Cloudflare is disappointed with the Senate’s actions, as we feel strongly that consumer privacy rights need to be at the forefront of discussions around how personal information is treated. The new regulations would have steered the U.S. closer to the privacy standards enjoyed by citizens in many other developed countries, rather than away from such rights.

Defaulting to an “opt-in” rather than “opt-out” standard would provide consumers with greater controls over how, when, and with whom their personal information is used and shared. We believe that individuals should have the last say on what is done with their personal information, rather than corporations.

Regardless of whether Washington ultimately decides to approve rolling back these regulations, Cloudflare will continue to prioritize the sensitivity and privacy of the data we handle from and on behalf of our customers, and to comply with applicable privacy regulations worldwide.

Beginning this summer, the U.S. Department of Commerce began accepting submissions to certify under the EU-U.S. Privacy Shield framework, a new mechanism by which European companies can transfer personal data to their counterparts in the United States. By certifying under Privacy Shield, Cloudflare is taking a strong and pro-active stance towards further protecting the security and privacy of our customers.

Since 1998, following the European Union’s implementation of EU Data Protection Directive 95/46/EC, companies in Europe wishing to transfer the personal data of Europeans overseas have had to ensure that the recipient of such data practices an adequate level of protection when handling this information. Until last October, American companies were able to certify under the U.S.-EU Safe Harbor Accord, which provided a legal means to accept European personal data, in exchange for assurances of privacy commitments and the enactment of specific internal controls.

However, after having been in effect for roughly fifteen years, in October 2015 the European Court of Justice overturned the Safe Harbor and declared that a new mechanism for transatlantic data transfers would need to be negotiated in light of changes in the way the Internet is used around the world. Authorities in Europe and the U.S. quickly accelerated discussions that had already been in process, with the result being the new Privacy Shield framework. This framework expands significantly upon the former Safe Harbor, improving and bolstering the privacy protections that Europeans can enjoy with respect to the handling of their personal data. While many of the obligations mandated by the Privacy Shield were already covered by the Safe Harbor, Privacy Shield greatly clarifies and builds upon the existing obligations of U.S. companies.

As a security company, the trust and safety of our customers is of paramount importance to Cloudflare. As such, we take our responsibility for, and commitment to, the privacy of our customers extremely seriously, and have strengthened our internal processes and controls to meet the new heightened requirements mandated by the European Commission. This includes updating our Privacy and Security Policy to provide additional details on what personal data we may collect and how it’s used. Although we’re a CDN, in many cases acting merely as a conduit for information inserted into our network by others, Cloudflare was certified under the U.S.-EU Safe Harbor Accord and complies with the new Privacy Shield Framework. In the event that you have any specific questions about the new Privacy Shield, more details can be found at privacyshield.gov/welcome or by reviewing our updated Privacy and Security Policy at cloudflare.com/security-policy.