by vore 1306 days ago

  Failure to ensure the security of personal data (Article 32 of the GDPR)
  At the time of the online investigation, when creating an account on DISCORD, a password of six characters including letters and numbers was accepted.

  The restricted committee considered that DISCORD's password management policy was not sufficiently strong and restrictive to ensure the security of users' accounts.
Kind of surprising the GDPR is so prescriptive about password requirements!
1 comment

Is it actually prescriptive, or does it say (in more legalese form) "use industry best practices to protect user data". Six characters is laughably bad and would fail pretty much any password requirements I've seen in the last decade (except for my credit union who only updated like 5 years ago after finally migrating to a better back end).
The GDPR is actually surprisingly understandable and 'plain English' (obviously, lawyers have their own interpretations of everything).

Key section is probably this one: https://gdpr-info.eu/art-32-gdpr/
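To make the thread's point concrete, here is an added example (not code from the original post, from Discord, or from the CNIL decision) that puts a rule of the kind the decision describes, "six characters including letters and numbers", next to a stricter acceptance check built on length plus a deny list, the approach NIST SP 800-63B recommends over composition rules. The thresholds (12 characters minimum, a 50-bit brute-force bound) and the tiny breached-password set are assumptions constructed for the example; a real deployment would check candidates against a full corpus such as HIBP Pwned Passwords.

```python
import math
import re
import unicodedata

# Constructed deny list standing in for a breached-password corpus; a real
# deployment would check the full corpus (e.g. HIBP Pwned Passwords).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "abc123", "letmein", "iloveyou"}


def weak_policy(password: str) -> bool:
    """Rule of the kind the decision describes: at least six characters with
    at least one letter and one digit. 'abc123' passes."""
    return (len(password) >= 6
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def entropy_upper_bound(password: str) -> float:
    """Bits needed to brute-force the password if every character were drawn
    uniformly from the character classes it uses. An upper bound only: a
    dictionary word scores well here, which is why the deny-list check exists."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def strong_policy(password: str, user_identifiers=(), min_length=12,
                  max_length=128, min_bits=50.0):
    """Return (accepted, reason). Length and a deny list rather than
    composition rules; thresholds are assumptions chosen for this example."""
    normalized = unicodedata.normalize("NFKC", password)
    lowered = normalized.lower()

    if len(normalized) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(normalized) > max_length:
        return False, f"longer than {max_length} characters"

    # Also catch the common mangling of a breached password with trailing digits.
    stem = re.sub(r"[0-9]+$", "", lowered)
    if lowered in BREACHED_PASSWORDS or stem in BREACHED_PASSWORDS:
        return False, "appears in breached-password list"

    for ident in user_identifiers:
        if ident and ident.lower() in lowered:
            return False, "contains a user identifier"

    if len(set(lowered)) <= 3:
        return False, "too few distinct characters"

    bits = entropy_upper_bound(normalized)
    if bits < min_bits:
        return False, f"estimated strength {bits:.0f} bits below {min_bits:.0f}"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["abc123", "Password1234", "aaaaaaaaaaaa", "correct horse battery staple"]:
        print(f"{pw!r}: weak={weak_policy(pw)} strong={strong_policy(pw)}")
```

Note that "Password1234" passes the weak rule and the 12-character length floor yet is still rejected, because stripping the trailing digits exposes a deny-listed stem; that is the gap a pure length-and-composition rule leaves open.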