Vienna-based advocacy group ‘Noyb’ has filed complaints against Google-owned Fitbit, alleging that it has violated the EU’s GDPR over illegal exporting of user data. 

Complaints In Three Countries

Noyb, which stands for ‘None Of Your Business’ (and was founded by privacy activist Max Schrems), filed three complaints against Fitbit: in Austria, the Netherlands and Italy.

Why? 

Noyb alleges that Fitbit forces users to consent to data transfers outside the EU, to the US and other countries (with different data protection laws), without providing users with the possibility to withdraw their consent, thereby potentially violating GDPR’s requirements. Noyb says that the only option users have to stop the “illegal processing” is to completely delete their Fitbit account. 

How Would This Go Against GDPR? 

There are several ways that this (alleged) practice by Google’s Fitbit could violate GDPR. For example: 

– GDPR mandates that consent must be freely given. If users are forced to agree to data transfers with no ability to withdraw, the consent is not freely given. 

– Under GDPR, users must be informed about how their data will be used and processed. If the data transfer is a condition that users cannot opt out of, then the consent cannot be considered specific or informed.

In relation to these points, Noyb says that because Fitbit (allegedly) forces users to consent to sharing sensitive data without providing them with clear information about the possible implications or the specific countries their data goes to, the consent is neither free, informed nor specific (as GDPR requires).

Sensitive Data 

GDPR also emphasises that only the data that is necessary for the intended purpose should be collected and processed. Fitbit forcing data transfers may violate this principle if the data being transferred is broader than what is strictly necessary for the service provided.

In relation to this, Noyb alleges that Fitbit’s privacy policy says that the shared data not only includes things like a user’s email address, date of birth and gender, but can also include “data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services”. This has raised concerns that, for example, shared menstrual tracking data could be used in court cases where abortion care is criminalised, especially considering that sharing this kind of data is not common practice even in specialised menstrual tracking apps.

Also, Noyb alleges that the collected Fitbit data can even be shared for processing with third-party companies whose locations are unknown, and that it is “impossible” for users to find out which specific data is affected.

‘Take It Or Leave It’ Approach? 

One other aspect of GDPR is that, to ensure users can change their mind, every person has the right to withdraw their consent. Noyb says that Fitbit’s privacy policy states that the only way to withdraw consent is to delete an account, which would mean losing all previously tracked workouts and health data, even for those on a premium subscription costing 79.99 euros per year. Noyb argues that this means that although people may buy a Fitbit for its features, there appears to be no realistic way to regain control of their data without making the product useless.

Maartje de Graaf, Data Protection Lawyer at Noyb, says: “First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”

Blank Cheque? 

Bernardo Armentano, Data Protection Lawyer at Noyb, says: “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.” 

Fine Could Be £ Billions 

According to Noyb, based on last year’s turnover of Alphabet (Google’s parent company), Google could face fines of up to 11.28 billion euros over Fitbit’s alleged data protection violations if the complaints are upheld by data regulators.

There appears to be no publicly available comment from Google about Noyb’s allegations at the time of writing this article. 

What Does This Mean For Your Business? 

When Google acquired Fitbit in 2021, some commentators noted that, in addition to expanding its move into wearables, it may also have been motivated by the lure of the health data of millions of Fitbit customers (potentially for profiling and advertising) and the ability to improve its competitive position in the lucrative healthcare tech space. It was also noted at the time that Fitbit’s corporate partnerships with insurance companies and corporate wellness programmes may have been attractive to Google.

Now, just a couple of years down the line, it’s the data aspect of the deal that appears to have landed Google in some hot water. Noyb’s complaints against Google-owned Fitbit could have a ripple effect that goes well beyond just a potentially hefty fine. With a penalty that could be up to 11.28 billion euros, the situation would have serious financial repercussions, and the case could set a precedent for how Google and other tech giants handle user data (especially sensitive health information), forcing them to change their global data policies.

It’s been noted, for example, in analyst GlobalData’s recent tech regulation report that data protection regulators look likely to continue closer scrutiny of companies in 2023, so there could be more trouble to come for other tech companies relating to which data they collect, how they share it, and around matters of consent. 

Some may argue that Google may, several years down the line from GDPR’s introduction, need to invest more resources in compliance to avoid facing similar allegations related to other products or services. 

For businesses that similarly rely on user data, this case is a wake-up call to thoroughly review their data collection and transfer policies to ensure they align with GDPR requirements. Businesses must offer clear, informed choices to users about how their data is used, especially if it crosses borders. The situation with Fitbit highlights the reputational damage and legal risks involved in “take it or leave it” approaches to data consent. If Fitbit’s alleged actions are deemed a violation of GDPR, it could trigger a domino effect, prompting closer scrutiny of other businesses that have similar policies.

For users of Fitbit and similar devices, this case could lead to more transparent data practices, potentially giving them greater control over their personal information. Reading about what may be happening to their extremely sensitive data may make users more cautious and discerning about the permissions they grant to these apps. Given the sensitive nature of the health data involved, ranging from sleep patterns to menstrual cycles, users may start to demand more robust privacy protections, and this case could also encourage users to seek alternatives that offer better data protection guarantees.

By Mike Knight
