The French supervisory authority, the National Commission on Informatics and Liberty (CNIL), has fined Discord, a popular VoIP and instant messaging social platform, for violating GDPR rules in the region. According to sources, the sanctions came after the authorities found flaws in the policies of the American company, including in storage limitation, transparency, privacy by default, security, and the obligation to carry out an impact assessment.
Among the list of violations, the authorities excoriated Discord for failing to keep the personal data of customers only “for a period not exceeding the achievement of the purposes for which they are processed” (Art. 5(1)(e) GDPR). After accounts that had not been used for more than 3 and 5 years were verified during the initial investigation, the absence of a deletion and retention procedure was a significant omission.
Discord sanctioned for a GDPR violation
The General Data Protection Regulation (GDPR) governs data protection and privacy in the European Union and the European Economic Area. Most websites, apps, and web applications must comply with GDPR to run their services efficiently. However, the American VoIP and instant messaging service provider failed to report the data processing at the time of the storage times (point 31 of the resolution).
Moreover, “privacy by default,” the primary data rule for the EU, was set up inaccurately: the application remained active even when the main window was closed. To put it more clearly, as CNIL notes, while clicking the “x” button in most Windows programs shuts them down, the “x” button in Discord puts the application in the background.
This raises the possibility that a speaker may have said something they believed to be private but which was shared with everyone else logged into the voice chat, according to CNIL.