Whenever you see someone recommend Cloudflare or something else that decrypts and re-encrypts TLS for something, esp. for something related to open social media or media storage etc., reply with this picture from the Snowden leaks
@pojntfx Doesn't this mean that every single business that's using CloudFlare is likely in breach of GDPR?

Am I misreading something?

@phil @pojntfx
why?

If you pay another company to process your customers' data, and they promise in a legally binding contract that they will not look at the data, and will only do the processing that you requested, why would you be in breach of GDPR?

@wolf480pl @pojntfx
Articles 13 and 14. Passing data off to a third party requires that the data subject be explicitly notified about where the data is going, for what purpose, what the legal basis for the processing is, how long it's stored, how it's protected, etc.

Also it's a transfer outside of the EU, which necessitates additional scrutiny and reporting (Transfer Impact Assessment).

Article 7 requires that requests for consent must be presented in a way that's clearly different from other matters - this means that putting your GDPR language in a ToS or Privacy Policy where it's not likely to be read isn't sufficient.

CloudFlare and its customers, if they don't notify affected individuals, are very clearly in breach of GDPR, if Cloudflare really is tapping into their customers' traffic.

However, even if CF isn't tapping into their customers' traffic, they're still in breach of GDPR. As a US company, Cloudflare is subject to FISA 702 and the CLOUD Act, which give the US government power to secretly request access to data about any CF customer.

Not to mention, being part of the Data Privacy Framework doesn't absolve US companies from ensuring compliance with GDPR. DPF only means that transfers to certain companies don't require a transfer impact assessment - it doesn't reduce any other obligations.
@phil @pojntfx
hmm ok but those are the same concerns you'd have to deal with when hosting your website on AWS, correct?
@wolf480pl @pojntfx
Yeah, of course. That's why I don't use US-based services if I can avoid it. The American government has been very clear that it's hostile to both their own citizens, and even more hostile to foreigners.

@phil @pojntfx
Right.
But many EU-based companies host their websites on AWS and show the consent popups, and some of these popups even have a "reject" button right next to the "accept" button, so I think it's possible to be compliant?

Another way is to, like

not collect personal data

@wolf480pl @pojntfx
You're thinking about the cookies.
That's a different thing entirely - cookies are for tracking, not internal processing of that data.

IP addresses are personal data under GDPR, as they can be used to identify the person who is accessing the service.

Even if a business chose to not collect personal data, if they host their services on AWS or other US-based hosting providers, those providers still get that information.

"Not collecting personal data" is something you have to proactively do and enforce across your entire business, including business partners and vendors.