[kall]

Do you mean it was the processing by Akamai, not Cookiebot that was problematic?

If so, that's my point. As far as I understand what Akamai does, they where probably just the conduit for establishing a TCP/IP connection to the Cookiebot service. The court neither felt the need to establish that Akamai stored the data, nor that it left the EU. The mere fact a non-EU company was involved in the connection was enough. I'm probably wrong, and I would like to know how, to maintain my sanity.

[marcosdumay]

> conduit for establishing a TCP/IP connection

You mean an ISP? No, Akamai isn't an ISP.

Cookiebot is unambiguously using its own trustworthiness to let Akami access their users' personal data. There's nothing fuzzy or dubious here.

The only news is that what many people expected to be perfectly legal, that is doing that with a confidentiality clause and never having the data leave the EU actually wasn't, because of a different detail.

[kall]

It‘s a CDN, so it very well may be a "conduit". Maybe they offer edge computing services, I don‘t know. I‘m almost certain they don‘t offer data processing services though. They provide hosting-like services and process data in the normal course of that operation.

If I serve images from Akamai (or Cloudinary, FileStack…). Do you think that‘s problematic?

Do you think apple is is deceiving me when I download a song from iTunes?

[marcosdumay]

> It‘s a CDN

Yes, the GDPR has rules that very clearly apply to CDNs, hosting providers, and etc.

What is new is that Akamai breaks those rules. I don't know the situation of the other ones you cite.