Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

France: CNIL fines Discord €800,000 for data security and retention failures under GDPR

The French data protection authority ('CNIL') announced, on 17 November 2022, that it had issued, on 10 November 2022, deliberation SAN-2022-020, in which it imposed a fine of €800,000 against Discord Inc., for violations of Articles 5(1)(e ), 13, 25(2), 32, and 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an audit of the same.

Background of the case

In particular, CNIL outlined that it carried out an online inspection of discord.com and the Discord mobile application on 17 November 2020, which it followed with a questionnaire.

Findings of CNIL

As a result of its investigation, CNIL determined that the following failures in Discord's compliance programme constituted violations of the GDPR, among others:

  • lack of a written data retention policy, violating Article 5(1)(e) of the GDPR;
  • lack of information regarding retention periods provided to data subjects, violating Article 13 of the GDPR;
  • failure to inform users of voice channel connections and transmissions to third parties, or utilise the appropriate technical measures to ensure this was not possible without said information, violating the obligation to guarantee Data Protection by Default under Article 25(2) of the GDPR;
  • accepting a password consisting of six characters, including letters and numbers, violating Article 32 of the GDPR; and
  • determining it was not necessary to carry out a Data Protection Impact Assessment ('DPIA'), violating Article 35 of the GDPR.

In calculation of the fine, CNIL considered the nature of the breaches, number of data subjects involved, that Discord's business model is not based on processing personal data, and considering the efforts made by Discord to cooperate during the enforcement proceedings with CNIL.

Outcomes

Accordingly, CNIL imposed a fine of €800,000 on Discord and published the deliberation, which will no longer identify Discord after two years.

You can read the press release here and the decision here, both only available in French.

UPDATE (6 February 2023)

EDPB publishes summary in English of decision against Discord

The European Data Protection Board ('EDPB') published, on 3 February 2023, CNIL's decision to fine Discord €800,000.

You can read the summary here.