Is Dropbox actually GDPR-compliant?
In the last part of our series on cloud services, third-country transfers and data protection, we take a look at the provider Dropbox. This is also a US company, which is why standard contractual clauses and supplementary measures should be determined before first use. A data protection impact assessment is urgently recommended, as is the conclusion of a works agreement. After our previous articles focused primarily on the legal framework, today we focus on the technical details. We ask ourselves: Dropbox and data protection, data protection and Dropbox - do they go together?
Dropbox Inc.
Dropbox is a file hosting service that has existed since 2007. Dropbox offers online data storage and the exchange of data between two or more users. Access to Dropbox is browser-based or via apps on various operating systems. Dropbox uses its own data centers for 90 percent of its storage capacity, while the remaining 10 percent is purchased from AWS.
Dropbox and the GDPR
According to Dropbox, all uploaded data is encrypted with AES (256-bit key length) before being stored and is also encrypted in transit. However, the key remains in Dropbox's hands, meaning that Dropbox has full plaintext access to the user's data, in theory and in practice. Every Dropbox user should therefore take data protection into their own hands and encrypt their data themselves, according to the state of the art, before uploading it. This would achieve end-to-end encryption, but it would no longer be possible to share data with business partners through Dropbox.
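What "encrypting yourself before uploading" looks like in practice, as an added example that is not Dropbox's code or part of the original article: the client generates a 256-bit key that never leaves its own custody, seals each file with AES-256-GCM, and hands only the sealed blob to the storage provider. The provider sees no plaintext, and without the key the blob cannot be opened or silently altered. The key handling (a locally generated random key) and the sample document are assumptions for the demonstration; in a real deployment the key would be kept in a password manager, a key-management service or an HSM, and sharing a file would mean sharing the key with the partner out of band.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes, i.e. AES-256, the same key length Dropbox uses server-side.
const KeySize = 32

// NewKey generates a random 256-bit key. It stays on the client (assumption:
// stored in a password manager, KMS or HSM) and is never sent to the provider.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// Only this output is uploaded, so the storage provider never sees the plaintext.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; GCM nonces must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and authentication tag to the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key or a tampered blob fails GCM authentication,
// so the client notices modification as well as loss of confidentiality.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, _ := NewKey()
	// Constructed sample document standing in for a file about to be synced.
	doc := []byte("Q3 pricing proposal - internal")
	blob, _ := Seal(key, doc)
	fmt.Printf("uploaded %d bytes; plaintext visible in blob: %v\n", len(blob), bytes.Contains(blob, doc))
	back, _ := Open(key, blob)
	fmt.Printf("decrypted locally: %q\n", back)
	// The provider (or anyone without the key) cannot open the blob.
	otherKey, _ := NewKey()
	_, err := Open(otherKey, blob)
	fmt.Println("open without the right key:", err)
}
```

The design point is the separation the article asks for: the provider stores and syncs bytes it cannot read, and the authentication tag means it also cannot alter them unnoticed. What the provider does still see is metadata (file sizes, names, timing), which client-side encryption of file contents alone does not hide.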
To make it more difficult to hijack user accounts, Dropbox supports two-factor authentication. A serious data breach occurred in 2016, when unknown persons published the login credentials of more than 68 million Dropbox accounts.
If a company decides to use Dropbox, a paid version (Dropbox Business) should definitely be selected. This offers a significant advantage in terms of data protection and data security. Otherwise you are choosing to pay with your data. Who wants to do that with their business secrets?
Anyone seriously considering using Dropbox should also take a look at the white paper published by Dropbox itself on Dropbox Business security. This 47-page document explains the technical background and contains statements on product and infrastructure security, data protection and data security, and compliance. Companies should not be afraid to ask Dropbox critical questions. For example, the white paper still refers to an existing certification under the Privacy Shield, which, as is well known, was overturned by the ECJ a year and a half ago.
Conclusion
Dropbox can be used in compliance with the GDPR. In addition to the legal challenges (standard contractual clauses, implementation of a data protection impact assessment), special attention should be paid to encryption. Companies should not rely on Dropbox's own encryption and should also encrypt their data themselves. The ideal solution is to separate encryption from storage. Only with so-called zero-knowledge encryption can Dropbox, data protection and the GDPR be brought into harmony.
2B Advice will be happy to provide you with expert advice on how to reliably protect your data and business secrets from unauthorized access with Dropbox or other providers: +49 (228) 926165-100.