Wednesday, December 11, 2024
Discord Fined 800,000 Euros for Data Retention and Access Control Failures

Discord was fined 800,000 euros for data retention and access control failures. The social media platform is facing a fine and condemnation from a French privacy watchdog, which identified failures to define and adhere to a data retention policy and to keep users’ data secure.

According to CNIL, the French Data Protection Authority, Discord failed to adhere to several obligations of the European General Data Protection Regulation (GDPR) involving providing secure access control systems and data retention policies. This resulted in an 800,000 euro fine being levied against the social media company on 10 November 2022.

The CNIL reached the fine amount after considering the amount of data exposed, the number of people affected, and the efforts Discord has made to rectify the problems.

Discord Kept the Personal Details of Users for Up to Five Years After They Stopped Using Their Accounts

Over 2 million French users’ details were still on the Discord system three years or more after they stopped using their accounts. The watchdog also discovered that 58,000 users’ details were still saved on the system after their accounts had gone unused for five years.

Following this report, Discord has committed to deleting user accounts and personal details after two years of account inactivity and formulated a written data retention policy for their user details.

Discord Password Security Process Was Also Criticised

Discord was also criticized for the security of its password policy. At the time of the CNIL investigation, the social media giant only required letters and numbers to set a password. The organization has since updated its password policy to require more complicated and secure user passwords, including special characters.

The organization has also implemented a password security feature whereby a captcha is presented to the user after ten unsuccessful login attempts.

Discord Users Were Still Audible to Other Users After Closing Voice Room Application

The French Data Security Organisation also found that Discord users would remain logged into the voice room feature even after closing the application. Although clicking the “X” on most applications in Microsoft Windows results in logging off from the application, Discord’s application did not behave the same way. This could result in users’ private conversations being heard by other Discord users without their knowledge.

Discord now shows a pop-up window the first time a user connected to a voice room closes the app, notifying them that the app will still be running and that they need to adjust their settings to change this.

The Social Media Company Did Not Undertake Data Protection Impact Assessments

CNIL also reported that Discord had not found it necessary to conduct a data protection impact assessment. It found that this assessment should have been carried out given the sheer amount of personal data being stored and the heavy use of the application by children.

Discord has since conducted two data protection impact assessments on its access control network and core services. Following these assessments, they have concluded that their current processes are unlikely to present a “high risk” for users’ freedoms and rights.

 
