What Professionals Bound by Confidentiality Need to Know About Cloud Use

As of 18 August 2026, the eEvidence Regulation (EU) 2023/1543 will fully enter into force. It fundamentally changes how law enforcement authorities within the EU can access electronic data — including data stored with cloud service providers.

For professionals bound by confidentiality such as doctors, psychotherapists, lawyers, or tax advisors, this represents a significant shift that raises both data protection and professional law concerns. As a provider of a secure cloud solution, we would like to clarify what is changing and what the practical implications are.

What Does the eEvidence Regulation Govern?

The Regulation creates a procedure that allows authorities in one EU Member State to directly request data from cloud and communications providers in another EU country. The previously required mutual legal assistance process is no longer necessary.

The following types of data may be requested:

  • Subscriber data (e.g., name, email address)

  • Traffic and metadata (e.g., IP addresses, timestamps)

  • Content data (documents, messages, files)

This shifts responsibility to the cloud provider, who becomes the direct addressee of official orders.

Protection Against Seizure and Professional Confidentiality: Where It Becomes Critical

In Germany, patient data is subject to special protection.

Under Section 97 of the German Code of Criminal Procedure (StPO), documents covered by medical confidentiality are generally protected from seizure.

However, this protection applies to documents in the custody of the physician — traditionally within the medical practice.

What About Data Stored in the Cloud?

Anyone storing patient data in:

  • a practice cloud

  • a document management system

  • or the electronic patient record (ePA)

entrusts that data to an external service provider. This is where legal uncertainty arises:

Authorities in other EU Member States could argue that protection against seizure does not apply to data stored with a cloud provider.

Additionally, a cloud provider is generally unable to assess whether the requested data is subject to professional secrecy.

What Obligations Do Cloud Providers Have?

The Regulation obliges providers to cooperate. This means:

  • Data must be disclosed upon valid order

  • Substantive legal review is usually not possible for the provider

  • Metadata is often stored in plaintext and is therefore particularly sensitive

For professionals bound by confidentiality, the risk therefore shifts toward the technical architecture of the chosen cloud solution.

What Does This Mean for Choosing a Cloud Service?

Anyone processing sensitive data should pay even closer attention to technical protection mechanisms in the future. In our view, three factors are decisive:

1. Strict End-to-End Encryption (E2EE)

Only if the provider has no technical access to content can confidentiality be ensured. Encryption keys must remain fully under the user’s control.

2. Protection of Metadata

File names, folder structures, or patient record references must not be visible in plaintext.

3. Security as an Integral Part of the Architecture

Security functions must not be optional or deactivatable. Misconfigurations must be technically prevented.

How TeamDrive Addresses the eEvidence Regulation

We are also subject to the Regulation and must cooperate within the legal framework. The decisive question, however, is which data we actually know — and which we do not.

Our architecture ensures that:

  • All content is consistently end-to-end encrypted

  • Encryption keys remain exclusively with the user

  • Requested content can only be handed over in encrypted form

  • We are technically unable to decrypt user data

What Data Can We Disclose?

Only information we actually know, such as:

  • Customer email address

  • Time of last login

  • IP address of last login

We do not know:

  • File contents

  • Names of patient files or documents

  • Relationships between users or sharing structures

An Important Point for Professionals Bound by Confidentiality

Our security architecture is not optional. It cannot be disabled and therefore protects not only against external access but also against accidental misconfiguration.

This significantly reduces personal liability risks — an aspect often underestimated in daily practice.

Conclusion: eEvidence Changes the Requirements for Cloud Compliance

The eEvidence Regulation marks a paradigm shift in European law enforcement. For professionals bound by confidentiality, this means:

Legal safeguards alone are no longer sufficient.

Technical security becomes the decisive factor.

Anyone using cloud services should verify whether their solution:

  • Provides genuine end-to-end encryption

  • Effectively protects metadata

  • Allows only technically limited disclosure even in the event of official orders