🚚📦 WeTransfer: when a simple TOS update raises a GDPR tsunami
On 15 July, WeTransfer discreetly slipped the following statement into its new TOS:
‘We may use your content to improve our machine learning models.’
⏱️ 24 hours later, in the face of an outcry from creatives, the phrase was removed and the company swore it had never trained AI on its users' files.
🤔 What's the problem with the GDPR?
1. Change of purpose
- Going from ‘simple file transfer’ to training AI models implies a new purpose.
- This requires clear information + explicit consent (art. 5 & 6).
2. Licensing of processing
- The text implied a ‘worldwide, free, irrevocable’ licence. For a B2B/B2C service, it is difficult to support the ‘legitimate interest’ basis without a solid balancing test.
3. Transfers outside the EU
- WeTransfer claims to use ‘trusted partners such as AWS’ to store files.
- If these servers are located or replicated in the 🇺🇸 US, the publisher must:
  1. rely on the Data Privacy Framework or up-to-date SCC + TIA,
  2. encrypt end-to-end OR obtain explicit consent.
4. Principle of minimisation & retention
- Modifying the TOS without reviewing the retention periods means running the risk of retaining data beyond what is necessary (art. 5-1-e).
5. Transparency & trust
- Any ambiguous clause will scare off customers, and trust is built first and foremost on the fine print.
⚠️ Specific risks
- Breach of the obligation of transparency → art. 12; fines of up to 2% of worldwide turnover.
- Processing without legal basis → art. 6; up to 4% of worldwide turnover.
- Unlawful transfer outside the EU (Schrems II) → suspension + administrative penalties.
- Infringement of intellectual property → civil actions by creators if their works feed an AI without authorisation.
✅ Things to do on the business side / DPO
1. Reread the TOS (and the history of versions).
2. Check the subcontractors: where is the data stored? What cryptographic guarantees are there?
3. Demand an E2E encryption option or use an EU-only service if your files are sensitive.
4. Update the transfer risk analysis (TIA) if you are staying with WeTransfer.
5. Inform your teams: a professional upload = a potentially non-compliant international transfer.