Content Delivery Networks (CDNs) and the GDPR
Content Delivery Networks (CDNs) are designed to help deliver content to internet users in a faster and more reliable way. Some CDN providers also offer security tools to help detect and prevent malicious activity.
But CDNs also raise data protection and privacy issues. If you’re subject to the EU or UK General Data Protection Regulation (GDPR), you should carefully consider whether you can use a CDN in a legally-compliant way.
This article explores the key GDPR and ePrivacy issues to consider when deciding whether to use a CDN or when choosing a CDN provider.
Content Delivery Networks and Personal Data
Here are the basics of how a CDN works, in simple terms.
When a user accesses a website, the website’s content must be delivered to that user’s device. But the content might be delivered from servers thousands of miles from the user’s location. This can result in a slow and unreliable online experience.
A CDN provider owns a network of servers across the world. If a website operator uses a CDN, the CDN provider can determine the fastest way to deliver web content to each visitor based on their location.
Routing each visitor to the nearest server means the CDN provider handles data about that visitor, and anything involving personal data raises privacy, data protection, and legal compliance questions. Sometimes these questions can get complicated.
Content Delivery Networks as Data Processors
The GDPR applies mainly to “data controllers” (or “controllers”)—organisations that decide how and why to process personal data. A company operating a website or delivering online services directly to customers is normally a controller for these purposes.
A controller can use a “data processor” (or “processor”) to process personal data on its behalf. Data processors can include CDNs, and also providers of analytics, customer services, and many other services that require personal data.
The GDPR governs the relationship between controllers and processors—in this context, website operators and CDN providers.
The law’s rules ensure that the controller remains accountable even when a processor is working on the controller’s behalf. You cannot outsource accountability under the GDPR.
The GDPR’s rules on processors, set out at Article 28 of the GDPR, mean you must conduct due diligence before using a CDN.
You must ensure that the CDN provider can comply with the GDPR, including by keeping data secure and helping you facilitate people’s rights.
Among other things, the CDN provider must show it can meet the GDPR’s security requirements at Article 32 of the GDPR, including the following:
- Pseudonymizing or encrypting personal data where appropriate.
- Ensuring the ongoing confidentiality, integrity, and availability of personal data.
- Regularly testing data processing systems.
You must be able to demonstrate that you have taken security considerations into account when deciding to use a CDN. Don’t use a CDN provider unless you’re sure it will meet the GDPR’s requirements.
Case study: A public body in Portugal was fined €4.3 million over its use of a CDN (Cloudflare), partly because it had signed up to use the CDN without conducting due diligence or negotiating terms with the provider.
Data Processing Agreement
You must have a “data processing agreement” in place with a CDN provider that acts as your processor. A data processing agreement is a binding contract that includes a set of mandatory data protection clauses.
Article 28 (3) of the GDPR lists the necessary elements of a data processing agreement. Among other things, the data processing agreement must require the CDN provider to do the following things:
- Only process personal data under your written instructions.
- Implement the GDPR’s security requirements.
- Only hire a “subprocessor” (another processor working on the CDN’s behalf) with your written permission.
CDN providers normally have standardised data processing agreements for use with their customers. Don’t sign a data processing agreement without carefully reviewing it and negotiating any necessary changes.
Content Delivery Networks and International Data Transfers
The GDPR contains strict rules on “international data transfers” that are relevant to using a CDN.
Generally speaking, these rules apply whenever a controller or processor subject to the GDPR makes personal data accessible to another organisation located outside of the European Economic Area (EEA).
These rules also apply in the UK—but in a slightly different way. We’ll focus on how the rules apply in the EU and the wider EEA.
CDNs and International Data Transfers
If you’re considering using a CDN provider based outside of the EEA—or a CDN with servers located outside of the EEA—you must consider how you will comply with the GDPR’s international data transfer rules.
We need to introduce the following two terms to explain how international data transfers work:
- Data exporter: You (in this scenario), as the customer of a CDN based outside of the EEA.
- Data importer: The non-EEA-based CDN.
The GDPR only allows an international data transfer to take place using what is sometimes called a “transfer mechanism”.
We’ll now look at two of the most common transfer mechanisms to help you understand which one might apply if you’re considering using a CDN provider based outside of the EEA.
Adequacy Decisions
If a country has an “adequacy decision”, this means that the European Commission has investigated the country’s data protection, privacy, and national security laws and declared that they are “essentially equivalent” to those of the EU.
The Commission has adopted several adequacy decisions and publishes the current list on its website.
Transferring personal data to a company based in an “adequate” country is easy. You still need to comply with the GDPR, but you can effectively treat the company as though it was in the EEA.
However, not many countries have an adequacy decision. And one country in particular has a somewhat volatile relationship with the EU’s adequacy process.
On 10 July 2023, the US received an adequacy decision for the third time, the previous two US adequacy decisions having been overturned by the EU’s top court.
The US adequacy decision is different from the others. The decision only covers companies that are signed up to a scheme called the EU-US Data Privacy Framework (EU-US DPF). Most US-based CDN providers are likely to certify under the EU-US DPF.
However, like the US adequacy decisions that came before it, the EU-US DPF might not last forever.
When the EU-US DPF’s predecessor was invalidated, many European businesses continued transferring personal data to US companies. Some received fines or other sanctions for breaching the GDPR’s data transfer rules.
The latest EU-US DPF will be challenged in court, too—so businesses could end up in this same legal limbo within a few years.
Case study: In 2021, after the EU’s previous US adequacy decision had been overturned, a German website used a CDN (Akamai) to manage cookies. A court initially found that the website operator using the US-based CDN violated the GDPR’s data transfer rules.
Standard Contractual Clauses (SCCs)
There are other options for transferring personal data to CDNs based outside of the EEA. The most common alternative transfer mechanism is known as “standard contractual clauses” (SCCs).
SCCs are pre-written clauses that can be inserted into a contract between a data exporter and a data importer.
SCCs are legally binding and require the data importer to protect imported personal data to EU-equivalent standards. This includes only using the personal data for specific purposes, upholding people’s data protection rights, and keeping the data secure.
But there’s a problem with SCCs, too.
One of the main reasons for the GDPR’s international data transfer rules is to keep people in the EU safe from surveillance by foreign governments.
SCCs cannot always prevent this risk of surveillance. Contracts do not override national law and will not relieve a CDN of any legal obligations to allow its home government access to users’ data.
The EU’s data protection regulators have proven to have a very low tolerance for risk when it comes to data transfers to countries without an adequacy decision. If a CDN provider can “see” personal data, your users could be vulnerable to surveillance.
As such, a lot of due diligence, risk assessment, and technical safeguards are necessary before using a CDN based outside of the EEA or the EU’s network of “adequate” countries.
Content Delivery Networks and Security
CDNs can improve network security—particularly protection against distributed denial of service (DDoS) attacks, which attempt to overwhelm a website with traffic to render services or data inaccessible.
But like practically any online tool or service, CDNs are vulnerable to a range of security threats, including:
- Data breaches: CDNs store large amounts of data in caches, which are potentially vulnerable to loss and unauthorised access.
- Domain hijacking: Malicious actors can take control of a legitimate domain for use in phishing and other social engineering scams. CloudFront, a CDN provided by Amazon Web Services (AWS), has been subject to widespread domain hijacking attacks.
- Cache poisoning: An attack that tricks a cache into storing a harmful response, which the cache then serves to other users of the site.
As noted, careful due diligence can help protect against CDN-related security threats. But you are also responsible for implementing and using a CDN securely.
Case study: A UK government department published the home addresses of a list of high-profile individuals on its website. Although the government took the page down, its CDN had stored the data in caches, meaning that the data was still accessible to anyone with the URL.
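Whether a CDN copy outlives a takedown like the one in the case study depends on the cache-lifetime headers the origin sent. The following Python is an added example, not code from the article or any CDN vendor: it applies simplified RFC 9111 shared-cache rules to a response's headers to report how long an edge copy may be served, and the header values are constructed samples.

```python
"""Decide whether a shared cache such as a CDN may keep serving a response.
Simplified RFC 9111 freshness rules; an added example, not code from the
article or any CDN provider. no-cache is deliberately not treated as no-store:
it still permits storage and only forces revalidation."""
from email.utils import parsedate_to_datetime

HEURISTIC = "heuristic"  # no explicit lifetime stated: the CDN's default TTL applies

def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_ttl(headers):
    """Seconds a shared cache may still serve its copy: 0 means the response
    must not be stored at all, HEURISTIC means the CDN picks its own lifetime."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:  # shared caches must not store
        return 0
    age = int(h["age"]) if h.get("age", "").isdigit() else 0
    for directive in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        arg = cc.get(directive) or ""
        if arg.isdigit():
            return max(0, int(arg) - age)
    if "expires" in h and "date" in h:  # fallback: explicit expiry time
        try:
            lifetime = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
        except (TypeError, ValueError):
            return 0  # RFC 9111: an unparseable Expires means already stale
        return max(0, int(lifetime.total_seconds()) - age)
    return HEURISTIC

def cdn_copy_may_outlive_takedown(headers):
    """True if deleting the page at the origin could leave a copy at the edge."""
    ttl = shared_cache_ttl(headers)
    return ttl == HEURISTIC or ttl > 0

# Constructed sample responses: a page carrying personal data served with a
# typical default policy, and the same page with headers that keep CDNs out.
LEAKY_HEADERS = {"Date": "Mon, 01 Jan 2024 00:00:00 GMT",
                 "Cache-Control": "public, max-age=3600", "Age": "600"}
SAFE_HEADERS = {"Cache-Control": "no-store, private"}
```

Pages that carry personal data should be served with the SAFE_HEADERS policy so that taking the page down at the origin is enough; for anything already cached, the CDN's purge API still has to be invoked.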
Content Delivery Networks and Cookies
Under an EU law called the ePrivacy Directive, setting most cookies requires the user’s informed consent. There are exceptions for cookies necessary to facilitate communications over a network or provide a service requested by the user.
Some of the cookies set by CDNs will fall under one of the ePrivacy Directive’s exceptions, meaning that they do not require consent. These include cookies used for load balancing and some security purposes—provided they are not stored for longer than necessary.
However, the EU’s cookie laws are relatively strict. All marketing cookies, most analytics cookies, and even some functional or security cookies require consent.
The GDPR also applies to cookies that collect personal data. This comes with some important implications, including the following:
- A cookie that collects unnecessary personal data could violate the GDPR’s “data minimisation” principle, even if the cookie is only set with consent.
- A cookie that transfers personal data outside of the EEA could violate the data transfer rules.
- Cookies should not be used for multiple incompatible purposes (e.g. “security” cookies that are also used to track users for analytics).
Case Study: Cloudflare’s __cfduid Cookie
CDN provider Cloudflare used the __cfduid cookie to detect bots on its customers’ sites. This cookie collected users’ IP addresses and sent them to Cloudflare.
Bot detection can be a legitimate security measure—if done correctly. The French regulator recently decided that Google’s reCAPTCHA bot detection tool requires consent because of how it collects and transfers personal data.
In 2021, Cloudflare announced it would stop using the __cfduid cookie due to privacy concerns. The company said it would seek a way to detect bots without collecting IP addresses.
Content Delivery Networks: Five Crucial GDPR Considerations
- Conduct thorough due diligence to ensure the CDN provider can comply with the GDPR.
- Check the CDN provider’s data processing agreement and negotiate the terms if necessary.
- Consider whether you can mitigate any issues under the GDPR’s international data transfer rules.
- Use the CDN in a secure and compliant way.