CNIL (France) - SAN-2022-020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=Délibération SAN-2022-020...")
 
No edit summary
Line 81: Line 81:
}}
}}


The French DPA fined an online communication platform €800,000 for several GDPR violations. Among other things, the controller did not have a data retention period in its privacy policy, provided incomplete information and failed to ensure data protec
The French DPA fined an online communication platform €800,000 for several GDPR violations. Among other things, the controller did not have a data retention period in its privacy policy, provided incomplete information and failed to ensure data protection by default.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The French CNIL (DPA) started an investigation into a company, which was based in the United states (controller). The controller provided a free of charge online service that allowed users to communicate online in real time. The service also included an option for instant messaging and options to create servers, text, voice - and video rooms.  
The French CNIL (DPA) started an investigation into a company, which was based in the United states (controller). The controller provided a free of charge online service that allowed users to communicate online in real time. The service also included an option for instant messaging and options to create servers, text, voice - and video rooms.  
The investigation service of the DPA (investigation service) determined several shortcomings at the side of the controller.  
The investigation service of the DPA (investigation service) determined several shortcomings at the side of the controller.  
• The controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French user accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure for this decision, the controller added a written data retention policy, which included deleting accounts after two years of user inactivity.
 
• The investigation service found that the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these retention periods. The controller had also complied with this obligation during the procedure.
•During the investigation, the controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French user accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure for this decision, the controller added a written data retention policy, which included deleting accounts after two years of user inactivity.
• The investigation service also found that when a user, logged into a voice room, closed the controller’s application window by clicking on the "X" icon at the top right of the window in Microsoft Windows, they actually just put the application in the background and stayed logged in. However, in Microsoft Windows, clicking on the "X" at the top right of the last visible application window will exit the application for the vast majority of applications.
 
• At the time of the online investigation, when creating an account, the controller accepted a password of six characters including letters and numbers. The controller adjusted this during the proceedings: it required users use a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters). Also, after ten unsuccessful login attempts, the controller now required a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.
•The investigation service found that the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these retention periods. The controller had also complied with this obligation during the procedure.
• The investigation service had also determined that the controller considered that it was not necessary to carry out a data protection impact assessment.
 
•The investigation service also found that when a user, logged into a voice room, closed the controller’s application window by clicking on the "X" icon at the top right of the window in Microsoft Windows, they actually just put the application in the background and stayed logged in. However, in Microsoft Windows, clicking on the "X" at the top right of the last visible application window will exit the application for the vast majority of applications.
 
•At the time of the online investigation, when creating an account, the controller accepted a password of six characters including letters and numbers. The controller adjusted this during the proceedings: it required users use a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters). Also, after ten unsuccessful login attempts, the controller now required a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.
 
•The investigation service had also determined that the controller considered that it was not necessary to carry out a data protection impact assessment.


=== Holding ===
=== Holding ===
Competence of the DPA  
<u>Competence of the DPA</u>
 
The DPA determined that the controller processed personal of French data subject and held that the GDPR was applicable pursuant of [[Article 3 GDPR#2a|Article 3(2)(a) GDPR]] by considering several factors. Amongst other factors, The DPA considered for example that almost all pages on the controller’s website and in the controller’s application were available in French, except in the controller’s privacy policy.  
The DPA determined that the controller processed personal of French data subject and held that the GDPR was applicable pursuant of [[Article 3 GDPR#2a|Article 3(2)(a) GDPR]] by considering several factors. Amongst other factors, The DPA considered for example that almost all pages on the controller’s website and in the controller’s application were available in French, except in the controller’s privacy policy.  
The DPA determined that it was competent to handle because the one-stop shop" mechanism (Article 56 GDPR) did not apply in this case, since the controller did not have an establishment on the territory of an EU Member State. Therefore, each national supervisory authority was competent to monitor GDPR compliance on the territory of this member state (Article 55 GDPR), for processing operations carried out by the controller on data subjects residing in that member state.  
The DPA determined that it was competent to handle because the one-stop shop" mechanism (Article 56 GDPR) did not apply in this case, since the controller did not have an establishment on the territory of an EU Member State. Therefore, each national supervisory authority was competent to monitor GDPR compliance on the territory of this member state (Article 55 GDPR), for processing operations carried out by the controller on data subjects residing in that member state.  
Failure to define and respect a data retention period appropriate to the purpose (Article 5(1)(e) GDPR)
 
<u>Failure to define and respect a data retention period appropriate to the purpose (Article 5(1)(e) GDPR)</u>
 
The DPA confirmed that the controller did not have a written date retention policy at the time of the investigation. The DPA also confirmed that there were 2,474,000 French user accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The DPA held that this was a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], because the controller could not rely in this case on the maintenance of a contractual relationship to indefinitely keep the accounts of users who were totally inactive but who had not unsubscribed. Since the account had been created free of charge and an inactive user who wished to use the service again could do so by recreating an account at any time.
The DPA confirmed that the controller did not have a written date retention policy at the time of the investigation. The DPA also confirmed that there were 2,474,000 French user accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The DPA held that this was a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], because the controller could not rely in this case on the maintenance of a contractual relationship to indefinitely keep the accounts of users who were totally inactive but who had not unsubscribed. Since the account had been created free of charge and an inactive user who wished to use the service again could do so by recreating an account at any time.
Failure to comply with the obligation to provide information (Article 13 GDPR)  
 
The DPA stated that at the time of the investigation, the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these periods. The DPA held that this was a violation of [[Article 13 GDPR|Article 13 GDPR]], because retention periods were stated in a generic manner, without being sufficiently explicit.
<u>Failure to comply with the obligation to provide information (Article 13 GDPR)</u>
Failure to ensure data protection by default (Article 25(2) GDPR)
 
The DPA stated that at the time of the investigation, the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these periods. The DPA held that this was a violation of [[Article 13 GDPR]], because retention periods were stated in a generic manner, without being sufficiently explicit.
 
<u>Failure to ensure data protection by default (Article 25(2) GDPR)</u>
 
The DPA also found a violation of [[Article 25 GDPR#2|Article 25(2) GDPR]] when it was analyzing the controllers “X” icon at the top right corner of its Windows application. The DPA determined that the controller’s behavior was different in comparison with other Windows applications.  The fact that users would click the “X” button in the controller’s application could lead to a situation where this user is being heard by other members in the voice room when the user thought he/she had closed the application. The DPA considered that the controller should specifically inform users by alerting them that their voice can still be heard by other members. The DPA stated that the user's personal data was communicated to third parties without the user necessarily being aware of this. The DPA noted that such this setting, in the absence of sufficiently clear and visible information, presented significant risks for users, in particular of intrusion into their private life. The DPA stated that the user should either be informed in advance of this setting, or the user should enable this setting himself/herself.  
The DPA also found a violation of [[Article 25 GDPR#2|Article 25(2) GDPR]] when it was analyzing the controllers “X” icon at the top right corner of its Windows application. The DPA determined that the controller’s behavior was different in comparison with other Windows applications.  The fact that users would click the “X” button in the controller’s application could lead to a situation where this user is being heard by other members in the voice room when the user thought he/she had closed the application. The DPA considered that the controller should specifically inform users by alerting them that their voice can still be heard by other members. The DPA stated that the user's personal data was communicated to third parties without the user necessarily being aware of this. The DPA noted that such this setting, in the absence of sufficiently clear and visible information, presented significant risks for users, in particular of intrusion into their private life. The DPA stated that the user should either be informed in advance of this setting, or the user should enable this setting himself/herself.  
During the procedure, the controller implemented a pop-up window to alert users when the window is closed for the first time, that the application is still running. The controller also informed the user that this setting can be changed.  
During the procedure, the controller implemented a pop-up window to alert users when the window is closed for the first time, that the application is still running. The controller also informed the user that this setting can be changed.  
Failure to ensure the security of personal data (Article 32 of the GDPR)
 
<u>Failure to ensure the security of personal data (Article 32 of the GDPR)</u>
 
At the time of the online investigation, when creating an account on DISCORD, a password of six characters including letters and numbers was accepted.
At the time of the online investigation, when creating an account on DISCORD, a password of six characters including letters and numbers was accepted.
The restricted committee considered that DISCORD's password management policy was not sufficiently strong and restrictive to ensure the security of users' accounts.
The restricted committee considered that DISCORD's password management policy was not sufficiently strong and restrictive to ensure the security of users' accounts.
However, the company took steps during the procedure to secure access to accounts: it now requires users to set a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters) and, after ten unsuccessful login attempts, the company requires a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.
However, the company took steps during the procedure to secure access to accounts: it now requires users to set a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters) and, after ten unsuccessful login attempts, the company requires a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.
Failure to carry out a data protection impact assessment (Article 35 of the GDPR)
 
<u>Failure to carry out a data protection impact assessment (Article 35 of the GDPR)</u>
 
The controller considered that it was not necessary to carry out a data protection impact assessment.
The controller considered that it was not necessary to carry out a data protection impact assessment.
The restricted committee considered that the company should have carried out such an impact assessment, given the volume of data processed by the company and the use of its services by minors.
The restricted committee considered that the company should have carried out such an impact assessment, given the volume of data processed by the company and the use of its services by minors.
The company took actions during the procedure by carrying out two impact assessments for its processing related to the DISCORD service and its core services, which concluded that the processing is not likely to result in a high risk to individuals' rights and freedoms.
The company took actions during the procedure by carrying out two impact assessments for its processing related to the DISCORD service and its core services, which concluded that the processing is not likely to result in a high risk to individuals' rights and freedoms.
Fine  
 
On the basis of the findings from the investigations, the restricted committee - the CNIL body responsible for issuing sanctions - considered that the company had failed to comply with several obligations under the General Data Protection Regulation (GDPR). It imposed a fine of 800,000 euros on DISCORD INC. which was made public.
<u>Fine</u>
 
On the basis of the findings from the investigations, the restricted committee - the CNIL body responsible for issuing sanctions - considered that the company had failed to comply with several obligations under the General Data Protection Regulation (GDPR). It imposed a fine of 800,000 euros on the controller .
The amount of the fine was decided regarding the breaches identified, the number of people concerned, but also taking into account the efforts made by the company throughout the procedure to reach compliance and the fact that its business model is not based on the exploitation of personal data.
The amount of the fine was decided regarding the breaches identified, the number of people concerned, but also taking into account the efforts made by the company throughout the procedure to reach compliance and the fact that its business model is not based on the exploitation of personal data.
Comments
The DPA also investigated breaches of Articles 12 and 21 GDPR, which were not upheld by the DPA.


== Comment ==
== Comment ==

Revision as of 11:06, 2 December 2022

CNIL - Délibération SAN-2022-020
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 3(2)(a) GDPR
Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 13(2)(a) GDPR
Article 21 GDPR
Article 25(2) GDPR
Article 32 GDPR
Article 35(1) GDPR
Article 55(1) GDPR
Article 56 GDPR
Type: Investigation
Outcome: Violation Found
Started: 17.11.2020
Decided: 10.11.2022
Published:
Fine: 800,000 EUR
Parties: Discord
National Case Number/Name: Délibération SAN-2022-020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined an online communication platform €800,000 for several GDPR violations. Among other things, the controller did not have a data retention period in its privacy policy, provided incomplete information and failed to ensure data protection by default.

English Summary

Facts

The French CNIL (DPA) started an investigation into a company, which was based in the United states (controller). The controller provided a free of charge online service that allowed users to communicate online in real time. The service also included an option for instant messaging and options to create servers, text, voice - and video rooms. The investigation service of the DPA (investigation service) determined several shortcomings at the side of the controller.

•During the investigation, the controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French user accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure for this decision, the controller added a written data retention policy, which included deleting accounts after two years of user inactivity.

•The investigation service found that the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these retention periods. The controller had also complied with this obligation during the procedure.

•The investigation service also found that when a user, logged into a voice room, closed the controller’s application window by clicking on the "X" icon at the top right of the window in Microsoft Windows, they actually just put the application in the background and stayed logged in. However, in Microsoft Windows, clicking on the "X" at the top right of the last visible application window will exit the application for the vast majority of applications.

•At the time of the online investigation, when creating an account, the controller accepted a password of six characters including letters and numbers. The controller adjusted this during the proceedings: it required users use a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters). Also, after ten unsuccessful login attempts, the controller now required a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.

•The investigation service had also determined that the controller considered that it was not necessary to carry out a data protection impact assessment.

Holding

Competence of the DPA

The DPA determined that the controller processed personal of French data subject and held that the GDPR was applicable pursuant of Article 3(2)(a) GDPR by considering several factors. Amongst other factors, The DPA considered for example that almost all pages on the controller’s website and in the controller’s application were available in French, except in the controller’s privacy policy.

The DPA determined that it was competent to handle because the one-stop shop" mechanism (Article 56 GDPR) did not apply in this case, since the controller did not have an establishment on the territory of an EU Member State. Therefore, each national supervisory authority was competent to monitor GDPR compliance on the territory of this member state (Article 55 GDPR), for processing operations carried out by the controller on data subjects residing in that member state.

Failure to define and respect a data retention period appropriate to the purpose (Article 5(1)(e) GDPR)

The DPA confirmed that the controller did not have a written date retention policy at the time of the investigation. The DPA also confirmed that there were 2,474,000 French user accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The DPA held that this was a violation of Article 5(1)(e) GDPR, because the controller could not rely in this case on the maintenance of a contractual relationship to indefinitely keep the accounts of users who were totally inactive but who had not unsubscribed. Since the account had been created free of charge and an inactive user who wished to use the service again could do so by recreating an account at any time.

Failure to comply with the obligation to provide information (Article 13 GDPR)

The DPA stated that at the time of the investigation, the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these periods. The DPA held that this was a violation of Article 13 GDPR, because retention periods were stated in a generic manner, without being sufficiently explicit.

Failure to ensure data protection by default (Article 25(2) GDPR)

The DPA also found a violation of Article 25(2) GDPR when it was analyzing the controllers “X” icon at the top right corner of its Windows application. The DPA determined that the controller’s behavior was different in comparison with other Windows applications. The fact that users would click the “X” button in the controller’s application could lead to a situation where this user is being heard by other members in the voice room when the user thought he/she had closed the application. The DPA considered that the controller should specifically inform users by alerting them that their voice can still be heard by other members. The DPA stated that the user's personal data was communicated to third parties without the user necessarily being aware of this. The DPA noted that such this setting, in the absence of sufficiently clear and visible information, presented significant risks for users, in particular of intrusion into their private life. The DPA stated that the user should either be informed in advance of this setting, or the user should enable this setting himself/herself. During the procedure, the controller implemented a pop-up window to alert users when the window is closed for the first time, that the application is still running. The controller also informed the user that this setting can be changed.

Failure to ensure the security of personal data (Article 32 of the GDPR)

At the time of the online investigation, when creating an account on DISCORD, a password of six characters including letters and numbers was accepted. The restricted committee considered that DISCORD's password management policy was not sufficiently strong and restrictive to ensure the security of users' accounts. However, the company took steps during the procedure to secure access to accounts: it now requires users to set a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters) and, after ten unsuccessful login attempts, the company requires a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.

Failure to carry out a data protection impact assessment (Article 35 of the GDPR)

The controller considered that it was not necessary to carry out a data protection impact assessment. The restricted committee considered that the company should have carried out such an impact assessment, given the volume of data processed by the company and the use of its services by minors. The company took actions during the procedure by carrying out two impact assessments for its processing related to the DISCORD service and its core services, which concluded that the processing is not likely to result in a high risk to individuals' rights and freedoms.

Fine

On the basis of the findings from the investigations, the restricted committee - the CNIL body responsible for issuing sanctions - considered that the company had failed to comply with several obligations under the General Data Protection Regulation (GDPR). It imposed a fine of 800,000 euros on the controller . The amount of the fine was decided regarding the breaches identified, the number of people concerned, but also taking into account the efforts made by the company throughout the procedure to reach compliance and the fact that its business model is not based on the exploitation of personal data.

Comment

The DPA also investigated breaches of Articles 12 and 21 GDPR, which were not upheld by the DPA.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.