France: CNIL fines Discord €800,000 for data security and retention failures under GDPR
The French data protection authority ('CNIL') announced, on 17 November 2022, that it had issued, on 10 November 2022, deliberation SAN-2022-020, in which it imposed a fine of €800,000 on Discord Inc. for violations of Articles 5(1)(e), 13, 25(2), 32, and 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an audit of the company.
Background of the case
CNIL outlined that it carried out an online inspection of discord.com and the Discord mobile application on 17 November 2020, which it followed up with a questionnaire.
Findings of CNIL
As a result of its investigation, CNIL determined that the following failures in Discord's compliance programme, among others, constituted violations of the GDPR:
- lack of a written data retention policy, violating Article 5(1)(e) of the GDPR;
- lack of information regarding retention periods provided to data subjects, violating Article 13 of the GDPR;
- failure to inform users of voice channel connections and transmissions to third parties, or utilise the appropriate technical measures to ensure this was not possible without said information, violating the obligation to guarantee Data Protection by Default under Article 25(2) of the GDPR;
- accepting a password consisting of six characters, including letters and numbers, violating Article 32 of the GDPR; and
- determining it was not necessary to carry out a Data Protection Impact Assessment ('DPIA'), violating Article 35 of the GDPR.
In calculating the fine, CNIL considered the nature of the breaches, the number of data subjects involved, the fact that Discord's business model is not based on the processing of personal data, and the efforts made by Discord to cooperate with CNIL during the enforcement proceedings.
Accordingly, CNIL imposed a fine of €800,000 on Discord and published the deliberation, which will no longer identify Discord after two years.
UPDATE (6 February 2023)
EDPB publishes summary in English of decision against Discord
The European Data Protection Board ('EDPB') published, on 3 February 2023, CNIL's decision to fine Discord €800,000.