The UK Loophole in Your Data Rights
Three pathways from a UK parent company to intelligence agencies. All legal.
Yesterday we covered how LexisNexis Risk Solutions built dossiers on 283 million Americans, sold them to ICE, and got hit with a $13.5 million FCRA settlement. That piece focused on the subsidiary. Today: the parent company, RELX PLC. It's incorporated in the United Kingdom. And the legal architecture available to UK intelligence services, once American data crosses that border, makes the ICE contracts look straightforward by comparison.
One Parent Company, Four Data Empires
RELX PLC (formerly Reed Elsevier) is a British-Dutch conglomerate that pulled in £9.4 billion in revenue in 2024, with an adjusted operating profit of £3.2 billion. That's a 33.9% margin. The company runs four segments: Risk analytics (LexisNexis Risk Solutions, ThreatMetrix), Legal (LexisNexis Legal), Scientific publishing (Elsevier, Scopus, Mendeley, SSRN), and Exhibitions (RX Global). Risk and Legal alone account for 67% of group revenue.
No other single corporate parent can profile a person as a graduate student through Mendeley, track their publication history through Scopus, score their insurance fraud risk through LexisNexis Risk Solutions, fingerprint their devices through ThreatMetrix (which tracks 4.5 billion devices across 185 countries), and connect them to immigration enforcement databases through LEIDS. Elsevier's own privacy policy confirms cross-subsidiary data sharing with "certain RELX companies."
RELX bought back £1 billion in shares in 2024 and has £1.5 billion more planned for 2025. The business model is working. The question is what that model actually looks like from the inside.
Three Verified Pathways to American Data
Most data broker reporting focuses on the buyer side: which agencies purchase what. That framing misses the jurisdictional issue. RELX is headquartered in London. Its subsidiaries collect American data in the US. Once that data moves to the UK parent, there are three distinct, legally documented ways it can reach intelligence agencies — and none of them require what most Americans would recognize as a warrant.
Pathway 1: Five Eyes Sharing
The UKUSA Agreement, signed in 1946 and expanded through classified appendices disclosed via a Yale Law School/Privacy International FOIA lawsuit, requires Five Eyes nations to share all signals intelligence "continuously, currently and without request." That includes both raw and analyzed intelligence. A 1961 amendment added the "third-party rule," which prevents the receiving country from sharing the intelligence with oversight bodies without the originator's consent. In practice, that means Congressional oversight committees may never see what GCHQ shares with NSA under this framework.
The Snowden disclosures in 2013 confirmed how this works operationally. GCHQ's TEMPORA program tapped transatlantic fiber-optic cables where they landed on British shores, buffering content for three days and metadata for thirty. That data was shared with NSA. GCHQ staff were instructed to "disguise the origin of material in their reports" to prevent disclosure that private companies were serving as intercept partners.
The Investigatory Powers Tribunal rulings from 2016 and 2018 are worth sitting with. The IPT found that GCHQ had been collecting bulk personal datasets from commercial entities unlawfully since approximately 2006, and bulk communications data unlawfully since 1998 — spanning up to 17 years. The July 2018 ruling found that "successive Foreign Secretaries wrongly gave GCHQ unfettered discretion to collect vast quantities of personal customer information from telecommunications companies." The UK's own surveillance court said GCHQ was operating without proper authorization for nearly two decades. The IPA 2016 was partly written to legalize, going forward, what had already been happening.
Pathway 2: The Investigatory Powers Act
The IPA 2016 defines "telecommunications operator" broadly enough to cover any entity that facilitates the "creation, management or storage of communications" through a telecommunications system. Bird & Bird's legal analysis concluded that "an online business that does not think of itself as part of the communications industry may nonetheless be providing a telecommunications service to its users," including cloud-based services and web-based platforms. RELX operates ScienceDirect, Mendeley, Scopus, and the LexisNexis research databases. All of them facilitate users storing, managing, and accessing content online. Under the IPA's definition, RELX almost certainly qualifies.
The Act gives GCHQ several tools: bulk interception warrants, bulk communications data acquisition warrants, and Technical Capability Notices (TCNs) under Section 253, which require a company to maintain permanent surveillance capability. TCNs come with a mandatory gag order. The company cannot tell anyone it received one.
We saw exactly how far TCNs reach in January 2025, when the UK Home Secretary issued one to Apple requiring backdoor access to iCloud Advanced Data Protection globally. Apple disabled the feature for UK users rather than comply. The US House Judiciary Committee wrote to the UK Home Secretary on May 7, 2025, calling it a threat to American citizens' privacy. DNI Tulsi Gabbard stated publicly that the UK had "agreed to drop" its demand for American users' data. But the UK then issued a revised TCN focused on British users. TCNs can target global services, and the gag order means the target company cannot even acknowledge the demand exists.
The 2024 Investigatory Powers (Amendment) Act made things worse. It created an entirely new regime allowing intelligence services to access "third-party bulk personal datasets" held by commercial companies, examining them on the company's own systems without the data ever being transferred. BPD warrants now last 12 months, up from six. For RELX specifically, this means GCHQ could seek a warrant to examine the LexisNexis Risk Solutions database in place, on RELX's own infrastructure.
Pathway 3: Direct Commercial Purchase
This one doesn't even require the UK. US intelligence agencies have been caught buying American data from commercial brokers without warrants. A January 2021 DIA memo, disclosed via Senator Ron Wyden's FOIA requests, confirmed that DIA purchases bulk smartphone geolocation data from commercial brokers and conducted 5 searches of the resulting database in 2.5 years. DIA explicitly argued it didn't need a warrant because it was buying in bulk, not targeting an individual.
Then in January 2024, Wyden released declassified letters confirming NSA purchases Americans' internet browsing data, including which websites people visit and which apps they use, from commercial brokers. NSA Director Gen. Paul Nakasone acknowledged NSA buys "various types" of information from data brokers, including data from devices "used outside, and in certain cases, inside, the United States."
RELX doesn't just sell to law enforcement. It has a dedicated intelligence community subsidiary. LexisNexis Special Services Inc. (LNSSI) was created after 9/11 to "deliver advanced data solutions for U.S. intelligence, homeland security, law enforcement, and defense agencies." In February 2023, LNSSI hired Lori Weatherwax, a 30-year federal government veteran who spent six years as a US Army Military Intelligence analyst and the rest at NSA, where she served as NSA Senior Representative to the CIA and Vice Chair of the National Signals Intelligence Committee. The unit holds a $23.5 million contract with the Defense Counterintelligence and Security Agency (DCSA), the agency that handles personnel security vetting, awarded in March 2026.
The ODNI's own declassified report from June 2023 admitted the intelligence community "does not know how much" commercially available data it purchases, "what types, or even what it is doing with that data." Their definition of commercially available information explicitly covers data broker purchases from companies like LexisNexis.
The One-Way Valve: UK-US Data Bridge
The UK-US Data Bridge, effective October 12, 2023, is what connects all three pathways. It allows American personal data collected by RELX's US subsidiaries to flow legally to its UK parent. LexisNexis Risk Solutions (incorporated in Georgia) has certified to the EU-US Data Privacy Framework and its UK Extension.
Once that data sits in the UK, the Fourth Amendment doesn't follow it. The Fourth Amendment restricts the US government. It has nothing to say about what GCHQ does under UK law. The Schrems II ruling invalidated the EU-US Privacy Shield in 2020 specifically because US intelligence access was too broad. Nobody has applied the same logic in reverse: whether UK intelligence access under the IPA is compatible with protecting American-origin data.
The bridge framework relies on self-certification. There is no independent audit verifying that US personal data entering UK systems is protected from IPA warrants. No one has been asked to reconcile the two.
Who Benefits
RELX shareholders benefit from a business model that generated £3.2 billion in operating profit and a 33.9% margin in 2024. The company lobbied 8 times against the Fourth Amendment Is Not For Sale Act, the bill that would have required warrants before agencies could buy data from brokers. That bill passed the House 219-199 on April 17, 2024. The Senate never voted. RELX spent $3.22 million lobbying in 2024 and contributed $915,369 through its PAC. The $172 million in DHS contracts since 2005, documented by AFSC, helps explain why.
US intelligence agencies benefit from a parallel data supply that avoids Fourth Amendment scrutiny entirely. The commercial purchase route is faster than a warrant, not subject to FISA Court review, and has no public disclosure requirement. The Five Eyes route is even better: foreign-collected intelligence arriving via GCHQ faces weaker minimization requirements under EO 12333 than domestically collected data, and the third-party rule shields the sharing from Congressional oversight.
Both sides benefit from the opacity. RELX's privacy policies don't mention Five Eyes exposure or IPA compulsion risk. US agencies don't have to disclose what they buy commercially or receive through intelligence sharing. The EFF coined the term "intelligence laundering" in 2013 for exactly this dynamic: using intermediaries to obscure the original source of surveillance, so neither courts nor the public can challenge it.
The Pieces Nobody Connects
Most RELX coverage treats each subsidiary as its own story. LexisNexis ICE contracts in one article, Elsevier publishing monopoly in another, ThreatMetrix in cybersecurity trade press. Each subsidiary has a separate brand and a separate controversy. The corporate parent barely comes up.
Elsevier's privacy policy confirms data flows to "certain RELX companies." Academic researchers have documented that Elsevier built what amounts to a full surveillance stack across the research lifecycle: Mendeley for reading behavior, ScienceDirect for publication access, Scopus for citation tracking, Pure for institutional productivity measurement, all feeding into a "Fingerprint Engine" that assigns weighted scores to individual researchers. Jefferson Pooley's analysis put it bluntly: "Facebook, Google, and Bytedance have to give away their consumer-facing services to attract data-producing users. For Elsevier and its peers, we're the product and we're paying (a lot) for it."
That research profiling sits in the same corporate parent as the database ICE uses to track immigrants, the device fingerprint network covering 185 countries, and the intelligence community subsidiary with a 30-year NSA veteran on staff. RELX also runs a joint venture (KeAi) with China Science Publishing & Media Ltd., the publishing arm of the Chinese Academy of Sciences. It built the international legal database for the Chinese Supreme Court. It has a tech hub in Shanghai, 550 employees in China, and its head of Chinese government affairs communicates with officials through WeChat.
RELX lobbied against the one bill that would have closed the commercial purchase loophole while simultaneously lobbying on FISA reform bills. When 364,000 people had their data exposed through a breach of LexisNexis Risk Solutions (LNRS) GitHub repositories on Christmas Day 2024 (the company didn't learn about it until April 2025), the same databases that intelligence agencies can legally access turned out to be ones the company couldn't even secure from unauthorized access.
One Legislative Window
RELX has built the deepest personal data infrastructure of any single corporate entity I've looked at. It sits under a UK parent subject to surveillance law that includes gag orders, bulk collection warrants, and a 2024 power to examine commercial databases in place without transferring a byte. Legal pathways run from that data to intelligence agencies that are constitutionally prohibited from collecting it directly. And the architecture is specifically designed so that confirmation is impossible: TCN gag orders, Five Eyes originator control, and classified minimization procedures ensure the question of whether this pipeline is active or dormant is one the public can never answer.
The Fourth Amendment Is Not For Sale Act would have closed the commercial purchase pathway. RELX lobbied against it eight times. FISA Section 702, reauthorized in April 2024, sunsets on April 20, 2026. That's the next legislative window where any of this could change. Nobody in that debate has publicly raised the UK jurisdiction question.