Discord's recent data breach exposed photo IDs used to verify users' ages. Should we blame the Online Safety Act, the Children's Code, or the UK GDPR? It's complicated. (Please excuse the unsightly cut on my forehead in this one).
While this breach probably just boils down to vendor security, I wanted to consider whether Discord was obliged to collect users' ID documents, and whether it should have been retaining them.
This story does involve some competing obligations under the OSA and the UK GDPR.
I think Discord was required to verify ages—not necessarily via photo ID, but I can see why they landed on that method.
And while it assures users that ID documents are deleted immediately after verification, this appears to only apply to the initial automated age assurance process, not the manual appeal procedure.
But that manual appeal procedure is arguably required under Article 22 UK GDPR, so it's hard to see a way around retaining this data for some period.
This isn't the last time we'll see this sort of data exposed. Resolving the tensions between these requirements means thinking things through very carefully, both in terms of data security and data protection.
By treborjnametab1