Palantir, a data analytics firm best known for its ties to the defence and national security communities, plans to shift its entire UK data processing operation from the US, ahead of what experts are calling a global “regulatory tsunami” affecting cross-border data flows.
By the end of 2022, Palantir will offer UK clients, including NHS England, the Cabinet Office and the Ministry of Defence, the option to move all data processing within the UK, a change that it claimed will better protect them from security concerns such as hacks and data leaks. It will offer the same option in the EU, where it also works with public sector customers such as German police forces.
Palantir’s move comes amid rising geopolitical tensions between China, Russia and the west, including the US and EU, alongside new regulatory regimes that are pushing companies to Balkanise their data operations. New laws governing cross-border data flows would affect all businesses that use the internet to operate, with some estimates by risk management consultancy Leviathan Security Group claiming they could increase companies’ computing costs by up to 60 per cent.
A patchwork of new national regulations is emerging around data use in India, Japan, South Korea, Australia and the EU — including the EU’s General Data Protection Regulation and the Cross-Border Privacy Rules in Asia-Pacific — whose rules apply to any company which offers services to its citizens, regardless of their location.
Denver-based Palantir, which employs more than 600 people in the UK, processes sensitive health and national security data for UK public authorities. Although it currently already offers the option to host data within the UK, all metadata, such as information related to cyber security and use of the software, are processed in the US.
“We want to make the UK fully autonomous, from a regulatory and geopolitical point of view,” said Louis Mosley, who leads Palantir in the UK. “As tensions rise, it could be very disruptive if access was interrupted, and we want to reassure our UK customers there will be no diminution in service levels and no compromise on security.”
Palantir is set to be one of the first US software companies to take this step. Microsoft announced a similar move for the EU market in May this year, known as the EU Data Boundary, which will come into effect next year.
“We believe that more regulation will be coming, not just to the tech sector . . . but also for all companies to demonstrate how they are using data responsibly and respectfully, and not engaging in data abuse,” said Julie Brill, Microsoft’s chief privacy officer, at an FT event last week.
“Not all these laws will be the same. The kinds of things that Korea, Japan and India are currently pushing forward are going to be different to Australia, or the US or Europe. Companies need to understand the regulatory tsunami that is coming.”
Palantir said it was also responding to a major push from customers that want to contain data processing within the borders where they operate.
“We have seen a huge desire among nations to try and secure supply chains, both at physical infrastructure level and software level,” Mosley said. “Our belief is these trends are going to continue and potentially accelerate.”
Palantir also said it plans to hire 250 new UK employees and open a northern England office in 2022.
Ian Levy, technical director of the UK’s National Cyber Security Centre, said that companies will have to change how they do business to retain trust.
“States will start to take more drastic action to ensure that their supply chains are protected, and that their sovereign . . . technology stacks are insulated from the actions of others and enforce their national values,” wrote Levy, in a Wired editorial. “We will see . . . supply chains and infrastructure redesigned to align with these new realities.”
This article has been amended since publication to correct Palantir’s headquarters to Denver, from Detroit.