New legal opinion shows way out of the cloud dilemma

In a new legal opinion, Prof. Dr. Heckmann from the Technical University of Munich analyzes the Schrems II ruling, its implications for the use of public cloud services and the extent to which the cloud security solution R&S®Trusted Gate by IT security expert Rohde & Schwarz Cybersecurity represents a way out of the current cloud dilemma.

On July 16, 2020, the European Court of Justice declared the Privacy Shield data protection agreement invalid. The decision makes clear that European data held by US providers is not safe from access by American authorities, either in the US or in Europe. In a new legal opinion, Prof. Dr. Heckmann, holder of the Chair for Law and Security of Digitalization at the Technical University of Munich, explains what the general principles of data transfer to third countries consist of, what the previous legal bases for data transfer to the USA were until the Schrems II ruling, and how R&S Trusted Gate represents a privacy-compliant way out of the cloud dilemma for public authorities and companies.

Uncertainty due to Schrems II ruling

In increasingly digitalized, networked and automated work environments, cloud computing plays a central role. Companies and public authorities predominantly use applications and services from US providers such as Microsoft, Google or Amazon for their cloud computing needs, as these are convincing with high functionality and scalability. The Schrems II ruling has left many users uncertain about the extent to which the use of such cloud services is still possible under data protection law.

In the opinion of the European Data Protection Board (EDPB), there is currently no permissible way in cloud computing for data to be transferred to the US. However, the EDPB does not rule out the possibility "that future technical developments could make measures possible that fulfill the intended business purposes without requiring access to the unencrypted data."

Secure data exchange through multi-level system

According to the legal opinion, the cloud security solution R&S Trusted Gate offers such a technical innovation. The special feature of this solution lies in the secure design of a multi-level system: according to this, the (personal) contents of the encryption level are separated from the cloud services on the business level. In this way, the benefits of external cloud services can be enjoyed without transferring personal data to an "insecure third country". Companies and public authorities retain data governance and comply with GDPR requirements.

R&S Trusted Gate can be seamlessly integrated into storage systems of popular public clouds such as Microsoft Azure, Google, AWS and collaboration tools such as Microsoft 365 or SharePoint, and legal requirements and compliance rules can be easily implemented even in global cloud environments. The solution runs transparently in existing applications so that workflows remain unchanged. A special search function enables a secure full-text search even in encrypted documents. In addition, important functions such as document versioning continue to work without restrictions.

About the author

Prof. Dr. Dirk Heckmann holds the Chair of Law and Security of Digitalization at the Technical University of Munich. His legal opinion, which is made available here, clarifies many important questions regarding the use of cloud solutions such as Microsoft 365 or Microsoft Teams in compliance with data protection requirements and also shows a clear way out of the "cloud dilemma" that has arisen following the Schrems II ruling of the European Court of Justice on the subject of data protection.

Request information

Do you have questions or need additional information? Simply fill out this form and we will get right back to you.

I want to receive information from Rohde & Schwarz via

Marketing permission

What does this mean in detail?

I agree that Rohde & Schwarz GmbH & Co. KG and the Rohde & Schwarz entity or subsidiary company mentioned in the imprint of this website, may contact me via the chosen channel (email or postal mail) for marketing and advertising purposes (e.g. information on special offers and discount promotions) related to, but not limited to, products and solutions in the fields of test and measurement, secure communications, monitoring and network testing, broadcast and media, and cybersecurity.

Your rights

This declaration of consent may be withdrawn at any time by sending an email with the subject "Unsubscribe" to Additionally, a link to unsubscribe from future email advertisements is contained in each email sent. Further details on the use of personal data and the withdrawal procedure are set out in the Statement of Privacy.

Your request has been sent successfully. We will contact you shortly.
An error is occurred, please try it again later.