New legal opinion shows way out of the cloud dilemma
In a new legal opinion, Prof. Dr. Heckmann from the Technical University of Munich analyzes the Schrems II ruling, its implications for the use of public cloud services and the extent to which the cloud security solution R&S®Trusted Gate by IT security expert Rohde & Schwarz Cybersecurity represents a way out of the current cloud dilemma.
On July 16, 2020, the European Court of Justice declared the Privacy Shield data protection agreement invalid. The decision makes clear that European data held by US providers is not safe from access by American authorities, either in the US or in Europe. In a new legal opinion, Prof. Dr. Heckmann, holder of the Chair for Law and Security of Digitalization at the Technical University of Munich, explains the general principles of data transfer to third countries, the legal bases that applied to data transfer to the USA until the Schrems II ruling, and how R&S Trusted Gate represents a privacy-compliant way out of the cloud dilemma for public authorities and companies.
Uncertainty due to Schrems II ruling
In increasingly digitalized, networked and automated work environments, cloud computing plays a central role. Companies and public authorities predominantly use applications and services from US providers such as Microsoft, Google or Amazon for their cloud computing needs, because these offer high functionality and scalability. The Schrems II ruling has left many users uncertain about the extent to which the use of such cloud services is still possible under data protection law.
In the opinion of the European Data Protection Board (EDPB), there is currently no permissible way in cloud computing for data to be transferred to the US. However, the EDPB does not rule out the possibility "that future technical developments could make measures possible that fulfill the intended business purposes without requiring access to the unencrypted data."
Secure data exchange through multi-level system
According to the legal opinion, the cloud security solution R&S Trusted Gate offers such a technical innovation. The special feature of this solution lies in the secure design of a multi-level system: in this design, the (personal) contents on the encryption level are separated from the cloud services on the business level. In this way, the benefits of external cloud services can be enjoyed without transferring personal data to an "insecure third country". Companies and public authorities retain data governance and comply with GDPR requirements.
R&S Trusted Gate can be seamlessly integrated into storage systems of popular public clouds such as Microsoft Azure, Google and AWS, and into collaboration tools such as Microsoft 365 or SharePoint. Legal requirements and compliance rules can be easily implemented even in global cloud environments. The solution runs transparently in existing applications so that workflows remain unchanged. A special search function enables a secure full-text search even in encrypted documents. In addition, important functions such as document versioning continue to work without restrictions.