Is Dropbox actually GDPR-compliant?
In the last part of our series on cloud services, third-country transfers and data protection, we take a look at the provider Dropbox. This is also a US company, which is why standard contractual clauses should be concluded and supplementary measures determined before it is used for the first time. It is also strongly advisable to carry out a data protection impact assessment and to conclude a works agreement. Having mainly looked at the legal framework in our previous articles, today we focus on the technical details. The question we ask: Dropbox and data protection, data protection and Dropbox, do they go together?
Dropbox Inc.
Dropbox is a file hosting service that has existed since 2007. Dropbox offers online data storage and the exchange of data between two or more users. Access to Dropbox is browser-based or via apps for various operating systems. Dropbox uses its own data centers for 90 percent of its storage capacity, while the remaining 10 percent is rented from AWS.
Dropbox and the GDPR
According to Dropbox, all uploaded data is encrypted with AES (256-bit key length) before being stored and is also encrypted in transit. However, the key remains in the hands of Dropbox, meaning that Dropbox has full plaintext access to the user's data, both in theory and in practice. Every Dropbox user should therefore take data protection into their own hands and encrypt their data themselves before uploading it, using state-of-the-art methods. This would achieve end-to-end encryption, but it would no longer be possible to share data with business partners.
To make it more difficult to hijack user accounts, Dropbox supports two-factor authentication. A serious data breach occurred in 2016 when unknown persons published more than 68 million Dropbox login details.
If a company decides to use Dropbox, a paid version (Dropbox Business) should definitely be selected. This offers a clear advantage in terms of data protection and data security. Otherwise, you are choosing to pay with your data. Who wants to do that with their business secrets?
Anyone seriously considering using Dropbox should also take a look at the white paper published by Dropbox itself on Dropbox Business security. This 47-page document explains the technical background and provides information on product and infrastructure security as well as data protection and compliance. Companies should not be afraid to ask Dropbox critical questions. For example, the white paper still refers to certification under the Privacy Shield, which the ECJ overturned a year and a half ago.
Conclusion
Dropbox can be used in compliance with the GDPR. In addition to the legal challenges (standard contractual clauses, carrying out a data protection impact assessment), particular attention should be paid to encryption. Companies should not rely on Dropbox's own encryption and should also encrypt their data themselves. Ideally, encryption and storage should be separated. Only with zero-knowledge encryption can Dropbox, data protection and GDPR be reconciled.
2B Advice will be happy to provide you with expert advice on how to reliably protect your data and business secrets from unauthorized access with Dropbox or other providers: +49 (228) 926165-100.