Akamai Blog | Akamai’s Compliance with Cross-border Transfer Laws
Akamai is compliant with applicable data privacy regulations in countries where we and our customers conduct business. This is a fundamental tenet of our company core values. After all, when you make life better for billions of people, billions of times a day, there’s an expectation that you will also protect their life online. And that is exactly what we do.
Recently, several court decisions, including a recent decision by an administrative court in Germany, have raised concerns among some EU customers regarding Akamai’s transfer of data outside the EU and whether those transfers comply with the General Data Protection Regulation (GDPR). We believe that they do, and I will address these concerns directly by sharing how Akamai complies with the law in handling customer and end-user data.
First, it is important to note that the German administrative court’s decision, including the injunction on transfers, has since been dismissed on appeal. Thus, there is currently no injunction against the data transfers under consideration. While proceedings are continuing, we believe strongly that our data practices will be deemed compliant.
Next, let me assure you that Akamai is now, and always has been, committed to full compliance with the GDPR, and with other data protection regulations in the jurisdictions in which we operate. This commitment is fundamental to the position of trust that we maintain with our customers. We continually analyze new legal developments and adapt as necessary to maintain compliance.
How Akamai complies with GDPR
At issue in these recent cases is the transfer of certain transaction and log data, including the IP addresses of end users, to systems in the United States. Akamai transfers such data for the purposes of service delivery, traffic and security analytics, and support. Akamai does not process this data in a manner to identify any individual. Indeed, Akamai does not collect in these logs data that identifies end users; identification of the end user is not required for these purposes. Thus, the privacy risk to individuals associated with these transfers is low. On the other hand, the performance and security services available to the customer as a result of these transfers help to eliminate internet risks to the end user and assist Akamai’s customers in compliance with their obligation to protect online personal data, as required by Art. 32 of the GDPR.
In addition, Akamai has taken the necessary steps to ensure that transfers of log data outside of the EU comply with GDPR obligations (e.g. compliance with Standard Contractual Clauses) and that our customers can safely conclude under the findings in the Schrems II case and the European Data Protection Board’s (EDPB) recommendations 01/2020 that transfer of the data to the United States does not present an undue risk to the rights and freedoms of any individuals. Following these EDPB recommendations, Akamai conducted a review of the safeguards we have in place to protect data transferred to the U.S., as well as the applicability of specific government surveillance laws to Akamai.
Government surveillance of personal data
Akamai is not generally subject to the laws discussed in Schrems II, in particular with respect to personal data that is part of a transaction between our customer and their customer (customer content data), and challenges law enforcement requests where they do not apply or are not legally sufficient. In the majority of cases, even when a request is legally appropriate, Akamai does not have the data requested. Law enforcement typically seeks to identify individuals associated with traffic to a given web site or application. Because we do not process data to identify individuals and do not collect data that would identify individuals, we simply respond that we do not have the data they seek, which normally concludes the request.
Beyond transaction and log data, Akamai handles customer content data, which may include personal data, as noted above. Customer content, however, is processed only to optimize and secure the traffic between our customer and their end user. Akamai does not collect, access or store customer content other than as minimally necessary to deliver and secure the traffic. Also, if a customer believes that customer content must be restricted to the EU, Akamai can provide appropriate solutions. Specifically, Akamai’s custom mapping solutions can be deployed to ensure that customer content data is transmitted only on Akamai servers deployed in the EU.
Appropriately handling data and ensuring privacy is a complex and critical process, and goes beyond the points I’ve described here. Much more about Akamai’s global data protection program and our approach to privacy and international data transfers is available in our Privacy Trust Center.
Maintaining our customers’ continued trust and confidence is our priority, and we encourage you to reach out to the Akamai Global Data Protection Office, privacy@akamai.com, with any questions or concerns.