[greggman]

opting-out is not OK via the GDPR. Only Opt-In is allowed or at least that's my reading

GDRP section 32

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=15323486...

Am I mis-understanding?

[trampypizza]

You are correct, however this is for when consent is relied upon as the legal basis for processing.

My guess is that they are using provision of service as the legal basis for processing, whilst relying upon the "public interest" clause in the ToS to justify the sub-processing by the third party.

[detaro]

That doesn't work, you need to have a legal basis for all processing. It's hard to argue that operating the service requires this sort of research, so you need another basis.

There's some public interest exceptions, but from my knowledge it's not established that stuff like this would work under it.

[trampypizza]

Yes, you are correct. I think it would be extremely difficult to justify that this kind of processing was necessary for the provision of service.

It seems to me that an organisation the size of Dropbox would have a fairly watertight justification. However if the legal basis for processing is neither consent nor provision of service, then they must have done a pretty good job of obfuscating all PII (as the article says "...we and Dropbox employees could view no personally identifiable information.". If this is the case then this sharing of information may not even be in-scope of GDPR.

I'm not sure if the public interest exceptions would be a safe route to go down. The EU has made it clear that, like 'Legitimate Interest', the get-out-of-jail-free justification is going to be highly scrutinised.

EDIT: I have just seen that the article has been edited to say that the anonymisation and aggregation was carried out by Dropbox before being transferred to the third party, which kind of kills the discussion.