TikTok’s $600m fine shows why Europe needs its own hyperscaler cloud

An opinion piece that goes beyond the app and talks about trust, data sovereignty and EU infrastructure.

Data privacy isn’t just a policy. It’s personal. It’s also political. And last week, it got expensive. VERY expensive.

In April, Ireland’s Data Protection Commission fined TikTok a whopping €530 million ($600M) for mishandling European users’ data… specifically for letting that data make its way to China, without clearly explaining it or protecting it to GDPR standards.

If you’re a developer, a business owner, or frankly just someone who uses the internet in the EU, this should give you pause.

But if you run infrastructure in Europe? It should be a wake-up call.

What TikTok actually did wrong

This wasn’t about TikTok showing inappropriate videos. It was about data sovereignty: a word that sounds like it belongs in a whitepaper, but increasingly describes something very real.

The short version: TikTok let engineers in China access personal data of users in the EU. They didn’t make it obvious to users. They didn’t properly assess the legal risk of that data falling under Chinese surveillance laws. And they failed to verify that their safeguards were effective enough to meet GDPR requirements.

Under GDPR, that’s a big no-no. It violates core requirements about international transfers, transparency and legal risk management. So the Irish regulator (the EU’s lead authority on TikTok because its European HQ is in Dublin) hit them with one of the largest privacy fines in EU history.

HALF-A-BILLION EURO.

To make it worse, TikTok tried to calm everyone down by announcing something called Project Clover: a promise to localize data in Europe, delete anything stored in China and put an external cybersecurity firm in charge of oversight.

That may sound reassuring. But it came after the fact. The fine covers a period before these fixes existed. Which tells you something.

“We’ll fix it later” doesn’t fly when you’re dealing with people’s personal data.

What TikTok didn’t disclose

In April 2025 (after the inquiry concluded) TikTok admitted that a small amount of EU user data had in fact been stored on servers in China, despite previous claims to the contrary. This wasn’t just a technical oversight. It meant that TikTok had submitted inaccurate information to European regulators during a live investigation, which TikTok later corrected.

The DPC hasn’t ruled out further regulatory action as a result. And that’s a reminder: compliance isn’t just about where the data is today… it’s about how honest and accountable your provider is when things go wrong.

Why this matters even if you’re not TikTok

You might be reading this thinking, “Okay, but I’m not running a social media app with a billion users.”

Fair. But the implications go way beyond TikTok.

This is about trust, jurisdiction and control. It’s about where your data lives, who can access it and under what legal system.

If your cloud provider is based in the US, China, or anywhere with government access laws that conflict with GDPR, you’re potentially exposed. Even if the data stays in Europe. That’s how the U.S. Cloud Act or China’s National Intelligence Law can potentially reach across borders (depending on how providers are structured). And regulators are starting to notice.

In other words: the infrastructure matters as much as the software.

If you run on cloud infrastructure, here’s the question to ask:

Can I tell my customers exactly where their data is stored, who can access it, and what laws apply?

If you’re relying on the big hyperscalers, the answer is usually: “Sort of.”

  • Yes, your data might be “in Frankfurt” or “in a European region,” but the control plane? That could be in the U.S.
  • Yes, the company might be “GDPR-compliant,” but they’re also subject to subpoenas from outside the EU.
  • And yes, they offer encryption and certifications, but they hold the keys.

This is the paradox of public cloud: it gave us flexibility, but we traded away clarity.

And now, Europe’s regulators are asking us to get that clarity back.

What does sovereignty actually look like?

Let’s get concrete. A sovereign cloud isn’t just about flags or marketing claims. It means:

  • Your data never leaves the EU
  • The company that owns the infrastructure is European
  • The software stack doesn’t have external dependencies with backdoors
  • No hidden legal routes for foreign governments to access your stuff
  • Real humans to talk to when you have to explain this to compliance

If you’re a developer or small team trying to do things the right way (by the law, by your customers) this stuff feels overwhelming. You didn’t sign up for geopolitics. You just want to run infrastructure that won’t land you in a compliance mess.

That’s why we built our cloud differently…

We run a smaller, developer-focused public cloud based in Europe. We own and operate our own data center in Bucharest, with additional availability zones in London and Frankfurt. Everything, from storage to support, is run by a team you can reach by name.

Yes, we’re small. That’s the point.

You won’t find a maze of support tickets. No vendor lock-in disguised as “optimization”. No sketchy data transfer fees that double your invoice – our egress pricing is transparent. And no third-country laws quietly overriding EU protections.

We’re not promising perfection. But we are promising honesty, control and actual locality.

The bigger picture: compliance shouldn’t be an afterthought

What the TikTok story shows is that Europe’s regulators are no longer content to just issue warnings. GDPR enforcement is real. And the cost of non-compliance now includes headlines, not just line items.

So if you’re:

  • Hosting customer-facing applications
  • Handling personal data
  • Running services under EU compliance mandates

…you need to think about your cloud provider as part of your risk surface.

So… it’s your cloud. Own it.

There’s a reason regulators keep circling back to data sovereignty: it’s one of the last things we can actually control in an increasingly globalized stack.

And for European teams trying to build responsibly, the safest bet is to build locally: with infrastructure you understand, jurisdiction you trust and people who’ll answer your requests when things break.

TikTok may survive its fine. But the rest of us? We don’t have billions to burn on regulatory goodwill.

So I say start small. Stay sovereign. Pick a cloud that shares your values.

This post reflects the author's personal views and is intended as commentary on data privacy and cloud infrastructure developments.

Andrei

As Chief Marketing Officer at LifeinCloud, Andrei is responsible for how the company communicates what it builds and why it matters. He works closely with product and engineering to ensure that everything shared reflects how real teams build, scale and solve problems in the cloud. His focus is on helping the right people discover the right solutions at the right time - in ways that make sense to both developers writing code and businesses making decisions. To him, marketing is rooted in empathy. It begins with listening, continues with research and leads to understanding. On the blog, he occasionally shares field insights, product context and reflections on how modern infrastructure teams work, decide and grow.
