Discord Inc fined EUR 800,000 by French Regulator

Last month Discord was given a strong reprimand and significant fine by the French regulator.

14 December 2022


Discord was given a strong reprimand and a significant fine by the French regulator last month. CNIL carried out an online inspection of discord.com and the Discord mobile application in November 2020 and found its systems to be significantly lacking.

Discord Inc is a US-based company which provides online voice, video and text communication services. CNIL confirmed that it had jurisdiction to investigate Discord’s activities as Discord had no establishment in Europe, making the ‘exception’ relating to cross-border processing and the designation of the Lead Supervisory Authority inapplicable.

Discord’s breaches were many and surprisingly obvious. It did not have a written data retention policy (as required by Art 5(1)(e) of the GDPR) nor did it have transparent information regarding its data retention periods (as required by Art 13 of the GDPR). CNIL was particularly concerned by these breaches as Discord appeared to be holding data from over 2 million French data subjects that had been inactive for over three years.

CNIL determined Discord’s password requirements to be insufficient (in breach of Art 32 of the GDPR) and disagreed with its decision that a Data Protection Impact Assessment was unnecessary (Art 35 of the GDPR).

The breach that made most headline news was Discord’s failure to inform users of voice channel connections and transmissions to third parties (in breach of Art 25(2) of the GDPR) – to put it plainly, users remained logged into the voice room (and their voices could still be heard) even after closing the Discord application window.

CNIL also determined that an “on/off” slider regarding the use of personal data should not be considered a valid way to exercise the right to object – only a “parameter”. CNIL was clear that a data subject would still be expected to contact Discord and confirm they are exercising their right to object, with their specific justification.

Discord have been swift to make changes, including stronger passwords, deleting inactive accounts and adding a pop-up warning to users that the voice feature is still running when the window is closed. CNIL noted Discord’s ongoing cooperation with the procedure as a reason for the relatively low fine. That Discord’s business model does not rely on the exploitation of personal data was also noted as a relevant factor.

A Discord spokesperson has told media outlets that its systems and practices were from 2020 – in the fast-moving area of data protection, companies need to ensure that they are continually reviewing and updating their processes. Are your data protection policies in need of a refresh? Contact us to find out more about our Data Breach Framework and how we can help.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.