In the light of Germany's latest GDPR stunt (tl;dr: court ruled using Google Fonts API to be violating GDPR and issued fine) are there any CDNs where you have the option to route traffic only through GDPR "safe" EU locations? Iirc BunnyCDN is EU based and KeyCDN is from Switzerland, but both still route your website's traffic also through non-EU countries in some cases, right?
"Luckily", I haven't been in the position where I actually "need" a CDN, as most of my website's visitors are Germans and speeds have been good enough for that.
My use-case for CDNs has mostly been limited to retrieving content from bootstrapcdn/jsdelivr etc.
However, just wondering what options are out there (for the future)? I remember someone on the green forums has a GitHub Project with a DYO-CDN kinda script. Forgot who it was, though. Would (setting up/looking for) a CDN that only routes traffic through EU servers even make sense performance-wise?
Comments
Most CDNs are using GeoDNS or Anycast or a combination of both.
None of these is accurate enough to prevent someone in the EU from being routed to Murica.
However, I don't think that there is any GDPR issue if you put your stuff on a CDN, it was Google-related and I am sure if so the judge would not press any charges, since it's technically impossible* to make sure 100% of the connections from within Europe will be routed to a CDN node within Europe.
*You could create a Europe only CDN, with only servers in Europe but this is fucking retarded.
Victor over at PushrCDN might be able to shed light on this- I have been in talks with him over a different matter, but worth a try in your case.
In Bunny you can select countries and redirect traffic to a specific zone/region. Or block countries altogether.
https://img.gaatha.net/EUyyUe
Or... create a subdomain on a EU shared host, pull the files from there.
I have been experimenting with image storage on Myw.pt and using Gumlet as CDN. Because I can play around with image parameters. Or scripts. Storage is on EU server, not sure about Gumlet POP.
Image at width=200, quality at 50%
Same image at width=500, quality at 80%
Same image with pad around
etc. Bunny also you can do the same but that is way more expensive than the USD 1 per month LE* price most of us pay
If you have the Shortpixel subscription you can get the same manipulations with images but not sure about POP for Gumlet.
Shouldn't you be able to select zones or areas with the CDN provider where your files would be served from?
Or do all CDN providers always give access to their complete CDN Network?
I've never used a CDN, so I don't know
I'd dare to say that the safest bet could be to use a European provider capable of giving you a DPA; bunnycdn does that, many EU and non-EU (yet established in the EU) providers offer some data processing addendum if you request it (e.g. Hetzner). Now, many US entities have an EU dept. (Amazon just to name one) and I don't think they'll be ruled to be in breach of GDPR just because the EU-USA Privacy Shield 2 Electric Boogaloo has been considered void; so it could or should be safe to pick a provider, established somehow in the EU, capable of offering a DPA. Imagine if Cloudflare was ruled to be an "illegal data exporter" (despite the data processing addendum) just because their address is "101 Townsend Street - San Francisco, CA 94107 - USA"... hard to believe it.
Some businesses have the additional request to have their data not just protected by DPO/DPA but physically hosted within the EU, with the guarantee it will never cross EU boundaries. That's anyway still an extravagant request for "soft PIIs" like IP addresses.
Given the extraterritorial scope of the GDPR, a GeoDNS configured to present visitors geolocated outside of the EU with a non-GDPR compliant website may be in breach of something, as long as there's no DPO/DPA considered "valid" if e.g. a German citizen visits.
I didn't hear about PushrCDN before. Will have a look.
BunnyCDN has some nice option there. So basically, I could block CDN for all people from Europe lol.. Then again, a subdomain seems somewhat more convenient to do and is what I had in mind. Funny enough, I also thought to do this on MyW, since my website is hosted there anyway. Hetzner Prem location. I'll just dump Google Fonts, Bootstrap, TailwindCSS and other stuff there and pull it, I think.
ShortPixel CDN uses Stackpath which goes around the world iirc
GDPR surely is a pita lol.
Seems like BunnyCDN offers an option for selection (see @vyas post). Besides CF, I never really used a CDN either. And CF was for blocking bad traffic back then.
Thanks for chiming in, mate. Yeah, I also would hope that this won't apply to Cloudflare and similar CDNs (not using it atm, but for the sake of sanity). BunnyCDN states they also anonymize any data/statistics/IPs and use Matomo for any stats. Sounds even better tbh. We'll see where all this goes.
I use StackPath CDN & believe it's GDPR compliant, even for Germany.
http://www.stackpath.com/gdpr/
14 locations, what are you waiting for? Happy to test out MikhoCDN (or MrVMCDN) when ready
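An added example, not part of the thread: before moving Google Fonts, Bootstrap and similar assets to your own subdomain as discussed above, it helps to list every third-party host a page makes the visitor's browser contact. The site name `example.org` and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that makes the browser fetch a resource (disclosing the visitor's IP).
FETCH_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src",
               "source": "src", "video": "src", "audio": "src"}
# <link> only triggers a connection for these rel values (canonical/alternate do not).
FETCHING_RELS = {"stylesheet", "preload", "modulepreload", "preconnect", "icon"}
# url(...) and quoted @import targets inside CSS.
CSS_URL = re.compile(r"""(?:url\(\s*['"]?|@import\s+['"])([^'")\s;]+)""", re.I)

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_style = tag == "style"
        rel = set((a.get("rel") or "").lower().split())
        if tag in FETCH_ATTRS and (tag != "link" or rel & FETCHING_RELS):
            if a.get(FETCH_ATTRS[tag]):
                self.urls.append(a[FETCH_ATTRS[tag]])
        self.urls += CSS_URL.findall(a.get("style") or "")  # inline style="..."

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls += CSS_URL.findall(data)

def third_party_hosts(html, site):
    """Map each host outside `site` (and its subdomains) to the URLs fetched from it."""
    collector = _Collector()
    collector.feed(html)
    found = {}
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative and data: URLs
        if host and host != site and not host.endswith("." + site):
            found.setdefault(host, []).append(url)
    return found

# Constructed sample page: two external hosts, one self-hosted subdomain.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="canonical" href="https://other.example.net/page">
<link rel="stylesheet" href="https://static.example.org/bootstrap.min.css">
<style>@import url("//cdn.jsdelivr.net/npm/x/y.css"); body{background:url(/bg.png)}</style>
<script src="/js/app.js"></script></head>
<body><img src="https://static.example.org/logo.png"></body></html>"""
```

This only sees static markup; resources loaded by scripts at runtime need a browser network trace to find.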