Because we believe earning and maintaining customer trust is essential, Cloudflare has had data protection safeguards in place since well before the “Schrems II” case (Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems), including many of the additional safeguards recommended by the EDPB in its post-Schrems II guidance (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted on 18 June 2021).
Cloudflare has a strong commitment to transparency and accountability regarding processing of personal data as described above, and our DPA makes many of these commitments contractually binding. When we issued our very first transparency report in 2014 for legal process received in 2013, we pledged that we would require legal process before providing any government entity with any customer data outside of an emergency and that we would provide our customers with notice of any legal process requesting their customer or billing information before disclosure of that information unless legally prohibited. We publicly stated that we have never turned over encryption keys to any government, provided any government a feed of content transiting our network, or deployed law enforcement equipment on our network. We also committed that if we were asked to do any of those things, we would “exhaust all legal remedies in order to protect our customers from what we believe are illegal or unconstitutional requests.” Since those days early in Cloudflare’s history, we have restated those commitments twice a year, and even expanded on them, in our Transparency Reports.
We have also demonstrated our belief in transparency and our commitment to protecting our customers by filing litigation when necessary. In 2013, with the help of the Electronic Frontier Foundation, we legally challenged an administratively issued U.S. national security letter (“NSL”) to protect our customer’s rights because of provisions that allowed the government to restrict us from disclosing information about the NSL to the affected customer. Cloudflare provided no customer information in response to that request, but the non-disclosure provisions remained in effect until a court lifted the restrictions in 2016.
We have frequently stated our position that any government requests for personal data that conflict with the privacy laws of a person’s country of residence should be legally challenged. (See, for example, our Transparency Report and our white paper, Cloudflare’s policies around data privacy and law enforcement requests, on government requests for data.) The EDPB recognized that GDPR might pose such a conflict in this assessment. Our commitment to GDPR compliance means that Cloudflare would pursue legal remedies before producing data identified as being subject to GDPR in response to a U.S. government request for data. Consistent with existing U.S. case law and statutory frameworks, Cloudflare may ask U.S. courts to quash a request from U.S. authorities for personal data based on such a conflict of law.
Our standard data processing addendum (“DPA”) for our customers incorporates the above-described supplementary measures and safeguards as contractual commitments. You can view these contractual commitments in section 7 of our DPA. Last but not least, we have in place robust security measures and encryption protocols, which can be viewed in Annex 2 of our DPA.
We will continue to apply these supplementary measures and safeguards in addition to the additional safeguards afforded under EO14086.
As always, we are continuing to monitor ongoing developments in this space and will ensure our ongoing compliance with EU GDPR Articles 44 and 46. During this time, we will continue to follow our commitments under existing DPAs, our commitments under the current SCCs, and our commitments under our Data Privacy Frameworks certification.