Vienna-based advocacy group "Noyb" has filed complaints against Google-owned Fitbit, alleging that it has violated the EU's GDPR over illegal exporting of user data.
Complaints In Three Countries
Noyb, which stands for "None Of Your Business" (and was founded by privacy activist Max Schrems), filed three complaints against Fitbit: in Austria, the Netherlands and Italy.
Why?
Noyb alleges that Fitbit forces users to consent to data transfers outside the EU, to the US and other countries (with different data protection laws), without providing users with the possibility to withdraw their consent, thereby potentially violating GDPR's requirements. Noyb says that the only option users have to stop the "illegal processing" is to completely delete their Fitbit account.
How Would This Go Against GDPR?
There are several ways that this (alleged) practice by Google's Fitbit could violate GDPR. For example:
- GDPR mandates that consent must be freely given. If users are forced to agree to data transfers with no ability to withdraw, the consent is not freely given.
- Under GDPR, users must be informed about how their data will be used and processed. If the data transfer is a condition that users cannot opt out of, then the consent cannot be considered specific or informed.
In relation to these points, Noyb says that because Fitbit (allegedly) forces users to consent to sharing sensitive data without providing them with clear information about the possible implications or the specific countries their data goes to, the consent is neither free, informed, nor specific (as GDPR requires).
Sensitive Data
GDPR also emphasises that only the data that is necessary for the intended purpose should be collected and processed. Fitbit forcing data transfers may violate this principle if the data being transferred is broader than what is strictly necessary for the service provided.
In relation to this, Noyb alleges that Fitbit's privacy policy says that the shared data not only includes things like a user's email address, date of birth and gender, but can also include "data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services". This has raised concerns that, for example, the sharing of menstrual tracking data could be used in court cases where abortion care is criminalised, especially considering that sharing this kind of data is not common practice even in specialised menstrual tracking apps.
Also, Noyb alleges that the collected Fitbit data can even be shared for processing with third-party companies whose locations are unknown, and that it is "impossible" for users to find out which specific data is affected.
"Take It Or Leave It" Approach?
One other aspect of GDPR is that, to ensure users can change their mind, every person has the right to withdraw their consent. Noyb says that Fitbit's privacy policy states that the only way to withdraw consent is to delete an account, which would mean losing all previously tracked workouts and health data, even for those on a premium subscription for 79.99 euros per year. Noyb argues that this means that although people may buy a Fitbit for its features, there appears to be no realistic way to regain control of their data without making the product useless.
Maartje de Graaf, Data Protection Lawyer at Noyb, says: "First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to 'freely' agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a 'take it or leave it' approach."
Blank Cheque?
Bernardo Armentano, Data Protection Lawyer at Noyb, says: "Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it's astonishing that it doesn't even try to explain its use of such data, as required by law."
Fine Could Be £ Billions
According to Noyb, based on Alphabet's (Google's parent company) turnover of last year, if the complaints are upheld by data regulators, Google could face fines of up to 11.28 billion euros over Fitbit's alleged data protection violations.
There appears to be no publicly available comment from Google about Noyb's allegations at the time of writing this article.
What Does This Mean For Your Business?
When Google acquired Fitbit in 2021, some commentators noted that, in addition to expanding its move into wearables, it may also have been motivated by the lure of the health data of millions of Fitbit customers (potentially for profiling and advertising) and the ability to improve its competitive position in the lucrative healthcare tech space. It was also noted at the time that Fitbit's corporate partnerships with insurance companies and corporate wellness programmes may have been attractive to Google.
Now, just a couple of years down the line, it's the data aspect of the deal that appears to have landed Google in some hot water. Noyb's complaints against Google-owned Fitbit could have a ripple effect that goes well beyond just a potentially hefty fine. With a penalty that could be up to 11.28 billion euros, the situation would have serious financial repercussions, and the case could set a precedent for how Google and other tech giants handle user data (especially sensitive health information), forcing them to change their global data policies.
It's been noted, for example, in analyst GlobalData's recent tech regulation report that data protection regulators look likely to continue closer scrutiny of companies in 2023, so there could be more trouble to come for other tech companies relating to which data they collect, how they share it, and around matters of consent.
Some may argue that Google, several years down the line from GDPR's introduction, may need to invest more resources in compliance to avoid facing similar allegations related to other products or services.
For businesses that similarly rely on user data, this case is a wake-up call to thoroughly review their data collection and transfer policies to ensure they align with GDPR requirements. Businesses must offer clear, informed choices to users about how their data is used, especially if it crosses borders. The situation with Fitbit highlights the reputational damage and legal risks involved in "take it or leave it" approaches to data consent. If Fitbit's alleged actions are deemed a violation of GDPR, it could trigger a domino effect, prompting closer scrutiny of other businesses that have similar policies.
For users of Fitbit and similar devices, this case could lead to more transparent data practices, potentially providing them with greater control over their personal information. Reading about what may be happening to their extremely sensitive data could make users more cautious and discerning about the permissions they grant to these apps. Given the sensitive nature of the health data involved, ranging from sleep patterns to menstrual cycles, users may start to demand more robust privacy protections, and this case could also encourage users to seek alternatives that offer better data protection guarantees.
By Mike Knight