January 7 2023

CloudFlare and GDPR. How are things?

Let's find out together what the current situation is regarding CloudFlare and the GDPR.


UPDATE: On 10 July 2023 the European Commission adopted the new agreement on data transfer between the European Union and the United States.

The Data Privacy Framework will officially come into force on 11 July 2023. According to the European Commissioner for Justice, Didier Reynders, who presented the new regulatory framework, the United States will guarantee an adequate level of protection for all personal data transferred from the European Union to US companies, in a similar way to that guaranteed within the Union itself.

From 11 July onwards, personal data collected in the European Union can begin to be transferred freely again to US companies participating in the initiative, without the need for further data protection guarantees. The data can therefore be shared only with those companies that undertake, by signing it, to respect the agreement.

As a consequence, CloudFlare is to be understood as compliant with the GDPR, contrary to what emerges from the following text, which is now obsolete.

CloudFlare is a performance optimization solution that works as a reverse proxy, i.e. it acts as an intermediary between the website and the visitors who request it. CloudFlare provides a worldwide distributed proxy network that allows you to deliver content to visitors faster, reducing latency and data transfer time.


However, using CloudFlare as a reverse proxy might raise some issues in relation to the GDPR regulation on the protection of personal data. In particular, there is a risk that site visitor data will be exported to non-European countries which may have less stringent data protection regulations than European ones.

The GDPR, or the General Data Protection Regulation, is a European regulation that aims to protect the personal data of citizens of the European Union. The GDPR establishes a set of rules for the processing of personal data that must be respected by anyone who processes this type of information, regardless of their location or activity.

One of the fundamental principles of the GDPR is that of the protection of personal data even outside the European Union. For this reason, the GDPR expressly prohibits the export of data to non-European countries that do not guarantee an adequate level of protection of personal data.

The GDPR considers the level of personal data protection of a non-European country adequate only if this country has adopted laws and regulations that guarantee a level of protection comparable to that provided for by the GDPR. In the absence of these guarantees, the GDPR prohibits the export of data to these countries in order to protect the personal data of citizens of the European Union.

This has also raised doubts and concerns on the part of some personal data protection supervisors and European courts of justice. For example, the Austrian Data Protection Authority has expressed concern that data from visitors to Austrian sites may be processed outside the European Union through CloudFlare.

Furthermore, the Court of Justice of the European Union has raised doubts on the compatibility of using CloudFlare as a reverse proxy with the GDPR regulation, underlining that there may be risks for the protection of visitors' personal data.

A brief personal critical analysis.

There is no doubt that the GDPR, or the General Data Protection Regulation, has introduced a series of stringent rules for the processing of personal data, in order to guarantee an adequate level of protection of the personal data of citizens of the European Union. However, some companies argue that these rules are penalizing European companies for using US services such as CloudFlare.

The reason for this penalty lies in the provision of the GDPR which prohibits the export of data to non-European countries that do not guarantee an adequate level of protection of personal data. The United States, for example, is not considered a country with a level of data protection comparable to that required by the GDPR, which means that European companies cannot use US services such as CloudFlare for the processing of their customers' personal data.

This arrangement could be a problem for some businesses, especially those that need services like CloudFlare to protect against DDoS attacks or hackers. In these cases, in fact, the use of CloudFlare could be prohibited by the GDPR, even if this service would represent the only effective solution for protecting themselves.

We hope that it will be possible to find a meeting point between the European Union and the United States to restore the Privacy Shield. The Privacy Shield was an agreement between the EU and the US that regulated the transfer of personal data from the EU to the US. The agreement was signed in 2016 to replace the Safe Harbor agreement, which had been invalidated by the Court of Justice of the European Union.


The Privacy Shield ensured an adequate level of protection for the personal data of citizens of the European Union even when this data was transferred to the United States. However, in 2020 the Court of Justice of the European Union declared the Privacy Shield invalid, arguing that the level of protection of personal data guaranteed by the agreement was not high enough.

The reintroduction of the Privacy Shield could represent an important step towards ensuring greater protection of the personal data of citizens of the European Union even when this data is transferred to the United States.
