Can Cloudflare be used permissibly?

The issue of whether US SaaS providers can be used permissibly or whether products such as Jira, Zendesk, various CRM systems and others do not violate data protection law has actually been clear since the ECJ’s Schrems II decision(see here).

Key Facts

The Schrems II decision against US SaaS providers is crucial for data protection in Germany.
Cloudflare could violate the GDPR if users' personal data is affected.
Cologne Higher Regional Court found that Cloudflare is liable for copyright infringements when using temporary DDoS.
Data encryption is a key point that Cloudflare mentions in its privacy policy.
Zendesk offers extensive encryption standards such as HTTPS/TLS for secure working.
It is currently not possible to select the storage location of the data with Cloudflare.
The use of Cloudflare should be carefully checked by data protection officers.

As things stand, you can find out how to offer SaaS system as a US provider in Germany in a longer article here.

By the way, this issue affects many popular WordPress plugins and services like Cloudflare. In the case of Cloudflare, it is especially true that the OLG Cologne has just ruled that the provider would be liable for copyright infringement(see this post). Because Cloudflare, at least if you use more than just the services to possibly prevent DDoS attacks, stores the content itself on their servers to provide caching and CDN services. What is not very problematic for a normal website that ONLY provides content, such as a blog or similar (apart from the copyright infringements relevant in the OLG Cologne case), is no longer so unproblematic for dynamic content and personal user data. This would affect, for example, forums, communities, and sites that you can log into. Although a CDN does not log user data as such, it does log the personal data that is entered when using the portal. At least, if the provider does not configure CDN usage properly and excludes dynamic user content.

In all places where Cloudflare’s caching or CND services are used, the storage on whichever Cloudflare servers is used is not only for the transmission of the requested information. However, due to the missing Privacy Shield requirements, this probably leads to the fact that a GDPR-compliant use of Cloudflare is not possible, at least if, as explained above, personal data of the users are affected. This is because a contract processing agreement is out of the question. And as pointed out in my article on offering SaaS services, the strict view is that corporate binding rules or standard contractual clauses are probably not possible either.

It might be possible to fully encrypt all data, as Amazon is apparently currently doing with AWS in the European data centers, but I couldn’t find anything about this at Cloudflare at the moment. The link to the privacy policy there does not work. A closer look reveals an English-language privacy statement that explains that the Privacy Shield is no longer used, but is very vague about the alternatives.

Thus, the only point to the encryption

10. DATA SECURITY, DATA INTEGRITY AND ACCESS

We take all reasonable steps to protect information we receive from you from loss, misuse or unauthorized access, disclosure, alteration and/or destruction. We have put in place appropriate physical, technical and administrative measures to safeguard and secure your information, and we make use of privacy-enhancing technologies such as encryption. If you have any questions about the security of your personal information, you can contact us at privacyquestions@cloudflare.com.

It may be doubted whether this is sufficient for an official data protection officer to scrutinize particularly strictly. Providers such as Zendesk are already much further ahead in this respect from their own testing for clients and regulate, for example:

Data-in-Transit encryption

All communications with Zendesk’s user interfaces and APIs are encrypted using industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Zendesk is secure. For email, we use opportunistic TLS by default. Transport Layer Security (TLS) is a protocol for secure encryption and delivery of email that prevents eavesdropping between mail servers as long as peer services support this protocol. Exceptions to encryption include, but are not limited to, use of product-integrated SMS features and third-party applications, integrations, or services that Subscribers use at their discretion.

Data-at-Rest Encryption

Service data is encrypted on AWS using data-at-rest encryption (AES-256).

There is also the problem that, as far as I know at the moment, Cloudflare, unlike AWS etc., does not allow you to choose where the data is stored. While a website operator would have to provide this information, he will probably not receive an answer from Cloudflare.

Conclusion: The use of Cloudflare should be well thought through by your own data protection officer.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.