Inside the £670 Million Question: Why Parliament Is Finally Asking Who Controls Britain's Data

Palantir Technologies, the US data analytics firm co-founded by Peter Thiel and built on contracts with the CIA, now holds at least 34 current and past contracts across at least 10 UK government departments, worth a combined minimum of £670 million [1]. The company's software processes NHS patient records, military intelligence, immigration data, and police investigations. In February 2026, MPs debated the Ministry of Defence's latest Palantir contract in the House of Commons — a rare moment of direct parliamentary scrutiny for a company that has spent a decade quietly embedding itself across Britain's public sector [2].

The question is no longer whether Palantir is involved in UK governance. It is whether anyone outside Palantir fully understands the scope of that involvement — and whether the legal and institutional mechanisms exist to check it.

The Money: £670 Million and Counting

Palantir's UK government spending breaks down across several major departments. The Ministry of Defence accounts for the largest share, with current and historic deals worth approximately £388 million across at least a dozen contracts [3]. The NHS Federated Data Platform (FDP), awarded in November 2023, is valued at up to £330 million over seven years [4]. Smaller contracts cover the Home Office, HMRC, the Atomic Weapons Establishment, and multiple police forces [1].

Source: The Nerve, openDemocracy, Digital Health, Contracts Finder

Data as of Apr 1, 2026CSV

The December 2025 MoD contract alone — £240.6 million over three years — was more than three times larger than any previous Palantir defence deal [5]. Beyond these existing obligations, a strategic partnership announced in September 2025 envisions Palantir basing its European defence arm in London, with potential future MoD opportunities worth up to £750 million over five years [6].

Direct international comparisons are difficult because procurement transparency varies by country. France's DGSI (internal security directorate) renewed a multi-year Palantir contract originally signed after the 2015 Paris attacks, though the value has not been publicly disclosed [7]. Germany's use has been more contested: courts in Hesse and Hamburg restricted Palantir's police surveillance tools on constitutional grounds, and the German Federal Constitutional Court ruled certain applications of the software unconstitutional [8]. Switzerland went furthest, with at least nine federal agencies declining Palantir products after a formal risk evaluation found that US-headquartered status created an unacceptable sovereignty risk [9].

How the Contracts Were Won

A significant portion of Palantir's UK contracts were not awarded through standard competitive procurement. The £240.6 million MoD contract used a "defence and security exemption" to bypass competitive tender entirely [5]. The company's first NHS contract, during the COVID-19 pandemic in 2020, was awarded on an emergency basis [10]. Even the £330 million FDP contract, which did go through a competitive process, drew criticism: the published contract was heavily redacted, with NHS England citing commercial confidentiality [11].

Source: openDemocracy, The Register, Contracts Finder

Data as of Apr 1, 2026CSV

openDemocracy reported that Palantir hired four former Ministry of Defence officials before winning its record defence contract, including Damien Parmenter, a senior MoD director general who joined Palantir UK as an adviser [12]. Government transparency records show Palantir employees met with UK ministers and senior officials almost 90 times over a 10-year period [13]. Louis Mosley, Palantir's UK head, joined the MoD's Industrial Joint Council and met with then-Trade Secretary Liam Fox at Davos, where Fox's briefing notes described the NHS as "a huge and as yet untapped resource" [13].

The company itself does not dispute this level of engagement. When questioned, Palantir stated that like "the vast majority of companies operating at scale in the UK," it "engages with and consults government on policy matters, and vice versa" [13].

What Data Palantir Can Access

The NHS FDP involves the health data of over 55 million English patients [14]. As of mid-2025, 130 NHS hospital trusts had signed up to adopt the platform, with 72 already live [15]. NHS England maintains it remains the data controller at all times, with Palantir operating "strictly under the instruction of NHS England" and prohibited from accessing, using, or sharing data for its own purposes [15].

Beyond health, the scope is broad. The Financial Conduct Authority gave Palantir a contract to analyse data on fraud, money laundering, and insider trading across approximately 42,000 regulated businesses — including emails, call recordings, and social media monitoring [9]. MoD contracts cover "strategic, tactical and live operational decision making across classifications," interoperable with NATO and allied systems [5]. Police contracts in Leicestershire and elsewhere involve intelligence and investigation platforms [2].

The total number of UK residents whose records sit inside Palantir-operated systems has not been officially published. Between NHS patient data (55 million+), defence personnel records, immigration files, and financial regulatory data, the figure is substantial — though the federated architecture of the NHS platform means data is not centralised in a single Palantir-controlled repository [15].

Independent Audits and GDPR Compliance

NHS England states that all access to FDP data is "logged and auditable" and that processing complies with UK GDPR and the Data Protection Act 2018 [15]. However, no independent, publicly available audit of Palantir's compliance with data minimisation and retention rules has been published. The contract itself was released in heavily redacted form [11].

Medact, a health professionals' organisation, published a briefing in 2026 arguing that Palantir's "reputation, its lack of public trust, and a perceived clash with NHS values" were raised as potential barriers by a cross-parliamentary scrutiny committee in July 2025 [16]. Foxglove, a digital rights group, identified seven key risks in the FDP arrangement, including the possibility that the platform could enable cross-departmental data sharing — for instance, allowing Home Office access to patient data for immigration enforcement [17].

NHS England's position is that "any activity involving patient information must be handled through established information governance processes" [15]. But the structural concern — that Palantir's Foundry platform could technically facilitate such sharing even if it is not currently authorised — has not been fully addressed by any independent technical review made public.

The CLOUD Act Problem

A recurring concern among critics is the US CLOUD Act, which can compel US-headquartered companies to disclose data in their possession, custody, or control — even when that data is stored outside the United States [9]. This means that UK patient records, defence intelligence, or financial regulatory data processed through Palantir's systems could theoretically be subject to US government demands.

Switzerland's Federal Armed Forces explicitly identified this as a disqualifying risk in their 20-page evaluation of Palantir's products [9]. The UK has not conducted — or at least not published — an equivalent assessment. A 2026 report flagged the UK's broader reliance on US Big Tech as a "national security risk," estimating a £500 million annual premium for cloud services from US providers [18].

Palantir has responded to sovereignty concerns in some markets. Reports indicate the company has explored reshoring UK data processing away from US infrastructure [19]. But the legal exposure under the CLOUD Act is based on corporate jurisdiction, not data location — a distinction that technical measures alone cannot fully resolve.

Documented Harms and Palantir's Track Record

Critics point to several international incidents. In the United States, Palantir's contracts with Immigration and Customs Enforcement (ICE) included designing systems to track undocumented migrants and identify deportation candidates [10]. Amnesty International published a 2025 report arguing that Palantir's technology "risks supercharging arbitrary and unlawful visa revocations, detentions, deportations and violations of rights to privacy, freedom of expression, equality and non-discrimination" [20].

In Germany, the Federal Constitutional Court ruled that police use of Palantir's Gotham software in Hesse was unconstitutional, finding insufficient safeguards on data sources and the scope of data mining [8]. Denmark and the Netherlands have also raised concerns about algorithmic bias in Palantir deployments [21]. At the EU level, Europol used Palantir software in the task force responding to the 2015 Paris attacks, but according to documents obtained by The Guardian, the results were "so poor" that the agency considered suing Palantir because its software "could not properly visualize large data sets" [7].

Palantir maintains a public Privacy and Civil Liberties team and has published positions arguing its technology includes access controls and audit trails that prevent misuse [22]. The company has also rejected participation in the UK's digital identity programme, citing concerns about "democracy and data rights" — a stance some observers view as strategically positioning the company as privacy-conscious [23].

No confirmed data breach of UK government data processed by Palantir has been publicly reported. In February 2026, unverified claims of a Palantir hack circulated online but have not been substantiated [24].

The Revolving Door and Political Connections

The financial connections between Palantir's ecosystem and UK political parties add another dimension to the scrutiny debate. Quadrature Capital, a hedge fund with $71 million in Palantir holdings, donated £4 million to the Labour Party in 2024 — the sixth-largest political donation in British history [25]. The timing drew attention: the donation was made on 28 May but was published by the Electoral Commission only after Labour won the general election [25].

Transparency International UK noted that large donations from private sources "understandably raise questions as to in whose interest politicians are working" [25]. Palantir also held meetings with Prime Minister Keir Starmer, then-US Ambassador Peter Mandelson, six cabinet ministers, and senior officials from the Cabinet Office, Treasury, and Home Office throughout 2025, including an "informal visit" to Palantir's Washington headquarters [2].

In Parliament, Kit Malthouse MP raised Palantir in a Science and Technology Committee meeting in 2025, asking about protections to ensure UK programmes are "not complicit in war crimes" — referencing Palantir's broader international work [16]. An Early Day Motion signed by multiple MPs expressed concern about "serious allegations of complicity in human rights violations and the undermining of democratic processes" [26].

The Lock-In Problem: Can the UK Walk Away?

If Parliament demanded a migration away from Palantir's Foundry platform, the practical barriers would be significant. NHS England's contract includes provisions for "robust exit planning" and "standards and technical guidelines to utilise agnostic services that can be migrated" [15]. But analysts who have worked with the platform report being "forced to write code that is only compatible with Foundry," with the fundamental code of the platform "not fully readable to non-Palantir data engineers" [27].

No public cost estimate for a full migration exists. A UK consortium did bid for the original £480 million NHS data contract but lost to Palantir's consortium, which includes Accenture, PwC, Carnall Farrar, and NECS [28]. Domestic alternatives exist in principle — UK-based firms such as Cerner (now Oracle Health), TPP, and EMIS handle NHS data in other capacities — but none currently offers a like-for-like replacement for Foundry's cross-departmental analytics capabilities.

The MoD faces an even steeper challenge. The December 2025 contract explicitly describes Palantir's platform as supporting decision-making "across classifications" and interoperability with NATO systems [5]. Replacing that integration mid-stream would carry operational risks that defence officials have cited as justification for the direct-award procurement approach.

Legal Mechanisms That Could Limit Scrutiny

Several legal tools are already being used to restrict transparency around Palantir contracts. Police forces including West Yorkshire and North Yorkshire have invoked Section 24(2) of the Freedom of Information Act — the national security exemption — to neither confirm nor deny whether they use Palantir [29]. The Department of Health and Social Care has refused FOI requests about KPMG's role promoting Palantir to NHS hospitals [30]. The MoD used a defence and security exemption to justify awarding the £240.6 million contract without competition [5].

If Parliament imposed new disclosure or audit requirements, the government could invoke several mechanisms to resist: contract renegotiation clauses that protect commercial confidentiality, Section 24 and Section 31 FOI exemptions for national security and law enforcement, and potential national security carve-outs in any new procurement transparency legislation. Several of these mechanisms have already been tested against parliamentary questions and FOI requests — and have held [29][30].

This creates a structural problem. The same national security arguments used to justify awarding Palantir contracts without competition are also used to prevent scrutiny of those contracts after they are signed.

The Steelman Case Against Targeted Scrutiny

Defenders of Palantir — and of the broader US-UK tech partnership — argue that singling out one company is neither fair nor strategically coherent. The UK's own GCHQ and National Cyber Security Centre depend on intelligence-sharing arrangements with US allies under the Five Eyes framework. Amazon Web Services, Microsoft Azure, and Google Cloud host vast quantities of UK government data, all subject to the same CLOUD Act jurisdiction as Palantir [18].

Palantir's UK head Louis Mosley told the House magazine that Starmer "gets" AI, and that the company's investment — including a planned £1.5 billion in the UK with 350 new jobs — demonstrates commitment to the country [31]. The company argues its audit trails and access controls are more rigorous than many alternatives, and that its federated architecture keeps data under client control [22].

Some analysts suggest that the parliamentary focus on Palantir is partly driven by competitive dynamics. UK and EU technology firms that lost bids have an interest in regulatory frameworks that disadvantage US incumbents. The WeMove Europe petition against Palantir in Europe, for instance, frames the issue in terms of European digital sovereignty — a framing that serves both principled and commercial interests [32].

This does not invalidate the concerns. But it does mean that effective scrutiny should be systemic rather than company-specific: applying the same transparency, audit, and data sovereignty standards to all foreign data processors handling UK government information, rather than creating rules that target one firm while leaving equivalent risks from other vendors unaddressed.

What Happens Next

The February 2026 Commons debate on Palantir's MoD contracts marked the most direct parliamentary engagement with the company's UK role to date [2]. The government has signalled a "procurement shift" in response to criticism, though details remain vague [33]. A public petition calling for a full parliamentary debate on Palantir's role across UK defence, security, and public services has gathered signatures [34].

The core tension is straightforward. Palantir provides capabilities that UK government departments have come to depend on, across domains from healthcare logistics to battlefield intelligence. That dependence was built through a combination of emergency procurement, direct awards, and extensive lobbying — processes that largely bypassed the parliamentary scrutiny that contracts of this scale and sensitivity would ordinarily receive. Whether Parliament can now impose meaningful oversight on arrangements that were designed to avoid it will test both the political will of MPs and the legal architecture of UK government procurement.