Cloudflare response to the European Commissions Inception Impact

Assessment on Improving Cross-Border Access to Electronic Evidence in

Criminal Matters.

August 2017

Introduction

Cloudflare is an Internet security company working to help build a better Internet. We run a
Content Distribution Network and are the largest and fastest provider of Domain Name System
(DNS) services in the world. With 116 data centres in 57 countries, we serve approximately 10% of
global Internet requests. We also protect more than 6 million internet properties globally from
Distributed Denial of Service (DDoS) attacks. Our customers include major eCommerce websites,
Government agencies and financial institutions, as well as smaller web properties.

Cloudflare is pleased to respond to the European Commissions Inception Impact Assessment,

having also attended the stakeholder sessions during the first half of 2017.

Cloudflares approach to law enforcement requests

Cloudflare is a U.S. (San Francisco) headquartered company with customers around the world. We
fully respect the work carried out by law enforcement authorities and appreciate their assistance in
protecting the rights of our customers.

Cloudflare's approach to law enforcement requests for company records or non-public customer
information is that such requests must strictly adhere to the due process of law and be subject to
judicial oversight. Cloudflare is not currently subject to foreign legal jurisdictions and accepts
requests from foreign law enforcement agencies that are issued via a U.S. court either by way of a
mutual legal assistance treaty (MLAT) or a letter rogatory. Cloudflare will, however, engage directly
with verified law enforcement authorities, including EU authorities, by providing them with public
information for any domain name under investigation.

Since 2013, we have published a Transparency Report on a semi-annual basis, which outlines all law
enforcement requests that we receive. It is also our policy to notify our customers of a subpoena or

25 Lavington Street, London SE1 0NZ, United Kingdom www.cloudflare.com +44 (0)20 3713 4479


other legal process requesting their customer or billing information before any disclosure of
information unless a non-disclosure order is provided.

Specific comments on the Commissions proposals

At the outset, the Commission describes the difficulties associated with the MLA process,
which are in large part due to the length of time taken to process requests. While accepting
and appreciating that the process is currently very lengthy, disproportionately cumbersome
and can often frustrate law enforcement efforts, we would question if these delays and
bottlenecks could not be properly addressed before advancing with an ambitious and
complex legislative initiative. MLAT reform should be duly considered.

Cloudflare agrees with the European Commission that the authority to directly request or
compel a service provider located outside of the EU and/or involving data from outside the
EU [Legislative Option 1] creates a risk of triggering reciprocal reactions from third
countries, with possible implications for the protection of the fundamental rights of persons
in the European Union, for instance as regards due process, data protection and privacy.
For companies, such a reciprocal reaction would exacerbate the already difficult conflict of
laws questions raised by requests for cross-border access to information. Given this
possibility, Cloudflare is of the opinion that the Commission should not move forward with
any proposal to allow EU countries to directly request or compel the provision of data
from outside the EU unless the non-EU service provider or data is located in a country
having a legal arrangement with the EU that permits such a request.

It is also not a given that legislation as described will provide more legal certainty or indeed
that access should become become more efficient and faster. Any process that does not
have the intervention and oversight of a national judicial authority related to a providers
main seat of business risks causing confusion and increased legal uncertainty. U.S.
companies currently rely on the MLAT process to determine whether particular electronic
records located inside the United States can be produced to foreign governments consistent
with U.S. law. This arrangement ensures that the U.S. government rather than U.S.
companies makes assessments about the validity of requests for information from
countries around the world. This certainty is important to Cloudflare.

We would note that in recognition of the need to expedite the existing process to access
information across borders, the U.S. Congress is currently considering several pieces of
legislation that would allow more direct requests for access to information while still
maintaining the U.S. Governments critical role. Under these legislative proposals, an entity
2


within the U.S. Government would determine whether particular countries satisfy certain
legal requirements and may request records. Cloudflare encourages the Commission to
engage with the United States to ensure such a framework is in place before requiring U.S.
companies to comply with government requests for data.

Cloudflare has considerable concerns about Legislative Option 2 (a legal framework for law
enforcement to access eEvidence without the cooperation of a service provider through a
seized device or an information system). Notwithstanding the reference to safeguards,
more clarity is needed as to when and how this scenario could occur and with what
justification.

Reference is made to initiating negotiations with key partners such as the U.S in order to
enable reciprocal cross-border access to eEvidence. More information should be presented
on this aspect, including timing. For example, will the negotiations with key
partners commence before any legislative measure is tabled, or will they operate in parallel
- and what impact would an unsuccessful outcome have?). Further, a full assessment of
risks in relation to third countries should be undertaken at the outset.

Finally, several references are made to cost savings and efficiency gains for the public sector
while a cost and compliance / administrative burden is identified for the private sector, in
particular for SMEs. This would indeed be the case for Cloudflare, should it fall within the
remit of the proposal and in particular if appointment of a European legal representative
was necessary. It is not clear what mitigating measures could be deployed.