Today, noyb filed three complaints against Fitbit in Austria, the Netherlands and in Italy. The popular health and fitness company, acquired by Google in 2021, forces new users of its app to consent to data transfers outside the EU. Contrary to legal requirements, users aren’t even provided with a possibility to withdraw their consent. Instead, they have to completely delete their account to stop illegal processing.
- noyb complaint with the Austrian DPA (DE)
- noyb complaint with the Dutch DPA (NL)
- English auto-translation of the complaint with the Dutch DPA
- noyb complaint with the Italian DPA (IT)
No way around the transfer of personal data. When creating an account with Fitbit, European users are obliged to “agree to the transfer of their data to the United States and other countries with different data protection laws”. This means that their data could end up in any country around the globe that does not have the same privacy protections as the EU. In other words: Fitbit forces its users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to. This results in a consent that is neither free, informed nor specific – which means that the consent clearly doesn’t meet the GDPR’s requirements.
Highly personal data. According to Fitbit’s privacy policy, the shared data not only includes things like a user’s email address, date of birth and gender. The company can also share “data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services”. The collected data can even be shared for processing with third-party companies whose locations we do not know. Furthermore, it is impossible for users to find out which specific data is affected. All three complainants exercised their right of access to information with the company’s Data Protection Officer – but never received an answer.
Maartje de Graaf, Data Protection Lawyer at noyb: “First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to “freely” agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”
Take it or leave it. To make sure users can change their mind, the GDPR also gives every person the right to withdraw their consent. At least in theory. Fitbit’s privacy policy states that the only way to withdraw consent is to delete an account. For consumers, this means losing all their previously tracked workouts and health data. This even applies if you buy a premium subscription for 79,99 euros per year. Although these features are the main reason to buy a Fitbit, there is no realistic way to regain control over your data without making your product useless.
Bernardo Armentano, Data Protection Lawyer at noyb: “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”
Massive data transfers not allowed. Even if there were a way to withdraw consent, Fitbit still wouldn’t comply with European privacy law. The GDPR clearly states that consent can only be used as an exception to the prohibition of data transfers outside the EU – which means that consent can only be a valid legal basis for occasional and non-repetitive data transfers. Fitbit, however, is using consent to share all health data routinely.
Romain Robert, one of the complainants: “Fitbit may be a nice app to track your fitness, but once you want to learn more about how your data is being handled, you are bound for a marathon.”
Potential billion-dollar fine. noyb asks the Austrian, Dutch and Italian DPAs to order Fitbit to share all mandatory information about the transfers with its users and to allow them to use its app without having to consent to the data transfers. Based on last year’s turnover of Alphabet (Google’s parent company), the competent authorities could also issue a fine of up to 11,28 billion euros.