On November 10, 2022, the French data protection authority, the CNIL, fined Discord €800,000 for failing to comply with several GDPR requirements, in particular those concerning data retention periods, the transparency principle, and the security of personal data.
Discord is a US-based instant messaging platform with over a hundred million users, especially popular with the gaming community. It allows users to create servers with text, voice, and video rooms and to chat via instant messaging, microphone, or webcam.
In 2020, the CNIL carried out an online investigation of the “discord.com” website and the Discord mobile application, followed by a documentary inspection of the company in the form of a questionnaire, which resulted in numerous exchanges with the company.
The CNIL concluded that the company had failed to meet several obligations under the General Data Protection Regulation (GDPR), finding breaches of Articles 5(1)(e), 12, 13, 21(1), 25(2), 32, and 35.
❌Failure to define and implement a data retention policy
During the investigation, Discord stated that it had no defined data retention policy, and its register of processing activities did not mention any retention period for the personal data it processed.
As a result, data had been kept since the launch of the Discord service more than six years earlier, and the company carried out no erasure or regular archiving of data at the end of any defined period.
The CNIL found that Discord's database held 2,474,000 accounts of French users that had not been used for more than three years and 58,000 accounts that had not been used for more than five years, without the company offering any specific explanation or justification for keeping these inactive accounts.
Discord's position was that, once a user creates an online account, the data is kept until the user deletes the account. However, it is common for users to stop using an account without ever deleting it.
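One way to implement the kind of retention schedule the CNIL found missing, as an added example that is not part of the original article and not Discord's own code: accounts are bucketed by inactivity, warned once an inactivity threshold is passed, and erased (or anonymised) once a grace period after the warning has elapsed. A second helper reproduces the sort of inactivity count the CNIL made. The policy periods, user IDs, and dates are assumptions chosen for illustration, not Discord's or the CNIL's figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionPolicy:
    warn_after: timedelta   # inactivity after which the user is warned of upcoming erasure
    grace: timedelta        # time between the warning and erasure of the account


@dataclass
class Account:
    user_id: str
    last_activity: date
    warned_on: Optional[date] = None  # date the inactivity warning was sent, if any


def classify(accounts: List[Account], today: date,
             policy: RetentionPolicy) -> Dict[str, List[str]]:
    """Sort accounts into the action the retention schedule requires today."""
    buckets: Dict[str, List[str]] = {"active": [], "warn": [], "pending": [], "erase": []}
    for acct in accounts:
        inactive_for = today - acct.last_activity
        if inactive_for < policy.warn_after:
            buckets["active"].append(acct.user_id)
        elif acct.warned_on is None:
            buckets["warn"].append(acct.user_id)      # send the inactivity warning now
        elif today - acct.warned_on >= policy.grace:
            buckets["erase"].append(acct.user_id)     # grace period over: erase or anonymise
        else:
            buckets["pending"].append(acct.user_id)   # warned, still inside the grace period
    return buckets


def inactivity_counts(accounts: List[Account], today: date,
                      thresholds: Dict[str, timedelta]) -> Dict[str, int]:
    """Count accounts inactive for longer than each threshold (cumulative counts)."""
    return {
        label: sum(1 for a in accounts if today - a.last_activity > limit)
        for label, limit in thresholds.items()
    }


# Constructed sample data: the policy periods, user IDs and dates are illustrative assumptions.
TODAY = date(2022, 11, 10)
POLICY = RetentionPolicy(warn_after=timedelta(days=2 * 365), grace=timedelta(days=30))
SAMPLE_ACCOUNTS = [
    Account("u1", date(2022, 10, 1)),                                # recently active
    Account("u2", date(2019, 6, 15)),                                # inactive, never warned
    Account("u3", date(2017, 1, 1), warned_on=date(2022, 9, 1)),     # warned, grace expired
    Account("u4", date(2020, 3, 1), warned_on=date(2022, 11, 1)),    # warned 9 days ago
    Account("u5", date(2016, 5, 1), warned_on=date(2022, 10, 20)),   # warned 21 days ago
]
THRESHOLDS = {"over_3y": timedelta(days=3 * 365), "over_5y": timedelta(days=5 * 365)}

if __name__ == "__main__":
    print(classify(SAMPLE_ACCOUNTS, TODAY, POLICY))
    print(inactivity_counts(SAMPLE_ACCOUNTS, TODAY, THRESHOLDS))
```

Running the sweep on the sample data puts u1 in `active`, u2 in `warn`, u4 and u5 in `pending`, and u3 in `erase`; the inactivity counts report three accounts idle for over three years and two for over five. The point of recording `warned_on` is that erasure is driven by a dated, auditable step rather than by whichever batch job happens to run, which is also what makes the retention period statable in a privacy notice.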
❌Failure to comply with the obligation to provide information
Article 13 of the GDPR lists the information that needs to be communicated when users’ personal data is collected directly from them.
Discord was obliged to inform users of the period for which their personal data would be stored or, where that is not possible, of the criteria used to determine that period; this information is necessary to ensure fair and transparent processing.
The CNIL found that the storage periods were stated only in generic terms, without specific periods or criteria for determining them, and therefore concluded that a breach of the obligation to inform was established.
❌Failure to ensure data protection by default
The investigation revealed that clicking the “X” icon does not exit the Discord application; the user must perform several further actions to actually quit.
The application is configured to remain active after the user closes its main window, so that voice communication can continue.
In Microsoft Windows, however, clicking the “X” at the top right of the last visible window exits the vast majority of applications.
Only a small indicator shows that the application is still running. That indicator sits in the notification area of the taskbar, at the bottom right of the screen in Microsoft Windows, which the CNIL considered to be “hidden”.
The CNIL concluded that this configuration was not designed to ensure data protection by default, and that it led to users' personal data being communicated to third parties over the voice channel when they believed they had left.
❌Failure to ensure the security of personal data
At the time of the online investigation, account creation on Discord accepted a password of six characters containing letters and numbers.
The CNIL judged Discord's password policy insufficiently strong to ensure the security of users' accounts.
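To make the weakness concrete, here is the six-character letters-and-digits rule beside a length-first policy with a breach denylist, as an added example that is not part of the original article and not Discord's own validation code. The thresholds (12 to 128 characters, at least 4 distinct characters) and the hard-coded denylist are assumptions for illustration; a real deployment would check against a breach corpus rather than a static set.

```python
import unicodedata

# Constructed denylist standing in for a corpus of known-breached passwords.
# Assumption: a real deployment would query a breach corpus (for example via a
# k-anonymity range lookup) instead of a hard-coded set.
DENYLIST = {"password", "123456", "qwerty", "abc123", "letmein", "discord1"}


def weak_policy_accepts(password: str) -> bool:
    """The rule the page describes: six characters with at least one letter
    and one digit is enough."""
    return (
        len(password) >= 6
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def strong_policy_reasons(password: str, min_length: int = 12,
                          max_length: int = 128, min_distinct: int = 4) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Assumption: thresholds are illustrative. The policy favours length and a
    breach denylist over character-class composition rules, and normalises
    Unicode so visually identical inputs are judged the same way."""
    pw = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(pw) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if len(pw) > max_length:
        reasons.append("longer than %d characters" % max_length)
    if pw.lower() in DENYLIST:
        reasons.append("on the denylist of common or breached passwords")
    if len(set(pw)) < min_distinct:
        reasons.append("fewer than %d distinct characters" % min_distinct)
    return reasons


def strong_policy_accepts(password: str) -> bool:
    return not strong_policy_reasons(password)


if __name__ == "__main__":
    for candidate in ("abc123", "Discord1", "aaaaaaaaaaaa", "correct horse battery staple"):
        print(repr(candidate), "weak:", weak_policy_accepts(candidate),
              "strong:", strong_policy_reasons(candidate))
```

Two things the comparison shows: the weak rule accepts "abc123" and "Discord1", both of which sit on any breach denylist, while the composition requirement makes it reject a long passphrase with no digit, so it is simultaneously too permissive and too restrictive. Password rules are only one part of what Article 32 asks for; rate limiting and lockout on the login endpoint matter as much, but they are outside what this page discusses.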
❌Failure to carry out a data protection impact assessment
Discord considered that it was not necessary to carry out a data protection impact assessment (DPIA).
The CNIL considered that the company should have carried out such an assessment, given the volume of data it processes and the use of its services by minors.
During the procedure, the company carried out two impact assessments, covering its service and its core services, which concluded that the processing is not likely to result in a high risk to individuals' rights and freedoms.
The CNIL explained that the breaches committed relate to fundamental principles of personal data protection and that five breaches had been established.
The amount of the fine took into account the breaches identified, the number of people affected (including minors), the efforts made by the company throughout the procedure to reach compliance, and the fact that its business model is not based on the exploitation of personal data.
Read the entire deliberation here: Deliberation of the restricted committee no SAN-2022-020 of November 10, 2022 concerning the company DISCORD INC.