The CNIL has just imposed a heavy fine on Discord. The communication platform, which did not comply with the GDPR for the retention and protection of personal data, nevertheless corrected its errors quickly.
Discord, the instant messaging service that allows group discussions in text, audio and video via private rooms, has been rapped on the knuckles. The National Commission for Computing and Liberties (CNIL) announced this Thursday, November 17, that it had noted no fewer than five breaches of the obligations imposed by the General Data Protection Regulation (GDPR), in particular regarding the retention period and the security of users’ personal data. The platform, which has several hundred thousand members following its explosion in popularity during the Covid-19 crisis, nevertheless showed goodwill and cooperation during the procedure by correcting what it was accused of, which led the CNIL to impose a fine of “only” 800,000 euros.
Discord: personal data kept too long
The first problem pointed out by the CNIL concerns the data retention period, which must be adapted to the purpose, as indicated in Article 5.1 of the GDPR. However, it discovered that Discord did not delete the accounts of its inactive users and had not even really considered the question. During its investigation, it found nearly 2.5 million accounts that had been inactive for three years, plus 58,000 accounts that had been inactive for more than five years. That adds up, especially since the GDPR specifies that personal data collected may only be kept “for a period not exceeding that necessary for the purposes for which they are processed”.
Moreover, since Discord had no written data retention policy at all at the time of the inspection, the firm also breached Article 13 of the GDPR concerning the information obligation. The data retention periods were not precise, and there were not even criteria to determine them. Discord, however, made amends by solving the problem. The platform now has a written data retention policy, which provides for the automatic deletion of accounts after two years of inactivity.
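The retention rule described above (automatic deletion after two years of inactivity) is the kind of policy that is easy to state and easy to forget to enforce. The following is an added example, not Discord's code and not from the CNIL decision, showing how a defender might implement such a sweep: accounts past the limit are selected for deletion, accounts approaching it are selected for a warning notice, and a reporting helper counts accounts by inactivity bucket (the three-year and five-year buckets mirror the figures the CNIL cited). The account records, the reference date and the 30-day warning window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention limit the article says Discord adopted after the inspection:
# accounts are deleted after two years of inactivity. Expressed in days here.
INACTIVITY_LIMIT = timedelta(days=2 * 365)

# Assumed operational choice (not from the article): warn the user this many
# days before an inactive account becomes eligible for deletion.
WARNING_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Account:
    user_id: str
    last_active: date  # date of the last login or other activity


def inactive_for(account: Account, today: date) -> timedelta:
    """How long the account has been inactive as of `today`."""
    return today - account.last_active


def select_for_deletion(accounts, today: date, limit: timedelta = INACTIVITY_LIMIT):
    """Ids of accounts whose inactivity exceeds the retention limit."""
    return sorted(a.user_id for a in accounts if inactive_for(a, today) > limit)


def select_for_warning(accounts, today: date, limit: timedelta = INACTIVITY_LIMIT,
                       window: timedelta = WARNING_WINDOW):
    """Ids of accounts that will cross the limit within the warning window."""
    lower = limit - window
    return sorted(a.user_id for a in accounts
                  if lower < inactive_for(a, today) <= limit)


def inactivity_buckets(accounts, today: date, thresholds_years=(3, 5)):
    """Count accounts inactive for more than each threshold, in years.

    Useful for the kind of audit figure a supervisory authority asks for
    ("how many accounts have been inactive for more than N years?").
    """
    counts = {}
    for years in thresholds_years:
        limit = timedelta(days=years * 365)
        counts[years] = sum(1 for a in accounts if inactive_for(a, today) > limit)
    return counts


# Constructed sample data: five accounts with assorted last-activity dates,
# evaluated as of the date of the CNIL announcement.
TODAY = date(2022, 11, 17)
SAMPLE_ACCOUNTS = [
    Account("u1", date(2022, 10, 1)),   # recently active
    Account("u2", date(2020, 6, 1)),    # ~2.5 years inactive
    Account("u3", date(2019, 1, 15)),   # ~3.8 years inactive
    Account("u4", date(2016, 3, 3)),    # ~6.7 years inactive
    Account("u5", date(2020, 11, 20)),  # 727 days inactive: inside the warning window
]


if __name__ == "__main__":
    print("delete:", select_for_deletion(SAMPLE_ACCOUNTS, TODAY))
    print("warn:  ", select_for_warning(SAMPLE_ACCOUNTS, TODAY))
    print("audit: ", inactivity_buckets(SAMPLE_ACCOUNTS, TODAY))
```

The sweep is deliberately split into a selection step and (elsewhere) an action step, so the deletion list can be logged and reviewed before anything irreversible happens, and the audit helper produces the per-threshold counts a written retention policy should be able to report on demand.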
Personal data on Discord: protection considered too light
The other major black mark raised by the CNIL concerns the protection of the platform users’ personal data. Article 25.2 of the GDPR provides for the obligation to guarantee data protection by default. However, in some cases, the behaviour of the application contravenes this, because it does not always close completely despite appearances. When a user connected to a voice channel closes the application window by clicking the cross at the very top right of the desktop software, he generally expects to quit everything. In reality the window only disappears and the application keeps running in the background, so the user is still connected to the voice chat and can be heard without being aware of it. The CNIL considers that the firm had to inform the user. This is now done: a pop-up window warns that the application is still running and that the user is therefore still connected to the voice channel.
Discord’s requirements for creating a password were also deemed insufficient. The platform required only a minimum 6-character password containing letters and numbers. Measured against Article 31 of the GDPR, that is neither strong nor binding enough to guarantee the security of user accounts. Again, the company has taken measures. It now requires a minimum 8-character password with at least three of the four character categories: lowercase letters, uppercase letters, digits and special characters. In addition, after ten unsuccessful login attempts, it requires solving a CAPTCHA, either a check box (to prove the user is not a robot) or an image selection (such as “click on all images showing a lion”). Finally, the firm had never carried out a data protection impact assessment, simply judging that it was not necessary. However, as Article 35 of the GDPR indicates, it should have carried one out, given the volume of data processed and the use of its services by minors. It therefore carried out not one but two impact assessments, which concluded that the data processing operated by Discord is not likely to generate a high risk for the rights and freedoms of individuals. Phew!
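The two account-security changes described above, the stricter password rule and the CAPTCHA gate after ten failed logins, are simple to encode once they are written down as policy. The following is an added example, not Discord's own code and not taken from the CNIL decision: it puts the weak setting beside the corrected one, modelling the old “6 characters, letters and numbers” rule as a minimum of two character categories (an approximation, since the article does not say exactly how the old rule was enforced), and it tracks failed attempts per user so that a CAPTCHA is demanded from the tenth failure onward. Policy names, the `LoginGuard` class and the sample passwords are constructed for the example.

```python
from dataclasses import dataclass

# The four character categories the article lists for the new rule.
CATEGORIES = ("lower", "upper", "digit", "special")


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_categories: int  # how many of the four categories must be present


# Weak setting before the inspection: 6 characters, letters and numbers.
# Approximated here as "at least two of the four categories".
OLD_POLICY = PasswordPolicy("old", min_length=6, min_categories=2)

# Corrected setting: 8 characters, at least three of the four categories.
NEW_POLICY = PasswordPolicy("new", min_length=8, min_categories=3)

# Number of failed logins after which a CAPTCHA is required (from the article).
CAPTCHA_AFTER_FAILURES = 10


def character_categories(password: str) -> set:
    """Return the set of character categories present in the password."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")
    return found


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    present = character_categories(password)
    if len(present) < policy.min_categories:
        problems.append(
            f"uses {len(present)} of {len(CATEGORIES)} character categories, "
            f"needs at least {policy.min_categories}")
    return problems


class LoginGuard:
    """Per-user failed-login counter that gates further attempts behind a CAPTCHA."""

    def __init__(self, captcha_after: int = CAPTCHA_AFTER_FAILURES):
        self.captcha_after = captcha_after
        self._failures = {}

    def record_failure(self, username: str) -> int:
        """Register a failed attempt and return the running failure count."""
        self._failures[username] = self._failures.get(username, 0) + 1
        return self._failures[username]

    def record_success(self, username: str) -> None:
        """A successful login clears the counter for that user."""
        self._failures.pop(username, None)

    def captcha_required(self, username: str) -> bool:
        """True once the user has reached the failure threshold."""
        return self._failures.get(username, 0) >= self.captcha_after


if __name__ == "__main__":
    # Constructed sample passwords, checked against both policies.
    for candidate in ("abc123", "password1", "Tr0ub4dor!"):
        for policy in (OLD_POLICY, NEW_POLICY):
            verdict = check_password(candidate, policy) or ["ok"]
            print(f"{candidate!r} under {policy.name} policy: {verdict}")

    guard = LoginGuard()
    for _ in range(CAPTCHA_AFTER_FAILURES):
        guard.record_failure("alice")
    print("captcha for alice:", guard.captcha_required("alice"))
```

Two points worth noting from a defender's side: the check returns every violation rather than the first one, so the user can fix a password in one round trip, and the failure counter is reset only on a successful login, so a CAPTCHA, once triggered, stays in place until the legitimate owner gets through.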
In the end, these were failures and errors on the part of the company rather than a real intent to harm users or play tricks on them. The CNIL decided on a fine that is both dissuasive and proportionate, taking into account the company’s income, the nature of its activity, the seriousness, nature and duration of the violation, the measures taken to correct everything, the degree of cooperation with the supervisory authority and the categories of personal data affected by the breach. It underlines the goodwill of Discord Inc. and its cooperation with the various services, and the fact that its business model is not based on exploiting its users’ personal data. This is why it reduced the penalty to a rather moderate fine.