By: Paul Lanois
The French National Commission on Informatics and Liberty (CNIL) announced on 17 November 2022 that it had issued a fine of 800,000 euros on 10 November 2022 against Discord, Inc., for failure to comply with several GDPR obligations, particularly those concerning data retention periods and the security of personal data.
Discord offers an instant messaging service as well as voice over IP (chatting via microphone and/or webcam over the Internet), in which users can create servers and text, voice and video rooms. Discord is a company based in the United States. It does not have any establishment in the EU, but it does have an EU representative.
The issues identified by the CNIL are as follows:
- No retention period appropriate to the processing purpose (Article 5.1.e of the GDPR): According to the CNIL, the company did not have a written data retention policy, and the record of processing activities (ROPA) contained no information on retention periods. The company stated that its policy was to delete inactive accounts when it considered that the user had abandoned the account. According to the CNIL, there were 2,474,000 French user accounts in the Discord database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The company has since remedied this by putting in place a data retention policy, which includes deleting accounts after two years of user inactivity.
- Failure to provide data protection by default (Article 25.2 of the GDPR): When a user who is logged into a voice room closes the Discord application window by clicking the “X” icon at the top right of the window in Windows, the application is merely sent to the background and the user remains logged into the voice room. In Windows, however, clicking the “X” at the top right of the last visible application window exits the application for the vast majority of applications. Because the Discord app’s behavior differs from that of other apps, the CNIL stated that Discord should specifically inform users of this behavior.
- Failure to ensure the security of personal data (Article 32 of the GDPR): According to the CNIL, the password management policy was not sufficiently strong and restrictive to ensure the security of users’ accounts. A password of six characters including letters and numbers was previously accepted. The policy has since been changed to require at least 8 characters and to present a captcha after 10 unsuccessful login attempts.
- Failure to carry out a data protection impact assessment (Article 35 of the GDPR): The company considered it unnecessary to carry out a data protection impact assessment. The CNIL disagreed, given the volume of data processed by the company and the use of its services by minors.