Processing of EU user PII after EU-US Privacy Shield invalidation

The “EU-US Privacy Shield” was one of the legal mechanisms used by certified organizations to transfer PII (personally identifiable information) from the European Union to the US without violating the GDPR. Emphasis on was - see “The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield”.

Considering that Cloudflare’s DDoS protection suite sees (thus “processes”) each and every HTTP request and response in its unencrypted form, it’s unavoidable that at least some of it will contain PII. Since Cloudflare is a US company that (according to the privacy policy) used to (at least partially) rely on this scheme, the question arises “what’s next?”.

How is Cloudflare going to comply (and by extension allow website owners to continue using its service while complying) with the new legal landscape in terms of processing EU user PII?

I’m sure Cloudflare’s extensive legal team is going to comply with the legal landscape entirely; however, this is not a legal forum you can use to ask CF legal any questions, and I’m not aware of anyone from Legal ever posting here on the forum (doing so would probably increase liability if anything).

If you’re a pay-as-you-go Cloudflare customer, you can view the current DPA at CLOUDFLARE DATA PROCESSING ADDENDUM, which is as far as you’ll get in official info. If you’re an Enterprise customer, you can contact either your representative or support for a direct answer.

Thank you for reaching out about the Court of Justice of the European Union’s (“CJEU’s”) recent decision invalidating the EU-US Privacy Shield paradigm in the “Schrems II” case (Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems). First, we want to assure you that this decision does not change the strong data privacy protections Cloudflare has in place for the personal data that we process on your behalf.

Following the Schrems II decision, Standard Contractual Clauses (SCCs) remain unaffected and a valid transfer mechanism under GDPR. Consequently, Cloudflare will continue to utilize the SCCs mechanism, which is included in our standard Data Processing Addendum (DPA), to transfer personal data outside the EEA and adequate countries. So, if you haven’t already, we recommend you accept the current Cloudflare DPA that we have made available in the customer Dashboard. When you are in your Dashboard, please go to the Configurations tab, and then Preferences. Please review and accept the DPA there. You can find more information about our DPA here.

Respect for privacy and protection of personal data are at the core of our business, and we take our obligations under GDPR very seriously. We are continuing to monitor ongoing developments in this space and will ensure our ongoing compliance with the EU GDPR Articles 44 and 46. During this time, we will continue to follow our commitments under existing DPAs and our commitments under the SCCs.

