Essentially Dropbox is arguing that, due to the way they have implemented it, the feature does require this information sharing.
While it clearly could be implemented many different ways, and I agree Dropbox should do better in this case, I think this is one of the difficulties in enforcing something like GDPR. Almost anything could be made to work in an anonymous way, so where do you draw the line? When signing up for Facebook or an email account, for example, there is no reason they need my phone number. Sure, they say it is for password reset purposes, but there are other solutions for this, or I can simply agree not to be able to reset the password for that account... etc.
My point was that no, of course the feature doesn't require it, but their particular implementation of the feature does. For example, maybe they implemented per-user sharing first, which obviously would need to know who is accessing the document. Then they realized there are some use cases for sharing the document publically, but they basically just treated this (internally, i.e. according to their implementation) as a wildcard in the authentication portion. That is to say, the public sharing works exactly the same as the per-user sharing, but with a * in the "allowed users" field.
Clearly it doesn't have to and should not be this way. My point was that:
1. They are saying that their particular implementation did require it to be this way.
2. Almost every web app could be made to require less private data from the user, however if this is something that GDPR is going to enforce then there will end up being some subjective analysis (according to non-tech lawyers?) as to whether a particular implementation was in violation.
While it clearly could be implemented many different ways, and I agree Dropbox should do better in this case, I think this is one of the difficulties in enforcing something like GDPR. Almost anything could be made to work in an anonymous way, so where do you draw the line? When signing up for Facebook or an email account, for example, there is no reason they need my phone number. Sure, they say it is for password reset purposes, but there are other solutions for this, or I can simply agree not to be able to reset the password for that account... etc.