Discord, not very careful with your personal data? This is why the CNIL sanctions the app
Alexander Boero

November 17, 2022 at 12:40 p.m.


The CNIL has just sanctioned Discord. The authority imposed a fine approaching one million euros on the company behind the software, for several breaches of the GDPR concerning the protection of users' personal data.

Discord, caught by the patrol. The National Commission for Computing and Liberties (CNIL) announced on Thursday that it had sanctioned the voice over IP (VoIP) service with a fine of 800,000 euros. The French authority identified several breaches of the General Data Protection Regulation (GDPR), in particular on the questions of retention periods and the security of personal data. The American company apparently cooperated during the procedure, which mitigated the sanction. But let’s look precisely at what the CNIL reproached it for.

Discord, pushed by the CNIL to have a written data retention policy

The first breach noted concerns the obligation to define, and comply with, a data retention period adapted to the intended purpose, set by article 5.1.e of the GDPR. The CNIL found in the Discord database 2.5 million accounts of French users who had not set foot on the application for three years. Add to that another 58,000 accounts that had been inactive for more than five years.

For the authority, the breach lay in the fact that, at the time of the inspection, the company had no written data retention policy. That error has since been repaired: the service now formally provides for the deletion of an account once it exceeds two years of inactivity.

Discord also violated Article 13 of the GDPR, relating to the obligation to inform. When the CNIL came through, the Californian company was rather incomplete on the question of retention periods: it presented neither precise durations nor the criteria that would let users obtain clear information on the subject. It has since come into compliance.

Leaving a voice channel on Windows did not actually disconnect the user from the channel

The CNIL was also taken aback on the question of the obligation to guarantee data protection by default (enshrined in article 25.2 of the GDPR). Take the example of a Discord user, connected to a voice channel, who closes the app window by clicking the X icon in Windows. In reality, this only puts the application in the background, and the user therefore remains connected to the voice room. Which obviously poses a problem in the eyes of the data constable.

“Discord’s behavior can lead to users being overheard by other members in the voice channel, even though they thought they had left it”, underlines the CNIL, which considers that the company should have informed the user, by specifying that, on leaving the window, he could nevertheless still be heard by other people.


Following the French authority’s procedure, Discord has therefore set up a pop-up window which, when the window is closed, alerts a user connected to a voice channel that the application is still running, and lets them change this setting directly.

Password Requirements Were Way Too Low, Discord Fixes It

When creating an account on Discord, a password of only six characters, including letters and numbers, was enough to get through the process. This alerted the CNIL at the time of its inspection, which then brandished article 32 of the General Data Protection Regulation. For the data constable, password management was not strong or restrictive enough to guarantee the security of user accounts.

The authority says Discord has taken steps to better secure accounts. Users must now define a password of at least eight characters, drawing on at least three of four categories of characters: lowercase letters, uppercase letters, numbers and special characters. In addition, after ten unsuccessful login attempts, Discord requires its users to solve a captcha. The CNIL deemed these efforts reassuring and satisfactory.
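To make the two account-security controls described above concrete, here is an added example (not Discord’s code, and not from the CNIL decision) that encodes the stated policy: a password must be at least eight characters long and use at least three of the four character categories, and an account that accumulates ten failed login attempts must pass a captcha before further attempts are processed. The function and class names, the per-account in-memory counter, and the sample passwords are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Policy values as reported in the article (assumed to be the only rules).
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3
CAPTCHA_THRESHOLD = 10

# The four character categories named in the article.
CATEGORY_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def password_categories(password: str) -> set[str]:
    """Return the names of the character categories present in the password."""
    return {name for name, pat in CATEGORY_PATTERNS.items() if pat.search(password)}


def check_password(password: str) -> tuple[bool, list[str]]:
    """Validate a candidate password against the stated policy.

    Returns (accepted, reasons); reasons is empty when the password is accepted.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    found = password_categories(password)
    if len(found) < REQUIRED_CATEGORIES:
        missing = sorted(set(CATEGORY_PATTERNS) - found)
        reasons.append(
            f"only {len(found)} of {REQUIRED_CATEGORIES} required categories "
            f"(missing: {', '.join(missing)})"
        )
    return (not reasons, reasons)


class LoginThrottle:
    """Track failed logins per account and demand a captcha after a threshold.

    Hypothetical in-memory implementation; a real service would persist
    counters and also rate-limit by source address.
    """

    def __init__(self, threshold: int = CAPTCHA_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures: dict[str, int] = defaultdict(int)

    def record_failure(self, account: str) -> bool:
        """Register one failed attempt; return True if a captcha is now required."""
        self.failures[account] += 1
        return self.requires_captcha(account)

    def requires_captcha(self, account: str) -> bool:
        return self.failures[account] >= self.threshold

    def record_success(self, account: str) -> None:
        """A successful login (after any required captcha) clears the counter."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    # Constructed sample passwords: the old six-character style versus the new policy.
    for candidate in ["abc123", "abcdefgh", "Abc12345", "Abcdefg!"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")

    throttle = LoginThrottle()
    for attempt in range(1, CAPTCHA_THRESHOLD + 1):
        captcha = throttle.record_failure("alice@example.invalid")
        print(f"failed attempt {attempt}: captcha required = {captcha}")
```

Note that the category check counts kinds of characters, not their positions, so a password such as `Abc12345` passes with lowercase, uppercase and digits while `abcdefgh` fails despite meeting the length rule; the throttle only reports when the captcha gate is reached and leaves the captcha itself, and any IP-based limiting, to the caller.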

A discord now attenuated

Last breach raised by the CNIL: the one relating to the obligation to carry out a data protection impact assessment (article 35 of the GDPR). What happened? Discord considered that it was simply not necessary to carry out such an assessment. The CNIL’s restricted committee, for its part, considered that the company was wrong, insofar as it processes a considerable volume of data and its service is used by many minors.

Discord ended up seeing reason on this point too, carrying out during the procedure not one but two impact assessments for the processing linked to the Discord service and its essential services. The assessments concluded that the processing was not likely to create a high risk for the rights and freedoms of individuals.

The Discord company therefore showed multiple shortcomings, but without any real intent to harm users, and the CNIL underlines this, emphasizing the firm’s good cooperation with its services.

Source : CNIL
