Could Discord share my personal data to a Chinese company?
13 July 2022 — A Discord user had asked whether their personal data could be shared to Tencent.
Disclaimer: This article is a reproduction of a Discord post I wrote in an informal capacity and thus will not have been fact-checked. Moreover, the legal situation regarding EU-US data transfers has since changed. Read this article with a critical lens (like you should with anything on the internet).
The answer is ça dépend (like for everything in law).
The GDPR protects personal data, which is data that can identify a person or make them identifiable. That kind of user information would include names, addresses, card details, and (potentially) IP addresses.
If Discord wants to send that data to Tencent, it will need:
A lawful basis for processing — in other words, why is Discord sending that data to Tencent? That could be because it had the consent of the users, etc. Most businesses rely on the nebulous "legitimate interests" ground since it's the least hassle. In any case, Discord would have to send a minimal amount of data for the purposes it does for its shareholders (data minimisation) if it does.
If they are sending it to shareholders in China, Discord would also need to follow "Chapter V" rules. Basically, the GDPR is really really strict about international data flows. If the EU's highest court has previously ruled that sending EU data to the US was illegal because of the US' non-existent privacy laws,1 then I doubt you can make a strong case to send data to China without a strong exception (e.g. buying something from a Chinese online shop). Sending data to shareholders is probably not one that will be covered unless every Discord user explicitly consents (and is made clear what they are consenting to).
So, as we've seen, the GDPR is a headache for Discord. The far likelier thing you would do is anonymise the data so that you can't trace the data back to any single individual. You would collate the statistics into a spreadsheet and then send that off. Shareholders are unlikely to want a list of every IP address of every person, they just want general stats of how the platform is performing.
For your information, collating that spreadsheet and anonymising the data is itself processing. So Discord will still need a lawful basis. Still, they'd be able to argue legitimate interests far more easily since collecting data for use in shareholder meetings is common for businesses. Its impact on user privacy is minimal compared to its business interests (legitimate interest is a balancing exercise).
Anonymised data is not protected under the GDPR so nothing (to my knowledge) would stop Discord from sending that data to Tencent (and subsequently to the Chinese government, which may be mandated under Chinese cyberspace law).
TL;DR Discord isn't gonna be sending your credit card info, address, full name, and message logs to their Tencent shareholders (or it wouldn't be very legal) — but it can use your data to make some broad statistics (where it can't individually identify you) and then send it over to their shareholders under UK/EU data protection law. This level of protection only applies to UK/EU citizens. Americans are left to sort it out themselves.
It is more complicated than that, but that's the general gist — see Schrems I and Schrems II.