CNIL fines Discord €800,000 for non-compliance with GDPR

For Discord, the ax has fallen. The CNIL, the National Commission for Computing and Freedom, has decided to impose an 800,000 euro fine on a VoIP service. Questionably, violations are found in many GDPR obligations, particularly in the protection of users’ personal data.

Whereas PlayStation players are still waiting to use Discord on PS5, popular VoIP service has raised its braces by CNIL. In fact, the National Commission for Computing and Freedom announced this Thursday, November 17, that it imposed a fine of 800,000 euros. Difference of opinion. His Official statementThe company states that the US company is the culprit Violates several obligations under the GDPR (General Data Protection Regulation).

The CNIL notes that this amount is determined by “Taking into account the deficiencies identified, the number of people involved, but also the company’s efforts to adhere throughout the process. But what, precisely, are the contradictions that Discord is accused of?

Accounts that have been inactive for years

First, the CNIL found during its investigation that the service does not delete accounts of inactive users. Additionally, Discord does not have a clear policy regarding the storage and retention of user data. When the authorities investigated, they found it Data from 2,474,000 French user accounts was still stored after three years of deactivation In the Discord database. Same observation for 58,000 inactive accounts for 5 years.

In the same domain, CNIL criticizes Discord for not providing users Accurate information on the period of retention of personal data (Breach of Article 13 of the GDPR). However, during the investigation, the service brought itself into compliance by including a clear and detailed handwritten policy. Account data is automatically deleted after two years of inactivity.

Must read more : Reviving the Discord forums for nostalgic gamers

Closing the application does not disconnect the voice from the channel

Another flaw is that Discord has grossly failed in its duty to guarantee data protection by default, according to the CNIL. Explanations. The company noted with dismay that a user connected to a voice channel closed the Discord app by clicking the X icon in Windows, The application is not fully closed.

On the contrary, It was active in the background And the icing on the cake, User is not disconnected from Voca channelI am “Discord’s behavior is different and the voice is heard by other members of the channel when users think they’ve left. CNIL writes. Now, a pop-up window will appear on 1st close Alert the user that the app is still running in the background. Note that this setting can be changed from here.

Very weak passwords should be discarded

We continue this overview of the objections against Discord Very weak requirement around passwords. Indeed, the CNIL considers “Discord’s password management policy is not strong and restrictive enough to guarantee the security of user accounts. As CNIL points out, when creating a Discord account, a password of only six characters is appropriate. Not enough for the CNIL. henceforth, Users must create a password that is at least eight characters long, there are at least three different character categories (lowercase, uppercase, numbers, special characters). Also, after ten failed connections, Captcha needs to be solved.

We now come to the last point. Breach of duty Conduct a data security impact analysis (Article 35 GDPR). Here, there is nothing complicated, Discord is not suitable to carry out this analysis. An error in the view of the CNIL, Discord processes a large amount of data, some of which belongs to minors. In good faith, The American company finally conducted two tests. At the end of the analyses, the processing of data from Discord was confirmed “is not likely to create a high risk to the rights and freedoms of individuals”.