DISCORD INC. fined 800,000 euros

17 November 2022

On 10th November 2022, the CNIL fined DISCORD INC. 800,000 euros for failing to comply with several obligations of the GDPR, in particular with regard to the data retention periods and security of personal data.

The context

DISCORD is a voice over IP (technology that allows users to chat via their microphone and/or webcam over the Internet) and instant messaging service, in which users can create servers as well as text, voice and video rooms. The service is published by DISCORD INC., a company based in the United States.

On the basis of the findings from the investigations, the restricted committee - the CNIL body responsible for issuing sanctions - considered that the company had failed to comply with several obligations under the General Data Protection Regulation (GDPR). It imposed a fine of 800,000 euros on DISCORD INC. which was made public.

The amount of the fine was decided in view of the breaches identified and the number of people concerned, but also taking into account the efforts made by the company throughout the procedure to reach compliance and the fact that its business model is not based on the exploitation of personal data.

Sanctioned breaches

Failure to define and respect a data retention period appropriate to the purpose (Article 5.1.e of the GDPR)

During the investigation procedure, the company stated that it did not have a written data retention policy. The findings of the CNIL confirmed that there were 2,474,000 French user accounts in the DISCORD database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years.

However, the restricted committee noted that the company has complied with this obligation under the GDPR during the procedure, as it now has a written data retention policy, which includes deleting accounts after two years of user inactivity.

Failure to comply with the obligation to provide information (Article 13 of the GDPR)

At the time of the online investigations, the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining them.

The company has also complied with this obligation during the procedure.

Failure to ensure data protection by default (Article 25.2 of the GDPR)

When a user logged into a voice room closes the DISCORD application window by clicking on the "X" icon at the top right of the window in Microsoft Windows, they actually just put the application in the background and stay logged into the voice room. However, in Microsoft Windows, clicking on the "X" at the top right of the last visible application window will exit the application for the vast majority of applications.

DISCORD's behavior is different and may lead to users being heard by other members in the voice room when they thought they had left. The restricted committee considered that DISCORD should specifically inform users by making them aware that their words are still being transmitted and heard by others.

However, as part of the procedure, DISCORD INC. set up a pop-up window to alert people connected to a voice room, when the window is closed for the first time, that the DISCORD application is still running and that this setting can be changed directly by the user.

Failure to ensure the security of personal data (Article 32 of the GDPR)

At the time of the online investigation, when creating an account on DISCORD, a password of six characters including letters and numbers was accepted.

The restricted committee considered that DISCORD's password management policy was not sufficiently strong and restrictive to ensure the security of users' accounts.

However, the company took steps during the procedure to secure access to accounts: it now requires users to set a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters) and, after ten unsuccessful login attempts, the company requires a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.
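As an added illustration, not code from DISCORD INC. or the CNIL, the two measures described above (a minimum of eight characters with at least three of the four character types, and a captcha demanded after ten unsuccessful login attempts) expressed as a small Python check. The character-class definitions, the per-account failure counter and the reset of the counter on a successful login are assumptions about one possible implementation:

```python
from collections import defaultdict

# Thresholds taken from the measures described in the decision.
MIN_LENGTH = 8
MIN_CLASSES = 3
CAPTCHA_THRESHOLD = 10  # failed attempts after which a captcha is required


def character_classes(password):
    """Return the set of character types present (assumed class definitions)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():
            classes.add("special")  # any other printable character
    return classes


def password_meets_policy(password):
    """True when the password is long enough and mixes enough character types."""
    return (len(password) >= MIN_LENGTH
            and len(character_classes(password)) >= MIN_CLASSES)


class LoginGate:
    """Counts consecutive failed logins per account and demands a captcha
    once the threshold is reached (hypothetical helper, not a real API)."""

    def __init__(self, threshold=CAPTCHA_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)

    def captcha_required(self, account):
        return self.failures[account] >= self.threshold

    def record_attempt(self, account, success, captcha_solved=False):
        """Return 'ok', 'rejected' or 'captcha_required' for one login attempt."""
        if self.captcha_required(account) and not captcha_solved:
            return "captcha_required"  # do not even evaluate the credentials
        if success:
            self.failures[account] = 0  # assumed: counter resets on success
            return "ok"
        self.failures[account] += 1
        return "captcha_required" if self.captcha_required(account) else "rejected"
```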

Failure to carry out a data protection impact assessment (Article 35 of the GDPR)

DISCORD INC. considered that it was not necessary to carry out a data protection impact assessment.

The restricted committee considered that the company should have carried out such an impact assessment, given the volume of data processed by the company and the use of its services by minors.

The company took actions during the procedure by carrying out two impact assessments for its processing related to the DISCORD service and its core services, which concluded that the processing is not likely to result in a high risk to individuals' rights and freedoms.