The CNIL issues a sanction against DISCORD, a US VoIP service
Deliberation SAN-2022-020 of 10 November 2022
DISCORD INC. fined 800 000 euros
On 10 November 2022, the CNIL’s restricted panel imposed an administrative fine of 800,000 EUR on DISCORD Inc. (“DISCORD”), a VoIP (Voice over Internet Protocol) and instant messaging social platform established in the US which is especially popular with video game players. Through this platform, users can communicate by voice call, video call, text messaging, etc. The restricted panel found that DISCORD had infringed several basic requirements of the GDPR.
Scope of the CNIL’s jurisdiction: The GDPR was applicable to the processing activities carried out by DISCORD under article 3(2)(a) of the GDPR, since DISCORD offers goods and services to data subjects residing in the EU. As DISCORD has no establishment in the EU, the one-stop-shop mechanism provided for by article 56 of the GDPR was not applicable. Consequently, by application of article 55 of the GDPR, the CNIL was competent to initiate an investigation and to impose a sanction in respect of the processing activities affecting users on French territory. This point was not challenged by DISCORD.
Retention of inactive accounts: The CNIL’s guidelines on the management of the commercial relationship, dated 3 February 2022, state that accounts should be considered inactive after two years and must be deleted at the end of this period unless the user expresses the wish to keep his/her account active.
The Rapporteur observed that 2,474,000 French users’ accounts inactive for more than three years and 58,000 French users’ accounts inactive for more than five years were retained by DISCORD without justification. At the time of the inspections, DISCORD had not implemented a data retention policy, nor did it mention the applicable retention periods in its record of processing activities.
In its defense, DISCORD argued that data retention periods were directly coded into its platform. It also argued that the CNIL’s guidelines were not enforceable at the time of the investigations. In addition, DISCORD stressed that the CNIL expressed a reservation in its guidelines for certain activities such as social networks or dating websites, for which the data may be kept until the user deletes his/her account, and considered that its activities fall under this reservation. It also announced that a data retention policy was being implemented to delete inactive accounts after two years.
The restricted panel nonetheless considered that DISCORD was in breach of article 5(1)(e) of the GDPR, as DISCORD had not defined an applicable retention period for inactive user accounts. For the restricted panel, the nature of the services provided by DISCORD did not justify retaining inactive accounts without any time limit. It recalled that the CNIL has consistently held that retaining inactive online accounts created free of charge beyond a certain period amounts to indefinite data retention, which is in breach of the GDPR.
DISCORD has since implemented a data retention policy, providing for the deletion of inactive accounts after two years.
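To make the two-year rule concrete, the following Python script is an added example written for this article; it is not DISCORD’s own code nor anything taken from the CNIL decision. It classifies a small set of constructed user accounts by how long they have been inactive, reports how many fall past the two-, three- and five-year marks (the thresholds used above) and lists the ones the guideline would have deleted, sparing accounts whose owner asked to keep them. The `Account` record, its `keep_requested` flag and the reference date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date


# Account record assumed for this example; a real platform would read these
# fields from its user store. last_activity is the date of the last login or
# other interaction; keep_requested models the user "expressing the wish to
# keep the account active" mentioned in the CNIL guideline.
@dataclass(frozen=True)
class Account:
    user_id: str
    last_activity: date
    keep_requested: bool = False


def years_before(day: date, years: int) -> date:
    """Calendar date `years` before `day`; 29 February falls back to 28 February."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def inactive_for(accounts: list[Account], today: date, years: int) -> list[Account]:
    """Accounts whose last activity lies more than `years` years before `today`."""
    cutoff = years_before(today, years)
    return [a for a in accounts if a.last_activity < cutoff]


def retention_report(accounts: list[Account], today: date) -> dict[int, int]:
    """Number of accounts inactive for more than 2, 3 and 5 years."""
    return {years: len(inactive_for(accounts, today, years)) for years in (2, 3, 5)}


def accounts_to_delete(accounts: list[Account], today: date, limit_years: int = 2) -> list[str]:
    """User ids the guideline would delete: inactive past the limit and no request to keep."""
    return [a.user_id for a in inactive_for(accounts, today, limit_years)
            if not a.keep_requested]


# Constructed sample data, anchored on the date of the decision.
TODAY = date(2022, 11, 10)
SAMPLE_ACCOUNTS = [
    Account("u1", date(2022, 10, 1)),                      # active
    Account("u2", date(2020, 6, 15)),                      # inactive > 2 years
    Account("u3", date(2019, 1, 20)),                      # inactive > 3 years
    Account("u4", date(2016, 3, 3)),                       # inactive > 5 years
    Account("u5", date(2018, 5, 5), keep_requested=True),  # > 3 years, but the user asked to keep it
]

if __name__ == "__main__":
    print("inactive accounts by threshold:", retention_report(SAMPLE_ACCOUNTS, TODAY))
    print("to delete under the two-year rule:", accounts_to_delete(SAMPLE_ACCOUNTS, TODAY))
```

Running the same report against a real user table is the quickest way to see whether a platform has the kind of backlog the Rapporteur counted; the deletion list is the input to the purge job, and the `keep_requested` exclusion is what turns the guideline’s “unless the user expresses the wish” into code.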
Transparency and obligation to inform data subjects: During the inspections carried out by the CNIL’s agents, it was observed that DISCORD’s privacy policy was displayed only in English and was not available in French. It was argued in defense that this situation was due to a technical issue, which did not convince the restricted panel. The restricted panel considered that DISCORD was in breach of article 12 of the GDPR, as it had not, as data controller, taken appropriate measures to provide data subjects with the information referred to in articles 13 and 14 of the GDPR.
The restricted panel considered that DISCORD’s privacy policy was generic and not explicit regarding the applicable retention periods, as it stated: “We generally retain personal data for as long as necessary for the purposes set out in this document. To purge data, we may anonymize it, delete it or take other necessary measures. Data may persist for some time in the form of backup copies or for commercial purposes”. Consequently, DISCORD was found in breach of article 13 of the GDPR.
DISCORD has since complied, by implementing a data retention policy and adding a section referring to this document in its privacy policy.
Data protection by default: The Rapporteur observed that the user must take several steps to properly disconnect from DISCORD’s platform. Clicking on the “x” in the right-hand corner of the screen did not amount to disconnecting, as it usually does on Windows or Linux. The platform was in fact placed in the background and users remained connected to their voice channel, from which their voice was still being recorded. The Rapporteur considered that users were not properly informed that their personal data were still being communicated to the other users connected to the same voice channel, and that they would reasonably believe that clicking on “x” had disconnected them from DISCORD’s platform. This constituted a breach of article 25 of the GDPR.
The restricted panel confirmed the Rapporteur’s reasoning and considered that users should be given specific information (through a pop-up window) indicating that clicking on “x” does not disconnect them from their voice channel and that the platform is still active. DISCORD has since complied by implementing an informative pop-up window.
Data security – Passwords: When creating an account, a password of six characters consisting of numbers and letters was accepted without any complementary security measure. This did not comply with the CNIL’s 2017 guidelines on passwords, which recommend a password of at least 8 characters including at least three of the four categories of characters (upper case, lower case, digits and special characters). Despite the remediation measures implemented by DISCORD during the proceedings to comply with the CNIL’s guidelines on passwords, the restricted panel considered that DISCORD was in breach of article 32 of the GDPR at the time of the inspections.
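The password finding comes down to a composition rule, so the following Python example, added for this article and not taken from DISCORD or the CNIL, puts the two rules side by side: the six-character rule the decision describes as in force at the time of the inspections, and the CNIL 2017 recommendation of at least eight characters from at least three of the four character classes. The `PasswordPolicy` record, the assumption that the weak rule imposed no class requirement, and the sample passwords are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_classes: int  # how many of the four character classes must be present


# Rule the decision describes as in force at the time of the inspections:
# six characters were enough. The absence of any class requirement is an
# assumption of this example; the decision only says that a six-character
# letters-and-digits password was accepted.
WEAK_POLICY = PasswordPolicy("platform rule at inspection", min_length=6, min_classes=1)

# CNIL 2017 recommendation as summarised in the article: at least eight
# characters drawn from at least three of the four character classes.
CNIL_2017_POLICY = PasswordPolicy("CNIL 2017 guideline", min_length=8, min_classes=3)


def character_classes(password: str) -> set[str]:
    """Which of the four classes (upper, lower, digit, special) the password uses."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the policy violations for `password`; an empty list means it is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    used = character_classes(password)
    if len(used) < policy.min_classes:
        problems.append(f"uses {len(used)} character class(es), needs {policy.min_classes}")
    return problems


# Constructed sample passwords, not real credentials.
SAMPLES = ["abc123", "password", "Passw0rd", "Tr0ub4dor!"]

if __name__ == "__main__":
    for pw in SAMPLES:
        for policy in (WEAK_POLICY, CNIL_2017_POLICY):
            verdict = check_password(pw, policy)
            outcome = "accepted" if not verdict else "; ".join(verdict)
            print(f"{pw!r:14} {policy.name:28} {outcome}")
```

The check only covers what the article’s finding is about, the composition of the password accepted at sign-up; the “complementary security measure” the decision says was missing (for instance a limit on authentication attempts) is a separate control that this rule does not replace.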
Data Protection Impact Assessment (DPIA): DISCORD had not conducted a DPIA for its data processing activities. Under article 35 of the GDPR, a DPIA must be conducted by the data controller where a processing activity is likely to result in a high risk to the rights and freedoms of data subjects. Data controllers must consider several factors, notably the number of data subjects affected, the volume of data, and the vulnerability of the data subjects.
The Rapporteur considered that the processing activities at stake qualified as large-scale processing operations considering the number of users in France and that it also impacted vulnerable persons such as minors since persons aged above 15 years old could create accounts. These two factors justified the conduct of a DPIA.
In the course of the proceedings, DISCORD carried out two DPIAs and concluded that the processing activities at stake were not likely to create a high risk for the data subjects’ rights.
Despite this remediation action, the restricted panel considered that DISCORD had been in breach of article 35 of the GDPR for the past period, as conducting these assessments was imperative in order to conclude that there was no high risk to the data subjects’ rights.
It is worth noting that the Rapporteur initially proposed an administrative fine of 1.3 million EUR.
The fine was eventually reduced by the restricted panel, as two of the seven infringements alleged by the Rapporteur (transparency and right to object) were rejected in light of DISCORD’s defense arguments.