In that case, is a YouTuber liable for the GDPR failings of Google? Of course they aren’t. It’s the same here.

Is McDonald’s liable for the GDPR failings of X? They have an account with their name and brand on it. They even pay X for a golden checkmark.

Is Taylor Swift or UGM liable for the GDPR failings of Spotify?

Are individual eBay sellers liable for the GDPR failings of eBay.

I could go on, but you don’t quite seem to realise what the implications of what you’re saying are if they are true. You’re basically making every user liable for any GDPR on any service that collects any data. This isn’t the case, or businesses wouldn’t use these services.

Except that’s not how it’s working here. The only “contract” is the EULA that the developer agrees to when creating their discord account.

The developer doesn’t collect or store the data, nor have they entered an agreement with discord for them specifically to collect this data. The game developer does not sell access to the discord server (a violation of the EULA). All they have done is use a feature on Discord, available to every user and bound to the terms of both the EULA and Discord’s privacy policy.

If what you said was true, then any individual that enables the highest level of protection on any server of any size would end up being liable. This simply is not true. It would also mean that the lowest setting would also leave them liable as an email is stored, which is also not true.

It would also be incredibly hard to determine exactly what they’re liable for. Is it all the users who have Discord? All the members in their server? What if a user is in multiple servers with phone/email verification turned on?

Discord collects this information as part of their service for their verification purposes, including 2FA. The implication for the developer is nothing more than a flag on an account.

The difference between the developer and Microsoft/Amazon is that those two companies, while yes they don’t store it on their own servers, collect the data for use in their services for their profit for services they sell, run ads on, or collect more data to sell on. The game developer does not run discord, they do not sell discord, they have little agency over that server in discord, and is a service that discord provides. The game developer could pull out at any point and the service would still exist because it is not theirs.

TL;DR - The developer is not liable in the same way that X users aren’t liable for people who verify their phone number following them. It’s not their service, and the Discord EULA and Privacy Policy apply.

But it’s not the game dev that handles the information, so the game studio wouldn’t be at fault. The game dev never gets that info so isn’t storing anything. Discord would be liable for any GDPR infractions.

But here’s the thing - side loading, even on android, is an opt-in feature. The user has to actively go out of their way to sideload an app. Even if an app tries to do it behind your back, you must first enable its ability to do so.

Yes, this doesn’t exist when ADB is involved, but in that case you have to go out of your way to enable USB debugging (and be stupid enough to plug your phone into someone else’s computer). The vast majority of iPhones will never have sideloading enabled by their users. The EU isn’t grabbing their balls and saying that all users must have it enabled by default, otherwise they’d be going after Android too.