In decision SAN-2022-020 of November 10, 2022, made public on November 17, 2022, the French data protection authority (CNIL) found that the company Discord Inc. had failed to comply with several obligations under the GDPR and imposed a fine of 800,000 euros.
Discord is a voice over IP and instant messaging service (technology that lets users talk over the Internet through their microphone and/or webcam) in which users can create servers containing text, voice and video chat rooms.
Following inspections carried out by the CNIL, the authority found that the company had breached several of its obligations:
- Retention period (Article 5.1.e of the GDPR):
Discord indicated that it had no written data retention policy. The CNIL's findings confirmed that 2,474,000 French user accounts had not been used for more than 3 years and 58,000 accounts had not been used for more than 5 years. The company brought itself into compliance on this point during the procedure.
- Information obligation (Article 13 of the GDPR):
The information provided about retention periods stated neither specific periods nor the criteria used to determine them. Discord also brought itself into compliance on this point during the CNIL's investigation.
- Data protection by default (Article 25.2 GDPR):
The third breach concerns data protection by default. During the procedure, Discord nevertheless added a pop-up window that, the first time the window is closed, alerts users connected to a voice chat room that the Discord application is still running, and that this setting can be changed directly by the user.
- Data Security (Article 32 of the GDPR):
When creating an account on Discord, a password of six characters containing letters and digits was accepted. The panel considered that the password management policy was not sufficiently robust and binding to ensure the security of users’ accounts. The company did, however, take steps during the procedure to secure access to accounts.
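The password finding above is the kind of weakness a simple policy check exposes. The Python below is an added example, not Discord's code and not taken from the CNIL decision: it encodes the weak rule the decision describes (six characters mixing letters and digits) beside a stricter policy, so the gap between the two can be tested on sample passwords. The stricter thresholds (12 characters, three character classes, an estimated 60 bits of entropy, a short deny-list) are assumed illustrative values, not figures from the CNIL's published recommendation.

```python
import math

# Weak rule as described in the decision: six characters, letters plus digits.
WEAK_MIN_LENGTH = 6

# Stricter policy: these thresholds are ASSUMED values chosen for illustration,
# not the CNIL's recommended figures.
STRICT_MIN_LENGTH = 12
STRICT_MIN_CLASSES = 3
STRICT_MIN_ENTROPY_BITS = 60.0

# Constructed deny-list standing in for a breached-password corpus.
DENY_LIST = {"password1", "123456abc", "discord123", "qwerty123456"}


def character_classes(password: str) -> set:
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def estimated_entropy_bits(password: str) -> float:
    """Rough upper-bound entropy: length * log2(size of the implied alphabet).

    This overestimates for dictionary-based passwords, which is why the strict
    policy also consults a deny-list rather than relying on entropy alone.
    """
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
    alphabet = sum(sizes[c] for c in character_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def weak_policy_accepts(password: str) -> bool:
    """The rule the decision describes: >= 6 characters with letters and digits."""
    classes = character_classes(password)
    has_letter = "lower" in classes or "upper" in classes
    return len(password) >= WEAK_MIN_LENGTH and has_letter and "digit" in classes


def strict_policy_check(password: str) -> list:
    """Return the list of reasons the password is rejected (empty = accepted)."""
    reasons = []
    if len(password) < STRICT_MIN_LENGTH:
        reasons.append(f"length {len(password)} below minimum {STRICT_MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < STRICT_MIN_CLASSES:
        reasons.append(f"only {len(classes)} character class(es), need {STRICT_MIN_CLASSES}")
    bits = estimated_entropy_bits(password)
    if bits < STRICT_MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy {bits:.1f} bits below {STRICT_MIN_ENTROPY_BITS}")
    if password.lower() in DENY_LIST:
        reasons.append("password appears in deny-list")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords: the first two satisfy the weak rule.
    for candidate in ["abc123", "discord123", "Correct-Horse9Battery"]:
        print(candidate, "weak:", weak_policy_accepts(candidate),
              "strict:", strict_policy_check(candidate) or "accepted")
```

Running the block shows that "abc123" and "discord123" pass the weak rule yet fail the strict one on length, entropy and (for the second) the deny-list, while a long multi-class passphrase passes both.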
- Privacy Impact Analysis (Article 35 of the GDPR):
The final breach concerns the obligation to carry out a privacy impact assessment (“PIA”), which the company had considered unnecessary. The CNIL, however, considers that the company should have carried out such an assessment given the volume of data processed and the use of its services by minors. During the procedure the company conducted two PIAs, both of which concluded that the processing is not likely to give rise to a high risk to the rights and freedoms of individuals.
What to take away from this decision: it is important to:
- Define and apply a data retention policy;
- Follow CNIL’s recommendations on passwords;
- Keep and update a record of processing activities;
- Delete inactive customer accounts;
- Comply with the principle of “Privacy by Design”.