Discord does not escape sanction, but makes corrections: the National Commission for Computing and Freedom (CNIL) announced on Thursday 17 November that it had imposed a fine of €800,000 on the voice-over-IP and messaging service. In its press release, the CNIL explains that it found several violations of the obligations imposed by the General Data Protection Regulation (GDPR) and therefore decided to fine the US company that publishes the Discord application.
Among the violations upheld, the CNIL found that the company did not delete the accounts of its inactive users and did not have a clear policy on retaining user data. The investigation revealed “2,474,000 French user accounts that have not used their account for more than three years and 58,000 accounts that have not been used for more than five years”, i.e. data that Discord holds without specifying a deletion date. However, the GDPR specifies that a service may retain the personal data it collects “for no longer than is necessary for the purposes for which they are processed”.
Following the same logic, the CNIL also criticizes the messaging app for failing to inform users about these same data retention periods. However, Discord brought itself into compliance during the proceedings: it now has a written data retention policy and provides for automatic deletion of accounts after two years of inactivity.
An app that stays open without warning
In addition to the retention issue, the CNIL also found that Discord breached its data protection obligation. At issue: the application's behavior when a user clicks the “X” button at the top right of the screen. In most Windows applications, clicking this button closes the application, but this does not apply to Discord, which simply minimizes the window to the background without alerting the user that the application is still running. “Users can be led to hear it when other members in the voice channel think they’ve left it”, the CNIL notes. Discord fixed this behavior by adding a pop-up window that alerts the user that the microphone is still active.
The CNIL also considers that Discord’s requirements for creating a password are insufficient to protect access to the account and that the application had not carried out an impact analysis related to data security. Discord fixed both points by increasing the security of passwords and conducting two impact analyses, which concluded that the data processing carried out by Discord was “not likely to create a significant risk to the rights and freedoms of individuals”, the CNIL reports.
Discord is an American platform that offers a messaging tool combined with voice rooms. Launched in 2015 and mainly used in the world of online video games, the tool is increasingly used by online communities for their exchanges. The platform has 140 million active users, and the number of registered accounts on the app is estimated to exceed 300 million by 2021.