CNIL (France) - SAN-2022-020

From GDPRhub
Revision as of 11:06, 2 December 2022 by Kv
CNIL - Délibération SAN-2022-020
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 3(2)(a) GDPR
Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 13(2)(a) GDPR
Article 21 GDPR
Article 25(2) GDPR
Article 32 GDPR
Article 35(1) GDPR
Article 55(1) GDPR
Article 56 GDPR
Type: Investigation
Outcome: Violation Found
Started: 17.11.2020
Decided: 10.11.2022
Published:
Fine: 800,000 EUR
Parties: Discord
National Case Number/Name: Délibération SAN-2022-020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined an online communication platform €800,000 for several GDPR violations. Among other things, the controller did not have a data retention period in its privacy policy, provided incomplete information and failed to ensure data protection by default.

English Summary

Facts

The French CNIL (DPA) started an investigation into a company based in the United States (controller). The controller provided a free-of-charge online service that allowed users to communicate online in real time. The service also included instant messaging and options to create servers and text, voice and video rooms. The investigation service of the DPA (investigation service) identified several shortcomings on the controller's side.

• During the investigation, the controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French user accounts in the controller's database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure leading to this decision, the controller adopted a written data retention policy, which included deleting accounts after two years of user inactivity.

• The investigation service found that the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these retention periods. The controller also remedied this during the procedure.

• The investigation service also found that when a user logged into a voice room closed the controller's application window by clicking on the "X" icon at the top right of the window in Microsoft Windows, the application was merely put in the background and the user stayed logged in. However, in Microsoft Windows, clicking on the "X" at the top right of the last visible application window exits the application for the vast majority of applications.

• At the time of the online investigation, when creating an account, the controller accepted a password of six characters including letters and numbers. The controller adjusted this during the proceedings: it now required users to use a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters). Also, after ten unsuccessful login attempts, the controller now required a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.

• The investigation service had also determined that the controller considered it unnecessary to carry out a data protection impact assessment.

Holding

Competence of the DPA

The DPA determined that the controller processed personal data of French data subjects and held that the GDPR was applicable pursuant to Article 3(2)(a) GDPR, taking several factors into account. Among other factors, the DPA considered that almost all pages on the controller's website and in the controller's application were available in French, with the exception of the controller's privacy policy.

The DPA determined that it was competent to handle the case because the "one-stop shop" mechanism (Article 56 GDPR) did not apply, since the controller did not have an establishment on the territory of an EU Member State. Therefore, each national supervisory authority was competent to monitor GDPR compliance on the territory of its Member State (Article 55 GDPR) for processing operations carried out by the controller on data subjects residing in that Member State.

Failure to define and respect a data retention period appropriate to the purpose (Article 5(1)(e) GDPR)

The DPA confirmed that the controller did not have a written data retention policy at the time of the investigation. The DPA also confirmed that there were 2,474,000 French user accounts in the controller's database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The DPA held that this was a violation of Article 5(1)(e) GDPR, because the controller could not rely on the maintenance of a contractual relationship to indefinitely keep the accounts of users who were totally inactive but had not unsubscribed: the account had been created free of charge, and an inactive user who wished to use the service again could do so by recreating an account at any time.

Failure to comply with the obligation to provide information (Article 13 GDPR)

The DPA stated that at the time of the investigation, the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these periods. The DPA held that this was a violation of Article 13 GDPR, because retention periods were stated in a generic manner, without being sufficiently explicit.

Failure to ensure data protection by default (Article 25(2) GDPR)

The DPA also found a violation of Article 25(2) GDPR when analysing the "X" icon at the top right corner of the controller's Windows application. The DPA determined that the controller's application behaved differently from other Windows applications. Clicking the "X" button in the controller's application could lead to a situation where the user was still being heard by other members of the voice room while believing that the application had been closed. The DPA considered that the controller should specifically inform users by alerting them that their voice could still be heard by other members. The DPA stated that the user's personal data was communicated to third parties without the user necessarily being aware of this. The DPA noted that this setting, in the absence of sufficiently clear and visible information, presented significant risks for users, in particular of intrusion into their private life. The DPA stated that the user should either be informed in advance of this setting, or enable this setting himself/herself. During the procedure, the controller implemented a pop-up window that alerts users, when the window is closed for the first time, that the application is still running. The controller also informed the user that this setting can be changed.

Failure to ensure the security of personal data (Article 32 of the GDPR)

At the time of the online investigation, when creating an account on DISCORD, a password of six characters including letters and numbers was accepted. The restricted committee considered that DISCORD's password management policy was not sufficiently strong and restrictive to ensure the security of users' accounts. However, the company took steps during the procedure to secure access to accounts: it now requires users to set a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters), and, after ten unsuccessful login attempts, the company requires a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved.
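As an added illustration (not the company's code and not part of the decision), the following Python snippet implements the remediated rules recorded above: a minimum of eight characters drawn from at least three of the four character classes, and a captcha requirement once an account reaches ten consecutive failed logins. The function and class names are hypothetical, and the in-memory failure counter stands in for whatever store a real deployment would use.

```python
"""Password policy and failed-login throttling as recorded in SAN-2022-020.

Added example, not DISCORD's implementation: it encodes the remediated rules
the decision describes (>= 8 characters, >= 3 of 4 character classes, captcha
after 10 unsuccessful attempts) and shows that the original six-character
letters-and-digits rule does not satisfy them. All names are hypothetical.
"""
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8          # remediated minimum password length
MIN_CLASSES = 3         # at least three of the four character classes
CAPTCHA_THRESHOLD = 10  # captcha required after ten failed login attempts


def character_classes(password: str) -> set:
    """Return the subset of {lower, upper, digit, special} present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif not ch.isspace():
            classes.add("special")  # any other printable character
    return classes


def password_meets_policy(password: str) -> bool:
    """True if the password satisfies the remediated length and class rules."""
    return (len(password) >= MIN_LENGTH
            and len(character_classes(password)) >= MIN_CLASSES)


@dataclass
class LoginThrottle:
    """Consecutive failed-login counter per account (constructed, in-memory)."""
    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str) -> None:
        self.failures[account] = self.failures.get(account, 0) + 1

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)  # a successful login resets the counter

    def captcha_required(self, account: str) -> bool:
        """Challenge the account once the threshold of failed attempts is reached."""
        return self.failures.get(account, 0) >= CAPTCHA_THRESHOLD
```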

Failure to carry out a data protection impact assessment (Article 35 of the GDPR)

The controller considered that it was not necessary to carry out a data protection impact assessment. The restricted committee considered that the company should have carried out such an assessment, given the volume of data processed by the company and the use of its services by minors. During the procedure, the company carried out two impact assessments for its processing related to the DISCORD service and its core services, which concluded that the processing is not likely to result in a high risk to individuals' rights and freedoms.

Fine

On the basis of the findings from the investigations, the restricted committee (the CNIL body responsible for issuing sanctions) considered that the company had failed to comply with several obligations under the General Data Protection Regulation (GDPR). It imposed a fine of 800,000 euros on the controller. The amount of the fine was set in light of the breaches identified and the number of people concerned, but also took into account the efforts made by the company throughout the procedure to reach compliance and the fact that its business model is not based on the exploitation of personal data.

Comment

The DPA also investigated alleged breaches of Articles 12 and 21 GDPR, which were not upheld.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.