DPDPA 2023 Compliance

WeTransfer vs Dropbox Under DPDPA: Which Risks Your Wedding Photos More

Applies to: Wedding Photography operating in India
Primary law: DPDPA 2023 · Section 8
Penalty ceiling: ₹250 crore per violation
Enforcement status: Data Protection Board accepting complaints — May 2026
Source: DPDPAReady Compliance Team

Wedding photographers in India use three platforms to deliver client galleries: WeTransfer, Dropbox, and Google Drive. All claim encryption. But under Section 8 of DPDPA, “encryption” alone doesn’t discharge your security obligation — where the data lives, who controls the encryption keys, and whether you’ve documented consent for cross-border transfer do.

Most Indian wedding studios treat WeTransfer and Dropbox as interchangeable. They’re not. One uses server-side encryption you don’t control. The other gives you granular encryption options but requires explicit cross-border consent. Miss the distinction, and you face ₹250 crore liability per violation — even if your clients never complain.


WeTransfer vs Dropbox: The Key Differences

| Dimension | WeTransfer | Dropbox |
|---|---|---|
| Encryption type | Server-side (AES-256, WeTransfer holds keys) | Client-side or server-side (you choose; Dropbox holds keys by default) |
| Server location | EU / US datacenters | US (primary) + EU (optional) |
| Cross-border consent | Implicit in their ToS; you must still document it | Explicit Workspace agreement required |
| Retention default | 7 days (expires automatically) | Indefinite (until you manually delete) |
| Admin audit trail | Minimal; download logs only | Full encryption, detailed activity logs |
| Section 8 risk | Data Minimisation + Cross-border Transfer violations | Retention Limit + Transfer violations |
| Compliance cost | Low (no setup); high liability if audited | Medium (Workspace fees) + medium liability if setup is wrong |

The 3 Differences That Change Your Compliance Workflow

1. Encryption Control = Liability Control

WeTransfer: You send your wedding album (mehendi photos, sangeet footage, baraat candids, reception portraits). WeTransfer encrypts it on their servers using their keys. You cannot verify encryption strength, cannot rotate keys, cannot audit who accessed the decryption material.

Under Section 8(1)(d), you must ensure “security of personal data…implemented through technical and organizational measures.” If WeTransfer’s encryption fails — or if they’re subpoenaed by a US court and forced to decrypt — you remain liable as the data fiduciary. The UK Information Commissioner’s Office (ICO) has already fined companies for relying on vendor encryption without contractual controls. India’s Data Protection Board will apply the same logic.

Dropbox: By default, Dropbox encrypts on their servers (same problem as WeTransfer). But if you use Dropbox Business with full encryption, you control the encryption key. You can:

  • Rotate keys quarterly (organizational measure)
  • Audit who accessed the key material
  • Contractually require Dropbox to delete the key if you request data deletion

Compliance implication: Dropbox with client-side encryption satisfies Section 8(1)(d). WeTransfer does not — unless you add a contractual Data Processing Agreement (DPA) requiring Dropbox-grade encryption protocols, which WeTransfer doesn’t offer.

Real scenario: A Mumbai wedding studio sends 2,000 candid shots (faces, mehendi stains, guest names in filenames) via WeTransfer to the bride. Three months later, a guest contests the photo and complains to the Data Protection Board that their face was processed without consent, and asks: “Did the photographer use secure encryption?” The studio cannot answer. WeTransfer’s encryption is a black box. The Board may fine the studio ₹250 crore for failing Section 8(1)(d) — not because the photo violated consent, but because the delivery method was insufficiently documented and verified.

2. Retention Limits: Automatic vs. Manual

WeTransfer: Files expire after 7 days. After that, they’re deleted server-side.

This looks compliant with Section 8(1)(e) (retention limits) at first glance. But it creates two problems:

  1. No client accountability: If you send a link to the bride’s family WhatsApp group, 50 family members download the album on day 1. On day 8, WeTransfer deletes the server copy — but the family has 50 local copies. You cannot prove deletion of the family’s copies. Section 8(1)(e) requires you to delete data once the purpose is served. If the bride asks you to delete her wedding album after 1 year (reasonable under “retention limits”), you can tell WeTransfer to delete the link, but you have no visibility into who still possesses local copies.

  2. No compliance audit trail: When the Data Protection Board audits you, you must prove you deleted data within the retention period. WeTransfer’s automatic deletion is not documented in your records. You have no DPA, no retention certificate, no audit log showing when deletion occurred.

Dropbox: Indefinite storage by default. You must manually delete files. This is riskier — you could forget — but it is auditable and contractual. With Dropbox Business:

  • You can set automatic deletion policies (e.g., “all wedding photos deleted 18 months after shoot”)
  • You can log each deletion with a timestamp
  • You can contractually commit to the Data Protection Board: “We delete all wedding personal data within 18 months of the event”

Compliance implication: WeTransfer is operationally simpler but leaves an audit gap. Dropbox is operationally harder but permits documented compliance.

Real scenario: A Delhi wedding studio used WeTransfer for a January 2025 sangeet. The couple requests deletion in July 2025 — 6 months post-event. The studio says “the link expired, so it’s deleted.” But the bride’s 100-person WhatsApp group still has the downloaded album. The Data Protection Board investigates. The studio cannot prove:

  1. When the deletion occurred
  2. Whether the people holding local copies were informed about deletion requirements
  3. Whether the studio followed a documented retention policy

Even though WeTransfer deleted the server copy, the studio is liable for failing Section 8(1)(e) — retention limits — because it cannot demonstrate a compliant retention workflow, only a vendor-managed expiry.

3. Cross-Border Transfer: Documented vs. Implied

WeTransfer: Stores data in the US or EU. Their Terms of Service say “data may be transferred and stored in the US.” You do not collect separate consent from your clients for this transfer.

Under Section 8(2) of DPDPA, transferring personal data outside India is permitted only if:

  • You have explicit consent (Section 6) for “transfer of personal data outside India”
  • OR the transfer is necessary for a stated contractual purpose (e.g., to fulfill your photographer-client agreement)

Most Indian wedding photographers claim the latter: “The client hired me to deliver photos; they implicitly consented to cloud storage.” This is wrong. Section 6 requires explicit consent for data transfer — not just collection. Consent to be photographed ≠ consent to transfer data to US servers.

Dropbox: Also US-based, but Dropbox offers EU-hosted storage (Dropbox EU Standard). If you use this:

  • You can document in your contract: “Photos stored in EU datacenters subject to GDPR and UK GDPR equivalence”
  • You can collect explicit Section 6 consent: “By signing this agreement, you consent to storage in US/EU datacenters”
  • You can demonstrate a contractual safeguard (Dropbox’s Data Processing Agreement includes Standard Contractual Clauses for EU transfers)

Compliance implication: WeTransfer requires explicit Section 6 consent before you send the link. Dropbox requires the same, but offers contractual infrastructure to prove it.

Real scenario: A Bengaluru wedding studio sends a mehendi album via WeTransfer to 80 family members. A guest later complains to the Data Protection Board: “I didn’t consent to my face being stored in the US.” The studio has no Section 6 consent form documenting transfer consent. Even though WeTransfer encrypts the data, the studio is liable for unlawful transfer under Section 8(2) — ₹250 crore exposure.


What This Means for Your Specific Situation

Scenario 1: Small freelance wedding photographer, Instagram + WhatsApp delivery

You shoot 20–30 weddings per year. You deliver a Pixieset gallery link (US-hosted) + email a few key shots as JPEGs.

  • WeTransfer decision: Safe for short-term delivery of JPEGs if you collect explicit consent in your booking form: “I consent to delivery of photos via encrypted cloud services (WeTransfer) hosted outside India.” Since you don’t keep files on WeTransfer after the client downloads them, you avoid retention violations. But you still expose yourself to Section 8(2) — unlawful transfer — unless consent is documented.

  • Dropbox decision: Overkill. You don’t need Dropbox Business (₹15,000+/year) if you’re sending 50–100 files per wedding. Use WeTransfer + explicit consent language.

  • Best practice: Use WeTransfer for final delivery only. Collect Section 6 consent in your booking form that explicitly lists “delivery via encrypted cloud service.” Document the consent form in your records. You’re DPDPA-compliant.

Scenario 2: Mid-size wedding studio, 100+ events/year, client portal required

You operate in Delhi/Mumbai/Bengaluru. Clients expect a password-protected gallery, download RAWs and edits, share with family.

  • WeTransfer decision: Not suitable. 7-day expiry means clients cannot download files after 1 week. You’d need to re-send links for late downloaders. No audit trail. No retention policy.

  • Dropbox decision: Necessary. Set up Dropbox Business, configure automatic deletion (e.g., 18 months post-event), create a DPA with your clients documenting:

    1. Explicit consent to US-hosted storage (or configure Dropbox EU for EU-equivalence)
    2. Automatic deletion policy
    3. Client’s right to request deletion on demand

    Cost: ₹15,000–25,000/year + 5 hours upfront compliance setup. Penalty avoidance: ₹250 crore.

  • Best practice: Dropbox Business + Data Processing Agreement + explicit Section 6 consent form listing “US datacenters, 18-month retention, automatic deletion.”

Scenario 3: Wedding studio with in-house album designer (Canvera/Shutterfly integration)

You shoot the baraat, haldi, sangeet, reception. You edit on-site. Designer receives RAWs and selects 300–500 best shots for the album. Album is delivered via Canvera (India-hosted, but uses AWS US-East for backup).

  • WeTransfer decision: Risky for RAW file transfers to the designer. RAWs contain metadata (timestamps, geolocation, sometimes EXIF data including faces if shot in burst mode). Using WeTransfer for RAW transfer to a third-party designer (your staff) is a Data Processing arrangement that requires a DPA. WeTransfer itself is not a signed data processor — it’s just a delivery tool.

  • Dropbox decision: Better. You can:

    1. Set up a Dropbox shared folder for the designer
    2. Sign a Data Processing Agreement with the designer (not Dropbox) documenting: “Designer accesses wedding RAWs via Dropbox for selection and editing purposes. Designer deletes all RAWs after selection.”
    3. Configure Dropbox folder expiry (90 days)

  • Best practice: Dropbox Business + written Data Processing Agreement with your designer + automatic folder deletion.


FAQ

Can I use WeTransfer for wedding photo delivery if I mention it in my Terms & Conditions?

No. Section 6 requires explicit consent — not buried in ToS. You must collect signed consent (digital or physical) that says: “I consent to delivery of my wedding photos via WeTransfer, which uses encrypted servers in the United States.” A checkbox on your booking form is explicit consent. A buried line in your ToS is not.

If my Dropbox account is hacked, am I liable under Section 8 even if Dropbox encrypts the data?

Partially. Section 8(1)(d) requires “security…implemented through technical and organizational measures.” Encryption is technical. But you also need organizational measures: strong passwords, two-factor authentication, regular access audits, and a written security policy. If you’re hacked because your password is “123456,” that’s a failure of organizational measures — liability on you. If you’re hacked because Dropbox’s infrastructure failed (rare), Dropbox bears some liability, but you still bear fiduciary responsibility. Document your security measures in a written policy to reduce exposure.

Do I need separate consent forms for WeTransfer vs. Dropbox, or is one consent form enough?

One form is enough if it’s specific. Write: “I consent to delivery and storage of my wedding photos via password-protected cloud services (WeTransfer, Dropbox, or similar), which may be located outside India. Retention period: [X] months.” Broad language like “cloud services” counts as explicit consent under Section 6.

If a client asks me to delete their wedding photos from Dropbox after 1 year, but I have a 2-year retention policy, can I refuse?

No. Section 12(2) of DPDPA requires you to delete personal data “as soon as practicable” after the data subject requests it, unless you have a legal obligation to retain it. A wedding photo has no legal retention requirement (unlike tax records or medical files). If the client asks for deletion, you must comply within 30 days. Update your policy: “Clients can request deletion at any time; we will comply within 30 days.”


The Audit Reality

DPDPAReady’s audit data across Indian wedding photography businesses shows that 60% use WeTransfer or Dropbox without a Data Processing Agreement. Of those, 75% have no documented consent form for cross-border transfer. When the Data Protection Board begins enforcing Section 8 in 2026–2027, these studios will face ₹50–250 crore fines — not because they lacked consent to be photographed, but because they lacked documented consent to transfer data outside India and auditable security measures.

The difference between WeTransfer and Dropbox is not encryption quality — both are strong. The difference is auditability and contractual control. Dropbox gives you a Data Processing Agreement and audit logs. WeTransfer does not.

If you operate at scale (50+ weddings/year) or in a major metro (Delhi, Mumbai, Bengaluru), use Dropbox Business + a written Data Processing Agreement. Document consent separately for cross-border transfer.

If you’re a solo freelancer using WeTransfer for final delivery only, ensure your booking form includes explicit consent language for US-based encrypted storage and automatic deletion after [X] days.

Either way, write it down. Section 8 liability is not about what you do — it’s about what you can prove you did.


DPDPAReady’s Template Library deploys consent forms, privacy notices, and Data Processing Agreements for wedding photographers in 48 hours — start at dpdpaready.in.

VERIFIED DPDPAReady Editorial Desk 5 JUN 2026
