI provider is a US company, or is a subsidiary of a US company, the US government can demand access to your data without the involvement of a UK court. No UK judicial oversight. No UK warrant required.
The CLOUD Act applies to companies, not to data centres. The location of the server is irrelevant.
Why "UK Data Centre" Does Not Solve the Problem
When a US cloud provider says your data is processed in a UK region — AWS EU-West-2 (London), Azure UK South, Google Cloud europe-west2 — they are describing the physical location of the hardware. They are not describing the legal jurisdiction governing access to that hardware.
Amazon Web Services is a US company. Microsoft Azure is a US company. Google Cloud Platform is a US company. Under the CLOUD Act, all three are obligated to comply with US government data requests, regardless of where their servers sit.
This distinction matters enormously for regulated professionals:
- Healthcare: Patient data processed through a US-owned AI service is technically accessible to US authorities. This creates a conflict with UK GDPR, the Data Protection Act 2018, and the Caldicott Principles.
- Legal professionals: Solicitors and barristers owe a duty of confidentiality under the SRA Code of Conduct and the Bar Standards Board Handbook. Using an AI tool subject to foreign government access could constitute a breach of that duty — and after Munir v SSHD [2026], a permanent waiver of privilege.
- Financial services: The FCA expects firms to ensure client data is handled in accordance with data protection legislation. Processing sensitive financial information through a US-controlled AI service introduces jurisdictional risk.
What "Structural Immunity" Means
There is an important difference between compliance and architecture.
A US company can be GDPR-compliant. It can sign a Data Processing Agreement. It can promise not to transfer data outside the UK. But it cannot exempt itself from US law. If a US court issues a CLOUD Act order, compliance with GDPR does not provide a defence.
Structural immunity means the CLOUD Act simply does not apply — not because of a contract, but because of corporate structure and hardware ownership. For the CLOUD Act to have jurisdiction, the provider must be a US company or controlled by one. If the provider is a UK company, operating on UK-owned hardware, with no US parent company and no US cloud infrastructure, then the CLOUD Act has no mechanism to compel disclosure.
This is not a legal argument. It is an architectural fact.
What This Means in Practice
Scenario A — US Cloud AI
A GP practice uses an AI tool built on OpenAI's API, hosted via Microsoft Azure in London. A US court issues a CLOUD Act order to Microsoft. Microsoft is legally obligated to comply. The GP practice is never informed. Patient data is disclosed to a foreign government without UK judicial oversight.
Scenario B — UK Sovereign AI
The same GP practice uses an AI tool that runs on UK-owned hardware, operated by a UK company with no US corporate parent. The same US court issues the same order. There is no US entity to serve it on. The order has no legal effect.
The clinical data is identical. The risk is entirely different.
Three Questions for Your AI Provider
Any professional handling sensitive personal data under a regulatory obligation should be asking:
- Is your company, or any parent company, incorporated in the United States?
- Do you use any US-owned cloud infrastructure (AWS, Azure, GCP) for processing?
- Can you confirm that no US government authority has legal standing to compel you to disclose my data?
Hush AI is structurally immune to the CLOUD Act.
UK company. UK-owned hardware. Zero US infrastructure. Zero data retention. Not because we promise — because there is no legal mechanism by which it could apply.
ICO Data Controller Registration: C1912355. Hush AI is founded and operated by a UK-registered doctor.