The fine of Euro 800000/- imposed by CNIL on the US-based Discord.com is an instance where the supervisory authority conducted its own online inspection, without any complaint about a data breach, and arrived at a fine for a relatively low-risk contravention.
The fine, imposed on 10th November 2022, was a reminder to the industry that even without any breach-related complaint, CNIL could on its own look for non-compliance and impose fines.
The breach identified was the lack of a written “Data Retention policy” as required under Article 5.1.e. As a result, the investigation found that the data of 2,474,000 French users remained in the database even though the accounts had not been used for more than 3 years, and that 58000 accounts had not been used for more than 5 years. (P.S.: During the investigation, the company introduced a policy to delete the information after 2 years.)
CNIL further identified an associated Article 13 breach (not providing information to the data subject), since there was no policy on data retention.
Yet another breach identified was a deficiency in the implementation of data protection by default (Article 25.2). The observation in this regard was that when a user wanted to close the voice chat and clicked on the X mark on the window, the application was only sent to the background and not exited. (P.S.: During the investigation, the company introduced, as a compliance measure, a pop-up indicating that the voice chat window is still running in the background.)
Another issue found by CNIL was that the password policy allowed the use of 6-letter passwords and did not mandate complex passwords with a mix of lower case, upper case and special characters. (P.S.: During the investigation, the company complied with the requirement.)
Further, CNIL found fault with Discord.com for not having conducted a DPIA; given the volume of data handled, it should have conducted one. (P.S.: The company then conducted two DPIAs and concluded that the processing is not likely to result in a high risk to individuals’ rights and freedoms.)
The incident indicates that CNIL can conduct its own online inspections and initiate action against companies, and it would be wise for foreign companies providing services in the GDPR region to set aside suitable insurance coverage (if available) or provisions to meet such demands, treating them as if they were a GDPR tax.
Naavi