WeTransfer vs Dropbox for Wedding Photos Under DPDPA: Section 8 Security Comparison
| Applies to | Wedding photography businesses operating in India |
|---|---|
| Primary law | DPDPA 2023 · Section 8 |
| Penalty ceiling | ₹250 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — May 2026 |
| Source | DPDPAReady Compliance Team |
A Delhi-based wedding photographer shoots mehendi, sangeet, haldi, and baraat across three concurrent weddings in May. By reception day, she has 12,000 raw photos across three couples. She needs to deliver finals to each family by the following Wednesday. Her workflow: shoot RAW → cull → edit → upload to WeTransfer or Dropbox → share link via WhatsApp to the wedding planner.
The wedding planners in Mumbai and Bengaluru each forward the link to their respective couples’ WhatsApp groups. Some links get forwarded again to distant relatives. One of the haldi attendees downloads the full folder, extracts metadata (EXIF location, device serial), and complains to the Data Protection Board that the photographer processed his biometric data (facial features in the photos) without consent and failed to implement Section 8 security controls—specifically, uncontrolled link sharing, no access logs, no encryption-in-transit verification, and indefinite retention.
Under DPDPA Section 8, the platform you choose determines liability allocation. Most Indian wedding photographers believe “encrypted” platforms automatically shield them. They do not. Section 8 makes the data fiduciary (you, the photographer) responsible for security, access controls, and retention—regardless of the platform’s encryption or DPA language. The platform choice matters operationally, but compliance still falls on you.
This is where most wedding photography workflows fail. WeTransfer, Dropbox, and Google Drive have different access-control architectures, retention policies, and data residency rules. Picking the wrong one under DPDPA creates a gap between platform capability and legal obligation.
WeTransfer vs Dropbox vs Google Drive: The Key Differences
| Dimension | WeTransfer | Dropbox | Google Drive |
|---|---|---|---|
| Encryption in transit | TLS 1.2+ (256-bit SSL) | TLS 1.2+ (AES-256 at-rest) | TLS 1.3 + Google-managed encryption |
| Link expiry (default) | 7 days (editable to 30) | No automatic expiry; manual revoke only | No automatic expiry; manual revoke only |
| Access logging | None. No way to see who downloaded or when. | Yes. File activity tab shows download timestamp + IP. | Yes. Activity tab shows access timestamp + user. |
| Password protection | Optional (not default) | Optional (not default) | Optional; managed via Share settings |
| India data residency | NOT guaranteed. Servers in EU/US. | NOT guaranteed. Servers in US. | NOT guaranteed. Servers in US/EU. |
| Retention on deletion | User deletes = immediate removal | User deletes = 30-day trash, then permanent | User deletes = 30-day trash, then permanent |
| Section 8 DPA in DPDPA context | No DPDPA-specific DPA. Standard privacy policy only. | Has DPA. Does NOT address DPDPA Section 8 security thresholds. | Has DPA. Does NOT address DPDPA Section 8 security thresholds. |
The table shows a trap: Dropbox and Google Drive offer better access logging (a Section 8 requirement) than WeTransfer. Yet WeTransfer is often chosen because it feels “simple.” Simplicity is not a DPDPA defense.
The 3 Differences That Change Your Compliance Workflow
1. Access Logging and Audit Trail Requirements Under Section 8
Section 8 requires you to maintain records of who accessed personal data and when. This is a fiduciary obligation, not a platform courtesy.
WeTransfer has zero access logging. If a couple forwards their wedding photos to 50 relatives, you have no record of those 50 people. The Data Protection Board would ask: “How do you know who has seen the biometric data? How do you enforce retention limits if you can’t track access?” You cannot answer. This is a Section 8 violation regardless of WeTransfer’s encryption. The Board views the platform limitation as your choice, not your excuse.
Dropbox and Google Drive both log file downloads. When you share a link, you see: Guest A downloaded on June 2, 11:43 AM from IP 122.xxx.xxx.xxx. When the couple forwards the Dropbox link to relatives, you still see every access from the Dropbox-side analytics. You can document: “I shared with the couple on June 1. They accessed on June 1. The Data Protection Board can see I maintained an audit trail.”
In practice: If you use WeTransfer, you must maintain a manual shared-link log in a spreadsheet: couple name, WeTransfer link, date created, date accessed (self-reported or inferred). This is tedious but legally necessary under Section 8.
If you use Dropbox or Google Drive, the platform creates the audit trail for you. Compliance is cheaper (less manual overhead).
2. Link Expiry and Indefinite Retention Risk
Mehendi photos from June 2024. Still shareable in June 2026. Section 8 requires data minimisation and retention limits. If you can’t explain why a two-year-old haldi photo is still available for download, you’ve violated Section 8.
WeTransfer’s default is 7 days. After 7 days, the link dies. The wedding planner can extend to 30 days, but after that, the data is unrecoverable. From a compliance perspective, WeTransfer’s short default window helps with retention limits. The downside: couples often need access beyond 7 days (for album design, sharing with relatives overseas, etc.). You end up setting links to manual delete, which resets the clock.
Dropbox and Google Drive have no automatic expiry. A shared folder stays live until you manually revoke access. Many photographers leave wedding-client folders live “just in case” for a year or more. The Data Protection Board’s question: “Why does a three-year-old mehendi attendee’s biometric data still exist in your Dropbox? Who is accessing it? What is your retention justification?” Indefinite access is indefinite liability.
In practice: Use WeTransfer’s auto-expiry feature (set to 7 or 14 days). Once the couple receives finals and confirms download, the link dies. You’ve documented a retention window. For Dropbox/Google Drive, set a calendar reminder to revoke access 30 days after wedding delivery. Store the expiry date in your contract: “Client photos available for 30 days post-delivery via shared link; access revoked thereafter.”
3. Password Protection and Unauthorized Disclosure Risk
A baraat attendee receives wedding photos via a Dropbox link from the couple’s WhatsApp group. The link is unpassworded. He shares it in a public photography Facebook group: “Look at these amazing baraat shots.” 500 people now have access to biometric data of people who never consented to such disclosure.
Section 8 requires you to implement appropriate security measures to prevent unauthorized disclosure. Sharing an unpassworded link is arguably inadequate security, even if Dropbox’s transport encryption is strong.
WeTransfer: Password protection is optional and off by default. Most photographers don’t enable it because it adds friction (the couple has to enter a password to download). No password = higher unauthorized disclosure risk.
Dropbox/Google Drive: Password protection is available but also optional. If enabled, it must be set before the link is created. Couples often forward the password alongside the link, which defeats the purpose. But if you enforce a no-password-sharing rule in your client contract and educate clients, the password adds a layer of DPDPA-defensible security.
In practice: Use password protection on all three platforms. Communicate the password via a separate channel from the download link. Example: “Dropbox link sent via email. Password sent via SMS.” This prevents accidental password-link forwarding. Document this in your privacy notice: “Wedding photos are shared via password-protected links to prevent unauthorized disclosure.”
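An added example (not from the original article or from any platform's tooling): a small Python check over the shared-link register described in the three sections above. It flags links live past the retention window, missing passwords, passwords sent on the same channel as the link, and missing access records on platforms without logging. The CSV column names and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Retention windows taken from the article: 30 days for shared links,
# 60 days for the couple when vendors are also involved (Scenario B).
RETENTION_DAYS = {"vendor": 30, "couple": 60}
NO_PLATFORM_LOG = {"wetransfer"}  # per the comparison table: no access logging

# Constructed sample register; column names are assumptions for this example.
SAMPLE_REGISTER = """\
client,role,platform,delivered,revoked,password_set,link_channel,password_channel,access_noted
Couple A,couple,dropbox,2026-04-01,,yes,email,sms,
Couple A,vendor,dropbox,2026-04-01,,yes,whatsapp,whatsapp,
Couple B,couple,wetransfer,2026-05-20,,no,whatsapp,,
Couple C,vendor,gdrive,2026-03-01,2026-03-30,yes,email,sms,
"""

def audit_register(csv_text, today):
    """Return a list of (client, role, finding) tuples for rows needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        who = (row["client"], row["role"])
        delivered = date.fromisoformat(row["delivered"])
        deadline = delivered + timedelta(days=RETENTION_DAYS[row["role"]])
        end = date.fromisoformat(row["revoked"]) if row["revoked"] else today
        # Link live (or revoked late) beyond the documented retention window.
        if end > deadline:
            findings.append(who + (f"live past {deadline.isoformat()}",))
        if row["password_set"] != "yes":
            findings.append(who + ("no password",))
        elif row["link_channel"] == row["password_channel"]:
            # Password travelling with the link defeats the control.
            findings.append(who + ("password sent on same channel as link",))
        # Platforms without logs need a manual access entry in the register.
        if row["platform"] in NO_PLATFORM_LOG and not row["access_noted"]:
            findings.append(who + ("no access record",))
    return findings

if __name__ == "__main__":
    for finding in audit_register(SAMPLE_REGISTER, date(2026, 6, 2)):
        print(*finding, sep=" | ")
```

Run it against an export of your own register each week; every row it prints is a link to revoke, re-issue with a password, or annotate with an access record.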
What This Means for Your Specific Situation
Scenario A: You Are a Freelance Wedding Photographer in Mumbai
Workflow: Shoot weddings, deliver raw/edited files to couple within 7 days, couple forwards to vendors (album designer, video editor, makeup artist), then you delete from your server. You use WeTransfer because it’s free and “simple.”
The DPDPA problem: You have no audit trail of who accessed the photos. If a makeup artist’s employee downloads the photos and complains that they did not consent to biometric processing, you cannot prove how the photos left your control or who accessed them. WeTransfer’s lack of logging makes you liable for a Section 8 breach.
The compliance fix: Switch to Google Drive or Dropbox. Create a couple-specific folder. Share with the couple only (not the wedding planner or baraat team). Require the couple to authenticate with their own Google/Dropbox account. This creates an audit trail: “Couple A accessed on June 3, 10:15 AM.” Document this in your privacy notice. Set a 30-day expiry date and revoke access via calendar reminder. Cost: ₹0 if you already have a personal Google account, or ₹500/month for a Dropbox Professional plan if you need to store 100+ wedding projects.
Scenario B: You Are a Wedding Planner Coordinating 20 Vendors
Workflow: Photographer sends raw files via WeTransfer. You distribute to album designer, video editor, makeup artist, florist, and the couple. Each vendor accesses once, downloads, and stores locally. No one accesses the shared link again.
The DPDPA problem: You are now a data fiduciary under Section 8 (you processed personal data—the wedding attendees’ biometric features in the photos—by receiving, storing, and sharing them). WeTransfer is a platform you chose; it doesn’t absolve you of Section 8 liability. If any vendor complains that their consent was not obtained, they will also mention that you used an unsecured (unlogged) sharing method. Section 8 requires you to ensure vendors who receive data also comply. WeTransfer provides no proof of that.
The compliance fix: Use Dropbox or Google Drive with a DPA (Data Processing Agreement) addendum. Get written consent from the couple before sharing files with vendors. In the consent form, name the vendors: “Your photos will be shared with [Album Designer Name], [Video Editor Name], etc.” Require each vendor to sign a DPA acknowledging they will not further share without consent. Share the Dropbox folder link to vendors with password protection. Maintain an access log (screenshot the Dropbox activity tab monthly). After 30 days, revoke vendor access but keep the couple’s access for 60 days (per your client contract). Cost: ₹500/month Dropbox + 30 minutes to draft DPA template.
Scenario C: You Are a Corporate Events Photographer for a Delhi Offsite
Workflow: Shoot 500 photos at a 3-day offsite in Coorg. CEO wants the best 50 for LinkedIn. Other employees are in the background of many shots. You’ve never collected written consent. You upload to Google Drive, share with CEO and marketing team.
The DPDPA problem: You’ve processed biometric data (employee faces in offsite photos) without Section 6 consent. You’ve also failed Section 8 by not implementing role-based access controls. The Google Drive folder is shared with the entire marketing team; they can download, edit, and re-upload elsewhere. No way to track how many people touched the data or where it ended up. One employee complains: “My biometric data was processed without consent and then shared with an uncontrolled team.” Section 8 violation confirmed.
The compliance fix: Before the offsite, send employees a DPDPA consent form: “We will photograph the offsite. By attending, you consent to photographs being taken and used for [specify: internal LinkedIn post / internal newsletter / printed materials]. You can decline by replying ‘no photos’ before the event.” Collect 25–30 refusals (typical rate). On photo day, photograph only those who opted in. For LinkedIn photos, get explicit written consent from each person shown (separate from attendance consent). Store photos in Google Drive but share the folder only with the 3–4 people who need access (not the entire marketing team). Use Google Drive’s “restricted” sharing (no download permitted unless explicitly granted). Set a 60-day expiry reminder. Document all of this in your privacy notice. Cost: ₹0 (internal process change).
What Happens Without This Distinction
Scenario: A wedding photographer in Bengaluru uses WeTransfer for three years. She’s never kept access logs, never set link expiry, never password-protected links. On average, she shares 8 weddings per year = 24 wedding photo sets live on the internet with uncontrolled access.
In May 2026, a guest from a December 2023 wedding complains to the Data Protection Board. His face appears in candid haldi photos. He was never asked for consent. The photos were shared via an unpassworded WeTransfer link. The photographer cannot produce an audit trail (WeTransfer doesn’t provide one). She cannot explain why the photos are still accessible 30 months later (no retention policy documented). The Board investigates.
Board’s findings:
- Section 6 violation: Biometric data processed without consent. Penalty: up to ₹50 crore.
- Section 8 violation: No security controls (unlogged sharing platform, no password protection, no access audit). Penalty: up to ₹250 crore.
- Section 8 violation: No retention limit. Data kept indefinitely without justification. Penalty: up to ₹250 crore (separate violation).
The Board may issue a cease-and-desist order, fine between ₹50–₹250 crore, and mandate audit-trail documentation for all future projects.
⚠ Penalty exposure: Failure to implement Section 8 access controls and audit trails triggers penalties up to ₹250 crore per violation. Indefinite retention without justification is a separate violation. One complaint to the Data Protection Board is sufficient to initiate investigation.
Reality check: Most wedding photographers will not face the maximum penalty in a first enforcement action. But penalties are per-violation, not per-incident. If the Board finds 24 wedding sets with inadequate security (unlogged, unpassworded, with no retention limit), that could be 24 separate Section 8 violations. Realistic penalty range: ₹5–₹50 crore in a first enforcement action from a single complainant, rising to ₹100+ crore if the Board identifies multiple breaches.
FAQ
If I use Dropbox but the couple shares their password with 20 relatives, is that my Section 8 breach?
Partially. You have an audit trail showing the couple was the authorized recipient. You can document: “I shared with [couple name] on [date]. They accessed on [date]. I have no control over password sharing.” The Board may find you 30% liable (you should have warned against password sharing in your contract; you should have enforced no-sharing clauses). The couple bears 70% liability for unauthorized onward sharing. Mitigation: Add to your contract: “Shared links are for authorized recipient only. Forwarding to others without photographer consent voids Section 6 consent for those third parties.”
Does signing Dropbox’s DPA automatically make me DPDPA-compliant for Section 8?
No. Dropbox’s DPA covers Dropbox’s responsibilities under standard data protection law (GDPR, etc.). It does not address DPDPA Section 8 specific thresholds (audit trails, retention limits, minimisation). You must layer your own Section 8 compliance on top