Cloudflare is a so-called Content Delivery Network (CDN). It is often used for reasons of convenience, but also because it may load content faster. This requires consent, as current case law shows.
I don't intend to investigate how much faster content loads with Cloudflare compared to local file storage or retrieval from other servers, as this is not crucial. Rather, I want to know whether Cloudflare can be used lawfully. By convenience, I mean the following: many prefer to link to a file rather than store it locally. Local storage is often possible and would then be data protection compliant in itself.
The motivation for this post is the following judgment of the OLG Cologne (a German higher regional court). It shows that Cloudflare is more than just a short-term cache. Furthermore, it appears that Cloudflare is not interested in helping to clear up unlawful activities by its customers.
As the OLG Cologne determined on 09.10.2020 (Case No.: 6 U 32/20), the service provider Cloudflare is liable for the Content Delivery Network (CDN) it provides. Content stored on the CDN that infringes copyright is therefore also attributable to Cloudflare. The conditions of § 8 TMG regarding exemption from liability did not apply. Nor could § 9 TMG be applied, which provides an exemption from liability for temporary data storage.
Cloudflare is therefore more of a service provider pursuant to § 2 S. 1 Nr. 1 TMG, because Cloudflare does not limit itself to mere transmission but undoubtedly stores the content of its customers' websites on its own servers in the interim.
On 28 April 2021, the European Data Protection Board announced that the Portuguese data protection authority had suspended the data transfer via Cloudflare in the context of the census due to the data transfer to the USA.
Cloudflare stores content from customer websites for longer than is necessary for transmission. The CDN operator itself gives as a reason for storing this data that it reduces the number of requests to its customers' pages. Accelerating page loads and protecting customer websites are also confirmed as reasons. In particular, malicious visitors are to be blocked. One therefore cannot speak of short-term data storage.
It is clearly evident from this that storage on Cloudflare's servers does not serve solely for the transmission of the requested information. This is correct, because Cloudflare is a so-called reverse proxy.
A CDN is not a pure telecommunications service, but also performs significantly different tasks than pure message transmission. See Section 3 No. 61 TKG.
My realization.
The court believes that Cloudflare operates so-called mirror servers in order to keep information redundant. This corresponds to my knowledge of the facts.
Cloudflare operates a DNS resolver to convert a domain address into an IP address. However, this is not specific to a CDN like this one; it always happens.
The court finds that Cloudflare, according to its own advertising, will not pursue legal violations by customers who upload content to the CDN. The so-called Trusted Reporter Program mentioned by Cloudflare is not credible and, according to the court, was also not applied in the aforementioned lawsuit to report the IP address of a provider of illegal content. According to Cloudflare, blocking illegal content through a word filter at domain level is not possible, a claim the court rightly considered to be incorrect.
All in all, Cloudflare apparently takes no responsibility for hosted content and does not bother to establish whether a provider or its content is legally compliant or not.
In my view, a GDPR-compliant use of the Cloudflare CDN is therefore not possible. A data processing agreement (AVV), at least, does not apply. Agreeing on joint liability would be suicidal. Suitable guarantees (such as Binding Corporate Rules or Standard Contractual Clauses) cannot be legally concluded.
Those who want to know from which server, and from which server location, a file was retrieved will probably not receive any information from Cloudflare. This information would have to be provided by a website operator (or the responsible authority) in order to possibly prove that no data transfer has taken place to insecure third countries.
If the server from which a file for a website was retrieved is not located in an insecure third country, the question of the provider itself still needs to be answered:
According to the privacy policy on the Cloudflare website, Cloudflare is a company based in the US.
When I accessed a website that uses Cloudflare for testing, the IP address 104.16.148.64 was retrieved. According to an IP location service, the following information is provided (as of March 31, 2021):

Apparently, a data transfer is taking place that is related to an insecure third country. This is only permitted in accordance with Article 44 of the GDPR upon consent. On the meaning of the entry:
The location of servers cannot usually be reliably determined via their IP address. However, it is sufficient for the operator of the server to have a US connection in order to run into the Privacy Shield problem. The provider Cloudflare is mentioned here. Cloudflare is an American company whose data can be accessed by American intelligence services. The secret service does not care where Cloudflare has its servers. After all, any server in the world for which the access data is known can be accessed via a terminal. Even Cloudflare's European subsidiaries (if there are any) do little to change this because the assets are located in the USA. The US parent company is authorized to issue instructions to the EU subsidiaries. If this were otherwise, the American parent would have to and could prove it. Such evidence has not yet been provided by Google, Microsoft or Cloudflare.
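As an added example (not part of the original post): because the operator behind an address matters more than its geolocation, a site operator can check which third-party resources on a page resolve into Cloudflare's address ranges. The page markup, hostnames and DNS answers below are constructed, and the range list is an excerpt of Cloudflare's published IPv4 ranges that is assumed to be current.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Excerpt of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/).
# Snapshot only: refresh from the published list before relying on it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "162.158.0.0/15", "141.101.64.0/18", "188.114.96.0/20",
)]

class ResourceHosts(HTMLParser):
    """Collect hostnames of externally loaded scripts, styles, images, frames."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link", "img", "iframe"):
            return
        for name, value in attrs:
            if name in ("src", "href"):
                host = urlparse(value or "").hostname  # None for relative URLs
                if host and host != self.own_host:
                    self.hosts.add(host)

def served_by_cloudflare(ip):
    """True if the address lies in one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def audit(html, own_host, resolve):
    """Return {third-party host: (ip, in_cloudflare_range)}."""
    parser = ResourceHosts(own_host)
    parser.feed(html)
    report = {}
    for host in sorted(parser.hosts):
        ip = resolve(host)  # in real use: socket.gethostbyname
        report[host] = (ip, served_by_cloudflare(ip))
    return report

# Constructed sample page and DNS answers; hostnames are hypothetical.
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example-lib.test/lib.min.js"></script>
<img src="https://static.example.org/logo.png">
"""
SAMPLE_DNS = {"cdn.example-lib.test": "104.16.148.64", "static.example.org": "192.0.2.10"}
```

Calling `audit(SAMPLE_HTML, "www.example.org", SAMPLE_DNS.get)` flags only the script host, whose constructed DNS answer is the address 104.16.148.64 mentioned above.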
Conclusion
So great the benefit of Cloudflare




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
