Discord, a popular voice-over-IP communication platform, was fined 800,000 euros by the French CNIL over GDPR violations relating to data retention periods and personal data security. The CNIL (Commission Nationale de l'Informatique et des Libertés), a French public authority, conducted investigations that led to the discovery of five GDPR violations:

1. Failure to define and respect a data retention period appropriate to the purpose (Article 5.1.e of the GDPR)

Discord stated that it had no written data retention policy. The investigation found 2,474,000 French user accounts in the Discord database that had not been used for more than three years, and 58,000 accounts that had not been used for more than five years. According to the CNIL's Sheet n°14 of June 2020, the retention period should be from 6 months up to 2 years. Discord brought itself into compliance with the GDPR by creating a written retention policy: the data and accounts of users inactive for 2 years will be deleted.

2. Failure to comply with the obligation to provide information (Article 13 of the GDPR)

The information provided on the data retention period was incomplete, as no specific periods or criteria were stated.
Discord fulfilled this obligation during the procedure.

3. Failure to ensure data protection by default (Article 25.2 of the GDPR)

Clicking the "X" button at the top right corner of a window closes and exits the majority of applications, but in Discord's case pressing it closed the window while keeping the program running in the background. This could mean that other people in the same voice room were still hearing your microphone after you had "closed" the application. The CNIL's concern was that users should be informed that their voice is still being transmitted and heard.
As a result, Discord implemented a pop-up window that informs users of this behaviour the first time they try to close the application. The setting can be changed manually by the user.

4. Failure to ensure the security of personal data (Article 32 of the GDPR)

The CNIL found Discord's password policy too weak: a 6-character password consisting of numbers and letters was accepted. The minimum requirements for a GDPR-compliant password policy are: at least 8 characters, drawn from at least three of the four character types (lower case, upper case, numbers, special symbols), and a captcha after ten unsuccessful login attempts to prevent brute-force password cracking.
The company took steps during the investigation to set up these password requirements and asked users to strengthen their existing passwords.
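To make the difference between the two policies concrete, the following added example (written for this article, not Discord's or the CNIL's code) encodes the weak rule the CNIL rejected next to the minimum it describes, plus a failed-login counter that demands a captcha on the tenth attempt. The class names and the per-account in-memory counter are assumptions for illustration.

```python
import string

# The four character classes the CNIL recommendation distinguishes.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in password))


def weak_policy_accepts(password: str) -> bool:
    """The policy the CNIL found insufficient: 6+ characters with letters and digits."""
    return (len(password) >= 6
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def cnil_policy_accepts(password: str) -> bool:
    """Minimum described above: 8+ characters drawn from at least 3 of the 4 classes."""
    return len(password) >= 8 and classes_present(password) >= 3


class LoginGuard:
    """Tracks consecutive failed logins per account (hypothetical in-memory store)
    and requires a captcha once the tenth failure is reached."""
    CAPTCHA_THRESHOLD = 10

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}

    def record_failure(self, account: str) -> bool:
        """Register one failed attempt; return True if a captcha is now required."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.captcha_required(account)

    def record_success(self, account: str) -> None:
        """A successful login resets the counter for that account."""
        self.failures.pop(account, None)

    def captcha_required(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.CAPTCHA_THRESHOLD
```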

5. Failure to carry out a data protection impact assessment (Article 35 of the GDPR)

Discord's decision that a data protection impact assessment was unnecessary was considered unacceptable by the CNIL's restricted committee. Given the large number of users, including minors, and the volume of data processed, this issue had to be addressed immediately.
Discord conducted two impact assessments during the investigation, covering the processing related to the Discord service and its core services. The assessments concluded that the processing is not likely to result in a high risk to the rights and freedoms of users.

The fine was calculated based on the number of individuals concerned, the severity of the identified breaches, and the company's efforts during the investigation to close the gaps with GDPR requirements. Another factor in Discord's favour was that its business model is not based on the exploitation of personal data.

At HewardMills we offer guidance on data breaches and security incidents. We assess your security posture to identify potential security gaps and offer advice on appropriate and effective remedies.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.