Whether one agrees with the policy aims of the OSA or not, there are some complex jurisdictional and enforceability issues at play here. Unfortunately it’s not as simple as you make out.
Still, not quite.
Servers in the UK ≠ targeting the UK – courts on both sides of the pond will ask whether the operator directed activity at the forum. Merely serving content from UK edge nodes because a CDN optimises latency is usually incidental and does not, by itself, show a «manifest intent» to engage with UK users. There is an established precedent in the US[0].
If a UK-established CDN processes personal data at UK nodes, the CDN itself may be subject to UK GDPR. That does not automatically drag a non-UK website operator into UK GDPR unless it offers services to or monitors people in the UK. Accessibility or passive CDN caching alone is insufficient. And modern UK statutes mirror this; for example, the Online Safety Act bites where a service has a significant number of UK users or targets the UK – not simply because a CDN happens to serve from UK equipment. From the horse's mouth: https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c...
Then there is a nuance – explictly configured Cloudflare (1) vs automatic «nearest-edge» (2) selection:
1. Explicit UK-favouring config (for example, rules that prioritise UK-only promotions, UK-specific routing or features tailored for UK users) is a relevant signal of targeting, especially when combined with other indications such as UK currency, UK-specific T&C's, UK marketing or support. In EU/UK consumer cases the test is whether the site is directed to the state – a holistic, fact-sensitive enquiry where no single factor is decisive.
2. Automatic «nearest-edge» selection provided by a CDN by default is a weak signal. It shows global optimisation, not purposeful availment of the UK market. US targeting cases say much the same: you need directed electronic activity with intent to interact in the forum; mere accessibility and generic infrastructure choices are not enough.
[0] https://law.justia.com/cases/federal/appellate-courts/F3/293...
I am no fan of the OSA but this spat is also not showing 4chan or its fan-base to be particularly mature or legally savvy (quelle surprise).
I.e., if a machine (the Cloudflare control plane) elects to route traffic through an edge node within the UK as an optimisation measure, such an act does not, in itself, constitute the possession of equipment within that jurisdiction — nor would it be readily ascertainable before a court of law.
Historically speaking, the Ofcom/UK approach is orthodox rather than novel. Ofcom’s sequence – information notices, process fines for non-response, then applications to court for service-restriction and access-restriction orders that bind UK intermediaries – is a modern, statute-bound version of a very old playbook. If a service has no UK presence and refuses to engage, the realistic endgame is to pressure UK-based points of access rather than to extract cash from an foreign entity.
What is new is the medium and the safeguards, not the underlying logic: regulate the domestic interface with out-of-jurisdiction speakers.
