European privacy rights group Noyb has filed three complaints with the data protection authorities (DPAs) in Austria, the Netherlands, and Italy on behalf of three Fitbit users, alleging that the Google-owned company forces new users of its app to consent to data transfers outside the EU.
Noyb asked the Austrian, Dutch, and Italian DPAs to order Fitbit to share all mandatory information about the transfers with its users and to allow them to use its app without having to consent to the data transfers.
Based on last year's turnover of Alphabet, Google's parent company, the competent authorities could also issue a fine of up to 11.28 billion euros, according to the complaint.
When creating an account with Fitbit, European users are obliged to “agree to the transfer of their data to the US and other countries with different data protection laws”.
This means that their data could end up in any country around the globe that does not have the same privacy protections as the EU.
“In other words, Fitbit forces its users to consent to share sensitive data without providing them with clear information about possible implications or the specific countries their data goes to,” according to the Noyb complaint.
This results in a consent that is neither free, informed, nor specific — which means that the consent clearly doesn’t meet the GDPR’s requirements. The collected data can even be shared for processing with third-party companies of which we do not know where they are located. Furthermore, it is impossible for users to find out which specific data is affected, reads the complaint.
“First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach,” said Maartje de Graaf, Data Protection Lawyer at Noyb.
Romain Robert, one of the complainants, said that “Fitbit may be a nice app to track your fitness, but once you want to learn more about how your data is being handled, you are bound for a marathon”.