Where does your data live? GDPR, Schrems II and Europe's sovereign cloud

Europe wrote the most demanding data protection law in the world — and then discovered that the law is not enough: it also matters where your data lives and under which jurisdiction. This is the story of that discovery, told through the sources.

In 2019, a European Commission survey of roughly 27,000 citizens — Special Eurobarometer 487a — found a number that sums up our era: 62% of Europeans are concerned about not having complete control over the personal data they provide online [8]. It is not an abstract worry. The data we generate every day — where we are, what we search for, what we buy — makes up the most faithful portrait that exists of each of us. And, for a long time, that portrait travelled the world without anyone asking us.

Europe's answer has a name and teeth. The General Data Protection Regulation (GDPR), applicable since May 2018, gave citizens concrete rights — access, portability, erasure — and gave the authorities the power to fine in earnest: according to the annual survey by law firm DLA Piper, cumulative GDPR fines in Europe reached €7.1 billion by January 2026, with €1.2 billion imposed in 2025 alone [6]. Over the same period, data breach notifications rose to an average of 443 per day. As Ross McKean, chair of DLA Piper's UK data, privacy and cyber security practice, put it, "Most evident in this year's report is the validation that the cybersecurity threat landscape has reached an unprecedented level" [6].

Schrems II: the day location became law

But the law, on its own, had a blind spot — and it took a citizen to expose it. Maximillian Schrems, an Austrian lawyer, spent a decade asking the courts one simple question: what good is European protection if your data ends up in a country whose surveillance laws override it?

On 16 July 2020, the Court of Justice of the European Union agreed with him. In its judgment in Case C-311/18 — known as Schrems II — the Court struck down the "Privacy Shield", the agreement that legitimised transfers of personal data from the EU to the United States. The Court's official press release leaves no room for doubt: "The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield", because "the surveillance programmes based on those provisions are not limited to what is strictly necessary" [1].

The following day, the European Data Protection Board (EDPB) — the body that brings together all of the EU's data protection authorities — welcomed the decision, underlining "the fundamental right to privacy in the context of the transfer of personal data to third countries" [2]. And Schrems himself summed up the reach of the judgment in two sentences that still frame the debate today: "The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law", and "This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws" [3].

Since 2023 there has been a new agreement — the EU-US Data Privacy Framework — but noyb, Schrems's organisation, has already announced that it intends to challenge it. The structural lesson of Schrems II stands: the jurisdiction the infrastructure is subject to matters as much as the physical location of the servers.

From residency to sovereignty

This is the context in which the word "sovereignty" leapt from political speeches into cloud contracts. The European Commission's official definition is unambiguous: "Tech sovereignty is Europe's ability to act independently in the digital world by developing and controlling key technologies, data, and infrastructure, while reducing reliance on non-EU providers" [4] — and it estimates that the EU today depends on third countries for more than 80% of its key digital products, services and infrastructure [4]. As far back as 2020, a briefing by the European Parliament's research service warned of "growing concern that the citizens, businesses and Member States of the European Union (EU) are gradually losing control over their data" [5].

In practice, this created a distinction every user should know:

  • Data residency only means the servers are on European soil. The entity operating them can still be subject to another country's extraterritorial laws.
  • Sovereign cloud goes further: infrastructure operated by legal entities incorporated in the EU, by EU-resident staff, in regions separated from the provider's global commercial regions.

The big providers have started to respond. Oracle, for example, has operated the EU Sovereign Cloud since June 2023, with two dedicated regions — Frankfurt, in Germany, and Madrid, in Spain. The official documentation is explicit about the isolation: "The isolation of the Oracle EU Sovereign Cloud realm from the commercial public cloud realm allows Oracle to restrict support and operations personnel to EU residents, including physical and logical access to the realm" [7]. Hardware and assets are owned and managed by EU legal entities, separate from the company's global entities.

And what does this have to do with you?

Everything, because this legal debate lands directly in the apps you use every day. And there is one category where it weighs more than any other: the tools that handle your financial data. Bank transactions are not "just more data": they reveal where you live, how much you earn, what you prioritise, when things get tight. If 62% of Europeans worry about control over their data in general, the bank statement should sit at the top of that worry.

When you evaluate a personal finance app, any of them, the European regulatory framework gives you the right questions to ask:

  1. In which country — and, more importantly, under which jurisdiction — is my data hosted?
  2. Is the infrastructure merely "resident" in Europe, or is it operated by European entities (sovereign)?
  3. Who are the sub-processors, and are they identified in the privacy policy?
  4. Does the business model depend on exploiting my data — or on serving me?
  5. Can I export and erase everything, whenever I want (Articles 17 and 20 of the GDPR)?

How AtivaMoney answers these five questions

We built AtivaMoney inside this framework — not for marketing, but because we handle the most sensitive category of data there is and we believe the standard has to be the highest available:

  • Jurisdiction and sovereignty: your data is hosted and processed in the Oracle EU Sovereign Cloud, in the Madrid (EU Sovereign South) and Frankfurt (EU Sovereign Central) regions — 100% European, operated by EU entities [7].
  • Regulated, read-only bank access: the connection to your bank uses European Open Banking (PSD2), through a regulated entity; you authenticate with your bank, you never hand us credentials, and you can revoke access whenever you want.
  • Documented sub-processors: the complete list — infrastructure, email, SMS — is published in our Privacy Policy, with locations and transfer safeguards.
  • A business model aligned with you: we live on subscriptions. We do not sell data, we do not run behavioural advertising, and the AI that organises your finances learns only from you, for you.
  • Control and portability: export of your data and erasure on request — and coming soon (August 2026), the option to keep your data in your own cloud. We do the processing; you decide where it lives.

Europe spent a decade turning privacy from a promise into architecture: first the law (GDPR), then the case law (Schrems II), now the infrastructure (sovereign cloud). The question "where does your data live?" has stopped being technical — it is the trust question of the decade. We prefer to answer it in writing, with names, regions and references.

References

  1. Court of Justice of the European Union — Press Release No 91/20, judgment in Case C-311/18 (Schrems II), 16 July 2020.
  2. European Data Protection Board — Statement on the CJEU Judgment in Case C-311/18, 17 July 2020.
  3. noyb — European Center for Digital Rights — CJEU Judgment: First Statement (Max Schrems), 16 July 2020.
  4. European Commission — Strengthening Europe's Tech Sovereignty.
  5. European Parliamentary Research Service — Digital sovereignty for Europe (PE 651.992), 2020.
  6. DLA Piper — GDPR Fines and Data Breach Survey: January 2026.
  7. Oracle — Oracle EU Sovereign Cloud — official documentation; see also the announcement.
  8. European Commission — Special Eurobarometer 487a: data protection, June 2019 (summary by the Luxembourg CNPD).