
Sweden’s Integritetsskyddsmyndigheten (IMY), the national data protection authority, has published a final report providing detailed legal guidance on the use of Trusted Execution Environments (TEEs) for processing personal data outside an organization’s own infrastructure. The report, released through IMY’s innovation sandbox programme, is the first European regulatory assessment of TEEs grounded in a real operational deployment scenario, conducted in collaboration with Volvo Group, Ericsson, and CanaryBit. It represents a significant step forward for Confidential Computing adoption across regulated industries.
The Use Case: Vehicle Telemetry and the Data Sovereignty Problem
The project centered on a concrete challenge in the connected vehicle space. Trucks equipped with cameras and sensors generate continuous streams of video, positioning, and telemetry data. Processing this data onboard is not technically feasible, but transmitting it to an external cloud environment raises an immediate GDPR question: once data leaves a controlled environment, does the data controller retain the technical control that Article 32 requires?
IMY examined whether TEEs – hardware-enforced enclaves in which code executes and data is processed in cryptographic isolation from the surrounding infrastructure – could provide a legally sufficient answer. The conclusion: yes, under specific architectural conditions.
What IMY Found
IMY’s report establishes several findings of broad relevance to the Confidential Computing community:
TEEs qualify as a technical safeguard under GDPR Article 32. Unlike contractual controls alone, properly implemented TEEs provide cryptographic rather than merely contractual assurance. The enclave’s isolation is enforced by hardware; it cannot be overridden by the infrastructure provider. IMY describes this as shifting the basis of trust from promises to verifiable proof.
The verifier (attestation function) is where GDPR accountability lives. IMY’s most significant finding concerns the role of remote attestation: the mechanism, standardized in IETF RFC 9334, by which a relying party verifies that a TEE is genuine and operating in an approved state. When the data controller retains control of the attestation function and the encryption keys, IMY concludes the infrastructure provider cannot be considered a data controller or joint controller, and may not even meet the traditional definition of a data processor. Effectively, the provider supplies compute and nothing more, because it has no technical pathway to the data.
Architectural choices determine legal outcomes. IMY’s analysis makes clear that the specific implementation matters: who controls attestation, who holds keys, and how frequently integrity checks occur all affect how GDPR roles and obligations are assigned. This provides actionable guidance for architects designing TEE-based systems in regulated environments.
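The sketch below is an added example, not code from the IMY report or from the project partners. It models the arrangement described in the findings above: the data controller runs the verifier, holds the data key, and releases it only against fresh evidence with an approved measurement. The class and function names, the 300-second freshness window, and the HMAC stand-in for a hardware-rooted signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# All values below are constructed for illustration; none come from the IMY report.
GOOD_MEASUREMENT = hashlib.sha256(b"telemetry-pipeline-v1").hexdigest()
APPROVED_MEASUREMENTS = {GOOD_MEASUREMENT}   # reference values chosen by the controller
MAX_EVIDENCE_AGE_S = 300                     # assumed freshness window
# Stand-in for the hardware root of trust. Real TEEs sign evidence with a
# vendor-rooted asymmetric key; HMAC keeps this sketch standard-library only.
HW_KEY = b"simulated-hardware-attestation-key"


def make_evidence(measurement, nonce, key=HW_KEY):
    """Attester (TEE) side: bind the code measurement to the verifier's nonce."""
    body = f"{measurement}|{nonce.hex()}".encode()
    return {"measurement": measurement, "nonce": nonce,
            "sig": hmac.new(key, body, hashlib.sha256).digest()}


class ControllerVerifier:
    """Verifier and data key both held by the data controller, not the provider."""

    def __init__(self, data_key):
        self._data_key = data_key
        self._issued = {}                    # nonce -> time the challenge was issued

    def challenge(self, now):
        nonce = os.urandom(16)
        self._issued[nonce] = now
        return nonce

    def release_key(self, evidence, now):
        """Return (key, reason); key is None unless every appraisal check passes."""
        body = f"{evidence['measurement']}|{evidence['nonce'].hex()}".encode()
        expected = hmac.new(HW_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, evidence["sig"]):
            return None, "bad signature"
        issued = self._issued.pop(evidence["nonce"], None)   # nonces are single use
        if issued is None:
            return None, "unknown or replayed nonce"
        if now - issued > MAX_EVIDENCE_AGE_S:
            return None, "evidence too old"
        if evidence["measurement"] not in APPROVED_MEASUREMENTS:
            return None, "measurement not approved"
        return self._data_key, "ok"
```

Every rejection path returns no key, so a party that can only run or observe the workload, without the approved code and a fresh challenge, never receives the material needed to decrypt the data.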
Why This Matters for the Confidential Computing Ecosystem
Regulatory uncertainty has been one of the persistent friction points slowing Confidential Computing adoption. Organizations in healthcare, financial services, automotive, and other sectors understand the technical value of TEEs but have faced difficulty mapping that value onto compliance frameworks written before hardware-enforced confidentiality was practical at scale.
The IMY report, alongside prior assessments such as Germany’s BSI guidance, begins to fill that gap. It provides a jurisdiction-specific, use-case-grounded framework that compliance teams can reference, and it does so in terms that speak directly to how TEE architectures function in practice, drawing on established standards like RFC 9334.
For CCC projects and the broader open source Confidential Computing ecosystem, this kind of authoritative regulatory clarity is a meaningful accelerant. It reduces the cost and complexity of compliance analysis for organizations evaluating TEE-based architectures and establishes a precedent that other regulators across Europe and beyond may follow.
Read the Report
The full IMY publication, “Use of Trusted Execution Environment,” is available in English at imy.se.
This post was contributed by CanaryBit, a CCC member and participant in the IMY innovation sandbox project that produced the guidance described above.
AI Disclosure
This post used artificial intelligence tools for research, structural assistance, or grammatical refinement. The final content was reviewed, edited, and validated by human contributors to CCC to ensure accuracy and alignment with our community standards. We remain committed to transparency in the use of generative technologies within the open source ecosystem.