While PlayStation players are still waiting to be able to use Discord on PS5, the well-known VoIP service has just been reprimanded by the CNIL. The Commission nationale de l'informatique et des libertés (the French data protection authority) announced on Thursday, November 17 that it had imposed a fine of €800,000 on Discord. In its official press release, the authority states that the American company committed several breaches of its obligations under the GDPR (General Data Protection Regulation).
The CNIL specifies that this amount was determined "with regard to the shortcomings identified, the number of people concerned, but also taking into account the efforts made by the company to comply throughout the procedure". So what exactly are the breaches Discord is accused of?
Inactive accounts kept for years
First of all, the CNIL found during its investigation that the service did not delete the accounts of inactive users, and that Discord had no clear written policy on how long user data is stored and retained. On examination, the authority found that the data of 2,474,000 French user accounts that had been inactive for three years was still stored in Discord's database, along with that of 58,000 accounts that had been inactive for five years.
On the same point, the CNIL also criticizes Discord for not giving users accurate information about the retention period of their personal data (a breach of Article 13 of the GDPR). During the investigation, however, the service brought itself into compliance by adopting a clear and detailed written retention policy, which specifies that account data is automatically deleted after two years of inactivity.
Closing the app does not disconnect from a voice channel
Another grievance: the CNIL finds that Discord failed in its obligation to guarantee data protection by default. Here is why. The authority noted that when a user connected to a voice channel closed the Discord application by clicking the X icon on Windows, the app did not close completely.
Instead, it kept running in the background and, to make matters worse, the user was not disconnected from the voice channel. "Discord's behavior is different and can lead to users being overheard by other members in the voice channel when they thought they had left," writes the CNIL. Since then, a pop-up window appears the first time the app is closed to warn the user that it is still running in the background. Note that this setting can be changed.
Discord required passwords that were too weak
We continue this overview of the complaints against Discord with a far too weak requirement around passwords. The CNIL considers that "Discord's password management policy was not robust and restrictive enough to guarantee the security of user accounts". As the CNIL points out, when creating a Discord account, a password of only six characters was accepted. Insufficient, in the CNIL's view. From now on, users must create a password of at least eight characters containing at least three of the four character categories (lowercase, uppercase, digits, special characters). In addition, after ten failed login attempts, the user must solve a captcha before trying again.
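The two password settings the CNIL contrasted, expressed as a validator with the old and new policies side by side, plus the per-account failure counter that gates the captcha. This is an added illustration, not Discord's code: the thresholds (6 characters; 8 characters and 3 of 4 categories; captcha after 10 failures) come from the article, while the policy structure, the in-memory counter and the treatment of "special characters" as ASCII punctuation are assumptions made for the example.

```python
"""Password policy and login throttling as described by the CNIL.

Constructed example, not Discord's implementation. The thresholds come from
the press coverage; everything else (data structures, what counts as a
"special" character) is an assumption for illustration.
"""
import string
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_categories: int  # how many of: lowercase, uppercase, digits, specials


# Policy the CNIL criticised: six characters, no composition requirement.
OLD_POLICY = PasswordPolicy(min_length=6, min_categories=0)
# Policy adopted during the procedure: eight characters, three of four categories.
NEW_POLICY = PasswordPolicy(min_length=8, min_categories=3)

# Failed attempts on one account before a captcha is demanded.
CAPTCHA_THRESHOLD = 10


def character_categories(password: str) -> int:
    """Count how many of the four character categories the password uses.

    "Special" is taken to mean ASCII punctuation here (assumption).
    """
    present = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(present)


def is_acceptable(password: str, policy: PasswordPolicy) -> bool:
    """True if the password meets both the length and the category rule."""
    return (
        len(password) >= policy.min_length
        and character_categories(password) >= policy.min_categories
    )


@dataclass
class LoginThrottle:
    """Per-account failure counter that decides when a captcha is required.

    In-memory only; a real deployment would persist this and also throttle
    by source address, since a per-account counter alone does not slow
    credential stuffing spread across many accounts.
    """
    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str) -> int:
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account]

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)

    def captcha_required(self, account: str) -> bool:
        return self.failures.get(account, 0) >= CAPTCHA_THRESHOLD


if __name__ == "__main__":
    for candidate in ("abc123", "abcdefgh", "Abcdef12"):
        print(
            f"{candidate!r}: old policy {is_acceptable(candidate, OLD_POLICY)}, "
            f"new policy {is_acceptable(candidate, NEW_POLICY)}"
        )
    throttle = LoginThrottle()
    for _ in range(CAPTCHA_THRESHOLD):
        throttle.record_failure("alice")
    print("captcha for alice:", throttle.captcha_required("alice"))
```

Note that a password such as `abcdefgh` satisfies the new length rule but still fails, because it uses a single character category; the category rule is what separates the two policies for passwords of eight characters or more.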
We now come to the last point: a breach of the obligation to carry out a data protection impact assessment (Article 35 of the GDPR). Here, nothing complicated: Discord had simply not carried out this assessment. An error in the eyes of the CNIL, since Discord processes a huge amount of data, some of it belonging to minors. The American company eventually carried out two impact assessments during the procedure. They concluded that Discord's processing of the data "is not likely to create a high risk for the rights and freedoms of individuals".