Hybrid and Post-Quantum Computing
The WeTransfer Case: When Sharing a File Could Cost You Your Data
A recent issue with WeTransfer’s rules showed how easily your data, privacy, and ideas can be at risk when using file-sharing services.. In this piece, we unpack exactly what happened, the dangers of relying on third-party file-sharing services for corporate material, and how the right tools, such as OneDrive, SharePoint, Purview, DLP and sensitivity labelling offer the security your organisation is probably already paying for, but may not be using to its full potential.
The blind spot in “quick and easy” collaboration
Digital collaboration makes it fast and easy to work online. In minutes, hefty files can be sent to clients, partners or colleagues without the faff of couriers or clunky attachments. It’s no wonder services like WeTransfer have become the go-to: fast, simple and-on the surface-free.
But here’s the rub: in the race for convenience, we often sidestep due diligence. As we have discussed before, security is rarely just about firewalls and antivirus, it lives in the small print. And the recent WeTransfer saga is a textbook example.
In July 2025, WeTransfer changed its rules and added a section that gave it broad rights over your files. Cue uproar from the creative community. The backlash was swift, prompting WeTransfer to amend the wording and state categorically that it does not train AI models on user content.
For many, what had been an unconscious tick-box exercise agreeing to terms without a glance suddenly became a cautionary tale: one hasty click could compromise your data, your IP and your legal footing.
What happened with WeTransfer and why it set alarm bells ringing
The change and the chain reaction
The revised 6.3 clause granted WeTransfer a perpetual, worldwide, royalty-free, transferable and sublicensable licence to user content. It included rights to modify, reproduce, create derivative works and contentiously use that content to “improve our AI models”.
The reaction was instant:
- Filmmakers, photographers, designers and illustrators voiced their dismay on Reddit threads, LinkedIn posts and creative forums.
- Lawyers and privacy specialists flagged potential conflicts with copyright and data protection laws.
- Media outlets including The Guardian, El País and TechRadar covered the story, with headlines about “licence overreach” and “user content as AI training fodder”.
The public climb-down, but a lasting lesson
WeTransfer responded by:
- Removing the contentious AI references from clause 6.3.
- Stating publicly that it does not use customer content to train AI models or sell that content to third parties.
- Clarifying that any “derivative works” language applies solely to user feedback, not the files themselves.
Yet the damage was done. The episode reinforced a blunt truth: terms can change overnight, and those subtle edits can have significant legal and operational implications. If your business relies on external platforms for sensitive material, you need a process to spot and assess these shifts.
The structural risks of third-party platforms
- Mutable and ambiguous terms of service
A vaguely worded clause, accepted without scrutiny, can grant a provider rights you’d never knowingly sign away. The WeTransfer incident made that risk tangible.
- Lack of corporate-grade audit trails
Many consumer-oriented sharing services don’t offer unified audit logs, central reporting or fine-grained access histories all essentials for compliance, forensics and incident response.
- Uncontrolled link sharing
Links are often open by default, with no expiry date and no requirement for authentication. That’s the polar opposite of the “least privilege” principle and undermines a Zero Trust posture.
- Misalignment with the UK GDPR (and other regimes)
Under UK GDPR and similar legislation, principles such as purpose limitation, data minimisation and integrity and confidentiality demand you control who can access data, why, how and for how long. Third-party services outside your governance perimeter make this harder to enforce and evidence.
The better alternative: your own cloud isn’t just convenient, it’s secure
If your organisation runs on Microsoft 365, you already have powerful, secure file-sharing options built-in. And they’re worlds apart from public file-drop services.
OneDrive and SharePoint as your “digital vaults”
- Encryption: Data is encrypted both in transit and at rest, ensuring confidentiality even in the event of unauthorised server access.
- Sensitivity labels (Purview): Classify files as “Confidential”, “Internal” or “Public”, with automatic application based on content detection and direct integration into Word, Excel, PowerPoint and PDF workflows.
- Label-based protection: Restrict printing, downloading, forwarding; enforce encryption even beyond your network.
Data Loss Prevention (DLP)
- Identify and block sensitive patterns such as card numbers, NI numbers or bank details.
- Prevent accidental (or deliberate) sharing of regulated data outside approved channels.
- Enforce compliance without relying on user discretion.
Unified audit logging
- Track who accessed, edited or shared files, when and from where.
- Critical for audits, investigations and demonstrating compliance.
Controlled external sharing
- Share via named-recipient links with defined expiry dates.
- Set granular permissions (“view only”, “edit”, “specific people”).
- Disable anonymous links on sensitive sites.
- Require MFA or compliant devices for access.
- Practical policy and rollout guide
- Recommended corporate policy
- Avoid third-party sharing platforms for corporate content unless approved by InfoSec or Compliance.
- Default to OneDrive/SharePoint for all sharing, with expiry dates and restricted recipients.
- Classify files with sensitivity labels, applying encryption as required.
- Implement DLP to detect and block inappropriate sharing.
- Audit sharing activity on a routine basis.
- Educate staff, especially creative and operational teams on secure sharing practices and contractual risks.
Quick-win IT checklist
- Publish a label taxonomy (Public, Internal, Confidential, Restricted).
- Enable auto-labelling for sensitive data patterns.
- Configure DLP to block high-risk sharing.
- Tighten site-level sharing settings.
- Enable alerts for mass downloads or creation of “anyone” links.
- Share a simple “how to share securely” guide with all staff.
- Review third-party tool usage and archive current T&Cs for reference.
Key takeaways from the WeTransfer saga
- Monitoring terms matters: Changes to service terms can open new risk channels overnight.
- Free and “frictionless” isn’t free: The cost might be hidden in the fine print.
- Process and culture are as important as tech: You can’t firewall your way out of poor governance.
- You’re already paying for world-class tools: It’s a false economy to risk your data on ungoverned platforms.
End of the Story
The WeTransfer affair isn’t about “bad actors”; it’s about digital maturity. Corporate security blends technology, process and awareness. If you’re already licensed for Microsoft 365, don’t take unnecessary risks: keep file sharing within your tenant, apply governance controls and maintain an audit trail.
Before you hit “send” or “share”, ask yourself:
- Who else could see this file?
- For how long will it be accessible?
- Do the terms genuinely protect my content?
- Or could I keep it within my organisation’s cloud, with encryption, labelling, tracking and DLP?
At Asygma, we believe security is productivity with smart governance. If you need to implement sensitivity labels, DLP, secure link policies or train your teams to meet UK GDPR standards we’re here to help.
References
The Guardian – “WeTransfer says user content will not be used to train AI after backlash” (16/07/2025) – https://www.theguardian.com/technology/2025/jul/16/wetransfer-user-content-ai-artificial-intelligence
El País – “WeTransfer usará los documentos de los usuarios para entrenar su IA” (15/07/2025) – https://elpais.com/tecnologia/2025-07-15/wetransfer-usara-los-documentos-de-los-usuarios-para-entrenar-su-ia.html
TechRadar – “WeTransfer issues flurry of promises that it’s not using your data to train AI models after backlashed new terms of service” (17/07/2025) – https://www.techradar.com/computing/artificial-intelligence/wetransfer-issues-flurry-of-promises-that-its-not-using-your-data-to-train-ai-models-after-its-new-terms-of-service-aroused-suspicion
WeTransfer – Terms of Service (PDF, 15/07/2025) – clause 6.3 and Feedback section – https://wetransfer.com/legal/terms
Microsoft Learn – Purview, OneDrive, SharePoint documentation – https://learn.microsoft.com/en-gb/microsoft-365/compliance/
UK GDPR – principles of purpose limitation, data minimisation, integrity and confidentiality – https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
Glossary
- Clause 6.3 (Terms of Service) – The section defining rights granted to the provider over uploaded content.
- Perpetual licence – A right that does not expire.
- Royalty-free – Use without ongoing payments or royalties.
- Derivative works – New creations based on existing material.
- AI/ML models – Artificial Intelligence / Machine Learning systems that learn from data.
- Sensitivity labels – Classifications that enforce encryption and access control.
- Data Loss Prevention (DLP) – Policies that detect and block the sharing of sensitive data.
- Unified audit log – A central record of user and admin actions across Microsoft 365.
- UK GDPR – UK’s data protection framework, retained from EU GDPR post-Brexit.
- Zero Trust – A security model assuming no user or device is inherently trustworthy.
Want to know if your business is ready for what’s next?
Let’s talk. The future is coming, but you don’t have to face it alone.
