The General Data Protection Regulation came into force on May 25, 2018. Six years later, enforcement is more aggressive than ever. The Irish Data Protection Commission alone has issued over €4 billion in fines since 2018, with several cases directly involving cloud service providers and their data handling practices.
Yet most file sharing tools treat GDPR compliance as a checkbox exercise. They publish a privacy policy, offer a Data Processing Agreement on request, and point to their encryption page. The underlying architecture remains unchanged: the provider holds your encryption keys and can access your files at will.
Server-side encryption is not enough
GDPR Article 32 requires "appropriate technical measures" to protect personal data. Most providers interpret this as server-side AES encryption and TLS in transit. Technically accurate. Practically insufficient.
Server-side encryption protects against one specific threat: an attacker who steals hard drives from the data centre. It does not protect against a compromised admin account, an insider threat, or a government request to the provider. In all three scenarios, the provider decrypts the data and hands it over, because the provider has the keys.
Article 25 goes further, requiring "data protection by design and by default." A storage architecture where the provider can read customer files at any time is hard to square with that requirement. The Bavarian DPA made this argument explicitly in a 2023 advisory opinion on cloud services used by public sector bodies.
The data residency question
After the Schrems II ruling invalidated the EU-US Privacy Shield in 2020, data residency became a board-level concern for European organisations. Where are the servers? Which jurisdiction controls them?
Several major providers now offer "EU data residency" options, but the details matter. If the provider is a US-headquartered company, it may still be subject to FISA Section 702 or CLOUD Act requests, regardless of where the servers physically sit. The EU-US Data Privacy Framework, adopted in July 2023, addresses some of these concerns but has already drawn legal challenges.
For organisations handling sensitive data (medical records, legal files, financial documents), the safest position is to use a provider that is both EU-based and zero-knowledge. The first condition removes the jurisdictional risk. The second makes the jurisdiction question moot, because even if someone compels the provider to hand over data, there is nothing readable to hand over.
What a compliant architecture looks like
A file sharing provider that takes GDPR seriously should meet four criteria:
- Client-side encryption with keys the provider cannot access
- Data storage exclusively within the EU (or the customer's chosen jurisdiction)
- A signed DPA that specifies sub-processors, retention periods, and breach notification timelines
- Regular third-party audits (SOC 2 or ISO 27001) covering both the application and the infrastructure
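The gap between server-side encryption and the first criterion above can be shown in a small model. This is an added example, not Fileson's or any provider's code: the `Provider` class, its method names and the sample record are hypothetical, and the client key is assumed to be derived from a passphrase with scrypt.

```javascript
// Added example: a constructed model, not any provider's real code.
const crypto = require('node:crypto');

// AES-256-GCM; blob layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28)); // final() throws if key or data is wrong
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical provider. Everything stored on this object is reachable by an
// admin account, an insider, or a disclosure request served on the provider.
class Provider {
  constructor() { this.blobs = new Map(); this.kms = new Map(); }
  // Server-side encryption: plaintext arrives, the provider keeps the key.
  uploadServerSide(id, plaintext) {
    const key = crypto.randomBytes(32);
    this.kms.set(id, key);
    this.blobs.set(id, seal(key, plaintext));
  }
  // Client-side encryption: the provider only ever receives an opaque blob.
  uploadOpaque(id, blob) { this.blobs.set(id, blob); }
  // What the provider can produce using only what it holds.
  disclose(id) {
    const blob = this.blobs.get(id), key = this.kms.get(id);
    return key ? { readable: true, data: unseal(key, blob) }
               : { readable: false, data: blob };
  }
}

// Client side: the passphrase never leaves the device; the salt is not secret.
const deriveKey = (pass, salt) => crypto.scryptSync(pass, salt, 32);
const clientEncrypt = (pass, salt, pt) => seal(deriveKey(pass, salt), pt);
const clientDecrypt = (pass, salt, blob) => unseal(deriveKey(pass, salt), blob);

function demo() {
  const record = Buffer.from('constructed sample medical record');
  const salt = crypto.randomBytes(16);
  const p = new Provider();
  p.uploadServerSide('a', record);
  p.uploadOpaque('b', clientEncrypt('constructed passphrase', salt, record));
  return { serverSide: p.disclose('a'), clientSide: p.disclose('b'), salt, record };
}
```

In the server-side case `disclose` returns the plaintext record; in the client-side case it can return only the sealed blob, which is the property the jurisdiction argument above relies on.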
We built Fileson to meet all four from day one, not because the market demanded it in 2019, but because the regulation required it. Six years later, the market is catching up. The fines are getting larger, the enforcement actions more frequent, and the questions from procurement teams more pointed.
If your current file sharing provider holds your encryption keys, you have a compliance risk. It may be an acceptable one for your organisation. But you should know it exists, and you should make that choice deliberately rather than by default.