CNIL (France) - SAN-2022-020

From GDPRhub
Revision as of 14:21, 2 December 2022 by Kv
CNIL - Délibération SAN-2022-020
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 3(2)(a) GDPR
Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 13(2)(a) GDPR
Article 21 GDPR
Article 25(2) GDPR
Article 32 GDPR
Article 35(1) GDPR
Article 55(1) GDPR
Article 56 GDPR
Type: Investigation
Outcome: Violation Found
Started: 17.11.2020
Decided: 10.11.2022
Published:
Fine: 800,000 EUR
Parties: Discord
National Case Number/Name: Délibération SAN-2022-020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined an online communication platform €800,000 for several GDPR violations. Among other things, the controller did not have a data retention period in its privacy policy, provided incomplete information and failed to ensure data protection by default.

English Summary

Facts

The French CNIL (DPA) started an investigation into a company based in the United States (controller). This controller provided a free-of-charge online service that allowed data subjects to communicate online in real time. The service also included an option for instant messaging and options to create servers as well as text, voice and video rooms. The investigation service of the DPA (investigation service) identified several shortcomings on the controller's side.

• During the investigation, the controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French data subject accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure, the controller fixed this by adding a data retention policy, which described that the controller would delete data subject accounts after two years of data subject inactivity.

• The investigation service found that the information provided regarding data retention periods was incomplete: there were no specific periods or criteria for determining these retention periods. The controller also fixed this during the procedure.

• The investigation service also found an issue with the controller's application on Windows. When a data subject logged into a voice room closed the controller’s application window by clicking on the "X" icon at the top right of the application, the application would continue to run in the background and the data subject would stay logged in. However, in the majority of Microsoft Windows applications, clicking on the "X" at the top right of the last visible application window exits the application instead of keeping it running in the background. During the procedure, the controller implemented a pop-up window that alerts data subjects, the first time the window is closed, that the application is still running. The controller also informed the data subject that this setting can be changed.

• At the time of the online investigation, when creating an account, the controller accepted a password of six characters including letters and numbers. The controller also adjusted this during the proceedings: it required data subjects to use a password of at least eight characters, with at least three of the four character types (lower case, upper case, numbers and special characters). Also, after ten unsuccessful login attempts, the controller now required a captcha (question and answer, e.g. via a checkbox or an image selection) to be solved, which was previously not the case.

• The investigation service also determined that the controller considered that it was not necessary to carry out a data protection impact assessment. During the procedure, the controller carried out two impact assessments, in which it concluded that its processing is not likely to result in a high risk to individuals' rights and freedoms.
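The password bullet above describes two concrete policies (the six-character rule found during the inspection and the eight-character, three-of-four-classes rule adopted afterwards) plus a captcha trigger after ten failed logins. The following is an added illustration, not code from the CNIL decision or from the controller; the function names, the regular expressions for the character classes and the `LoginGuard` class are my own assumptions about how such rules would be expressed.

```python
import re
from dataclasses import dataclass, field

# Constructed example: the four character classes named in the decision
# (lower case, upper case, numbers, special characters).
CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

CAPTCHA_THRESHOLD = 10  # unsuccessful attempts before a captcha is required


def meets_original_policy(password: str) -> bool:
    """Policy found during the inspection: six characters including letters and numbers."""
    has_letter = any(CHARACTER_CLASSES[c].search(password) for c in ("lower", "upper"))
    has_digit = CHARACTER_CLASSES["digit"].search(password) is not None
    return len(password) >= 6 and has_letter and has_digit


def meets_remediated_policy(password: str) -> bool:
    """Policy adopted during the procedure: at least eight characters drawn
    from at least three of the four character classes."""
    classes_present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    return len(password) >= 8 and classes_present >= 3


@dataclass
class LoginGuard:
    """Counts consecutive failed logins per account; a captcha is demanded at the threshold."""
    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str) -> None:
        self.failures[account] = self.failures.get(account, 0) + 1

    def record_success(self, account: str) -> None:
        # A successful login resets the counter for that account.
        self.failures.pop(account, None)

    def captcha_required(self, account: str) -> bool:
        return self.failures.get(account, 0) >= CAPTCHA_THRESHOLD


def captcha_after_failures(n: int) -> bool:
    """Simulate n failed attempts on a fresh account and report whether a captcha is now required."""
    guard = LoginGuard()
    for _ in range(n):
        guard.record_failure("constructed-account")
    return guard.captcha_required("constructed-account")
```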

Holding

Competence of the DPA

The DPA determined that the controller processed personal data of French data subjects and held that the GDPR was applicable pursuant to Article 3(2)(a) GDPR, taking several factors into account. Among other factors, the DPA considered that almost all pages on the controller’s website and in the controller’s application were available in French, with the exception of the controller’s privacy policy.

The DPA determined that it was competent to handle the case because the "one-stop shop" mechanism (Article 56 GDPR) did not apply, since the controller did not have an establishment on the territory of an EU Member State. Therefore, each national supervisory authority was competent to monitor GDPR compliance on the territory of its Member State (Article 55 GDPR) for processing operations carried out by the controller on data subjects residing in that Member State.

Failure to define and respect a data retention period appropriate to the purpose (Article 5(1)(e) GDPR)

The DPA confirmed that the controller did not have a written data retention policy at the time of the investigation. The DPA also confirmed that there were 2,474,000 French data subject accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The DPA held that this was a violation of Article 5(1)(e) GDPR, because the controller could not rely on the maintenance of a contractual relationship to indefinitely keep the accounts of data subjects who were inactive but had not unsubscribed. The reason was that a new account could be created free of charge. Therefore, an inactive data subject who wished to use the service again could do so by creating a new data subject account.

Failure to comply with the obligation to provide information (Article 13 GDPR)

The DPA stated that at the time of the investigation, the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these periods. The DPA held that this was a violation of Article 13 GDPR, because retention periods were stated in a generic manner, without being sufficiently explicit.

Failure to ensure data protection by default (Article 25(2) GDPR)

The DPA also found a violation of Article 25(2) GDPR when analysing the “X” icon at the top right corner of the controller's Windows application. The DPA determined that the controller’s application behaved differently from other Windows applications. A data subject clicking the “X” button in the controller’s application could end up being heard by other members in the voice room while believing he/she had closed the application. The DPA considered that the controller should specifically inform data subjects by alerting them that their voice can still be heard by other members. The DPA stated that the data subject's personal data was communicated to third parties without the data subject necessarily being aware of this. The DPA noted that such a setting, in the absence of sufficiently clear and visible information, presented significant risks for data subjects, in particular of intrusion into their private life. The DPA stated that the data subject should either be informed in advance of this setting, or should enable this setting himself/herself.

Failure to ensure the security of personal data (Article 32 GDPR)

At the time of the online investigation, when creating an account on Discord, a password of six characters including letters and numbers was accepted. The DPA considered that the controller's password management policy was not sufficiently strong and restrictive to ensure the security of data subjects' accounts.

Failure to carry out a data protection impact assessment (Article 35 GDPR)

The controller previously considered that it was not necessary to carry out a data protection impact assessment. The DPA considered that the controller should have done so, given the volume of data processed and the use of the controller's service by minors.

Fine

The DPA imposed a fine of 800,000 euros on the controller. The amount of the fine was based on several factors, such as the number of data subjects concerned, the efforts made by the controller throughout the procedure to become GDPR compliant and the fact that the controller's business model was not based on the exploitation of personal data.

Comment

The DPA also investigated breaches of Articles 12 and 21 GDPR, which were not upheld by the DPA.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.