CNIL (France) - Délibération SAN-2022-020
|CNIL - Délibération SAN-2022-020|
|Relevant Law:||Article 3(2)(a) GDPR|
Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 13(2)(a) GDPR
Article 21 GDPR
Article 25(2) GDPR
Article 32 GDPR
Article 35(1) GDPR
Article 55(1) GDPR
Article 56 GDPR
|National Case Number/Name:||Délibération SAN-2022-020|
|European Case Law Identifier:||n/a|
|Original Source:||CNIL (in FR)|
The French DPA imposed a fine of €800,000 on Discord, an online communication platform. Among other things, the controller had no data retention policy, did not secure the data with a password that was strong enough, and should have conducted a data protection impact assessment.
English Summary[edit | edit source]
Facts[edit | edit source]
The French DPA (CNIL) started an investigation into Discord, a company based in the United States (controller). This controller provided a free of charge online service that allowed data subjects to communicate online using text, voice - and video.
The investigation service of the DPA determined several shortcomings.
During the investigation, the controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French data subject accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure, the controller added a data retention policy, which described that the controller would delete user accounts after two years of inactivity.
The investigation service also addressed a specific problem about the application for Microsoft Windows: when a data subject, logged in to a voice room, closed the controller’s application window by clicking on the "X" icon at the top right of the application, the application would continue to run in the background and the data subject would remain logged in. However, in the majority of Microsoft Windows applications, clicking on the "X" will close the application. This 'background minimization' was activated after the first install of the controller's software. The data subject was not informed about this background minimization. During the procedure, the controller implemented a pop-up window to alert data subjects that the application was still running, when the application window was closed for the first time. The controller also informed data subjects that this setting (remain logged in after closure of application) could be changed in the settings.
At the time of the online investigation, when creating an account, the controller accepted a password of six characters including letters and numbers. The controller also adjusted this during the proceedings: it now required data subjects to use a password of at least eight characters, with at least three of the four different character types. Also, after ten unsuccessful login attempts, the controller now required a captcha prompt to be solved, which was previously not the case.
The investigation service also determined that the controller had previously deemed it unnecessary to carry out a data protection impact assessment (DPIA). During the procedure, the controller carried out two impact assessments, in which the controller concluded that its processing was not likely to result in a high risk to individuals' rights and freedoms.
Holding[edit | edit source]
Competence of the DPA
The DPA determined that the controller processed personal data of French data subject and held that the GDPR was applicable pursuant of Article 3(2)(a) GDPR. The DPA determined that the controller offered services intended for data subjects in the European Union by considering several factors. Among other factors, The DPA considered for example that almost all pages on the controller’s website and in the controller’s application were available in French at the time of the investigation.
The DPA determined that it was competent to handle this case because the one-stop shop" mechanism (Article 56 GDPR) did not apply in this case, because the controller did not have an establishment on the territory of any EU Member State. Therefore, each national supervisory authority was competent to monitor GDPR compliance on the territory of this member state (Article 55 GDPR).
Failure to define and respect a data retention period appropriate to the purpose (Article 5(1)(e) GDPR)
The DPA confirmed that the controller did not have a written date retention policy at the time of the investigation. The DPA also confirmed that there were 2,474,000 French data subject accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The DPA held that this was a violation of Article 5(1)(e) GDPR, because the controller could not rely on the contractual relationship to indefinitely keep storing accounts of data subjects who were inactive, but had not unsubscribed. The reason for this was because a new account could be created free of charge. Therefore, an inactive data subject who wished to use the service again, could do so by recreating a new account.
Failure to comply with the obligation to provide information (Article 13 GDPR)
The DPA stated that at the time of the investigation, the information regarding data retention periods was incomplete. There were no specific periods or criteria for determining these periods. The DPA held that this was a violation of Article 13 GDPR, because retention periods were stated in a generic manner and were not sufficiently explicit.
Failure to ensure data protection by default (Article 25(2) GDPR)
The DPA also found a violation of Article 25(2) GDPR regarding the controllers “X” icon at the top right corner of its Windows application. The DPA determined that the behaviour of the controller's application was different in comparison with other Windows applications. The DPA considered that the fact that data subjects would click the “X” icon in the controller’s application, without actually closing the application, could lead to a situation where this data subject could still be heard by other members in the voice room, when the data subject actually thought he/she had left the voice room.
The DPA stated that data subjects could not reasonably expect the application to keep running after clicking the 'X' icon, because communication apps in general either inform the data subject about this 'background minimization' or provide the option to data subjects to enable it themselves. The DPA stated that because of this situation, the data subject's personal data could be communicated to third parties without the data subject necessarily being aware of this. The DPA noted that this setting, without sufficiently clear and visible information, could present significant risks for data subjects, in particular for intrusion into their private life.
Failure to ensure the security of personal data (Article 32 GDPR)
At the time of the online investigation, the controller accepted a password of six characters including letters and numbers for creating a user account. The DPA considered that the controller's passwords were not strong enough, taking into account the undemanding password policy and the volume of personal data processed by the controller. This resulted in a risk of compromise for the user accounts in question, including the personal data these accounts contained. The DPA referred to its own recommendations for passwords (in deliberation No. 2017-012 of 19 January 2017), which entailed that passwords should compromise at least eight characters, containing at least three or four categories of characters (upper case, lower case, numbers and special characters) and that authentication should include a limitation on access of the user account, such as a timeout of access after several failed requests to login.
Failure to carry out a data protection impact assessment (Article 35 GDPR)
The controller previously considered that it was not necessary to carry out a DPIA. The DPA considered that the controller should have done so, looking at the large scale of personal data processed and the fact that the controller's service was also intended used by children aged fifteen, of which the controller was fully aware, according to the DPA.
The DPA imposed a fine of 800,000 euros on the controller. The amount of the fine was based on several factors, and took into account the efforts made by the controller throughout the procedure to become GDPR compliant.
Comment[edit | edit source]
The DPA also investigated breaches of Articles 12 and 21 GDPR, which were determined by the investigation service. However, the DPA did not follow its investigation service in these instances and held that the controller did not violate these articles.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.