On December 22, 2025, the European Commission took a decisive step to renew its adequacy decisions with the United Kingdom, ensuring that personal data can continue to flow freely and safely between the European Economic Area (EEA) and the UK. While this move affirms the UK’s data protection safeguards as essentially equivalent to those of the European Union, it comes at a time when transatlantic data security and the influence of major US technology companies are under intense scrutiny—particularly following a Swiss investigation that cast a spotlight on Palantir, a US-based data analytics firm.
The Commission’s renewal, which extends the 2021 adequacy decisions for another six years through December 27, 2031, follows a rigorous review. This included input from the European Data Protection Board and the approval of EU member states through the comitology procedure. The decisions are not set in stone, however: they include a sunset clause, and a review of their functioning is slated for four years from now. According to the European Commission, these actions are meant to ensure continued alignment and vigilance as the UK’s legal framework evolves, particularly in light of recent amendments introduced by the Data (Use and Access) Act.
But as the ink dried on the Commission’s renewal, a different kind of debate was brewing in the UK Parliament. British MPs, prompted by the findings of a year-long investigation from the Zurich-based research collective WAV and Swiss magazine Republik, raised fresh concerns about the government’s contracts with Palantir. This US company, known for its powerful data integration and analysis software, as well as its AI-enabled military targeting systems, has become a key player in both public health and defense sectors across Europe.
The Swiss investigation, based on freedom of information requests and internal government documents, revealed that Palantir had spent seven years attempting to win contracts with Swiss federal agencies—only to be rejected at least nine times. The Swiss army, in particular, undertook a thorough internal assessment of Palantir’s products in 2024, focusing not only on their technical capabilities but, crucially, on the implications of Palantir’s US ownership. The army’s expert report concluded that because Palantir is a US company, there remained a possibility that sensitive data shared with it could be accessed by the US government or intelligence services, despite Palantir’s repeated assurances to the contrary.
“There is no basis to the claim in the report by the Swiss army about potential access to sensitive data and no truth to it whatsoever,” a Palantir spokesperson told The Guardian. “We run a business that is predicated on the trust of our customers, which means we also do everything possible – from contractual, procedural, to technical controls – to ensure that our customers are in full control of their data, their operations and their decisions when using Palantir software.”
Despite these reassurances, the Swiss army decided against contracting Palantir, citing not only unresolved security concerns but also issues related to cost and operational flexibility. Experts within the army noted that using Palantir’s technologies might require the company’s specialists to be permanently onsite, potentially limiting the army’s ability to act independently during crises. Less than a year after the Swiss decision, the UK’s Ministry of Defence moved in the opposite direction, signing a £75 million contract with Palantir for data tools, followed by an even larger £750 million deal to boost military AI and innovation.
These developments have not gone unnoticed in the UK Parliament. Labour MP Clive Lewis was blunt in his assessment, telling The Guardian, “Palantir … is an organisation that the British government, in terms of the NHS, in terms of contracts, should stay very far away from … I think the Swiss army is right to be suspicious.” Rachael Maskell, MP for York Central, echoed the call for greater scrutiny: “The government needs to undertake transparent due diligence on the conduct of Palantir and other big tech companies. I know there were certainly questions in the NHS about Palantir’s capabilities. It’s clearly been handed a lot of money to do the federated data platform. I, as a politician, want to know that these companies are making ethical choices. And if they’re not – whether around weaponry, minerals or the climate – I think we as parliament should be given greater transparency around this.”
Palantir’s involvement in the UK’s public sector isn’t limited to defense. During the early days of the COVID-19 pandemic, the company pitched its services to Swiss health authorities, touting its partnership with the NHS. “We are already doing this in other countries, such as Great Britain, but we feel a special obligation to Switzerland and the federal chancellor,” Palantir wrote, according to documents obtained by WAV and Republik. Ultimately, Switzerland’s Federal Office of Public Health opted not to work with Palantir, choosing a competitor instead. The precise reasons for this decision were redacted, but meeting minutes referenced communication issues and the need for further questioning of Palantir.
The Swiss revelations have reverberated across Europe, sparking debate in Germany as well. Sinan Selen, head of Germany’s domestic intelligence service, recently warned European security services to exercise caution when adopting US software—though he stopped short of naming Palantir directly. Meanwhile, several German states, including Bavaria, Hesse, and Baden-Württemberg, have either adopted Palantir’s analysis software for their police forces or created legal pathways for its use. Not everyone is on board: Konstantin von Notz, a Green Party MP and intelligence expert, has called for Germany’s interior minister to “finally say goodbye to Palantir,” welcoming the Swiss decision to avoid contracting with what he described as a “highly controversial US company which has close ties to Donald Trump.”
Back in the UK, the controversy comes at a delicate moment. The European Commission’s renewed adequacy decisions are designed to safeguard the free flow of personal data, but they also depend on continued trust in the UK’s ability to maintain EU-equivalent protections. The Commission and the European Data Protection Board have committed to reviewing these arrangements after four years, underscoring the need for ongoing vigilance as technology, law, and international relations evolve.
As Europe weighs the benefits and risks of relying on US tech giants for critical data infrastructure, the debate over Palantir’s role illustrates just how high the stakes have become. For now, the UK retains its privileged status for data transfers with the EU, but questions about transparency, security, and ethical oversight—especially when it comes to sensitive government contracts—are far from settled.
In this climate of heightened scrutiny, the choices made by governments on both sides of the Channel will shape not only the future of data privacy but also the broader relationship between technology, national security, and democratic accountability.
