Your Fitbit is useless – unless you consent to unlawful data sharing
Vienna, Aug 31, 2023
Today, noyb filed three complaints against Fitbit in Austria, the Netherlands and Italy. The popular health and fitness company, acquired by Google in 2021, forces new users of its app to consent to data transfers outside the EU. Contrary to legal requirements, users aren’t even provided with a possibility to withdraw their consent. Instead, they have to completely delete their account to stop illegal processing.
No way around the transfer of personal data. When creating an account with Fitbit, European users are obliged to “agree to the transfer of their data to the United States and other countries with different data protection laws”. This means that their data could end up in any country around the globe that does not have the same privacy protections as the EU. In other words: Fitbit forces its users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to. This results in a consent that is neither free, informed nor specific – which means that the consent clearly doesn’t meet the GDPR’s requirements.
Maartje de Graaf, Data Protection Lawyer at noyb: “First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to “freely” agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”
Bernardo Armentano, Data Protection Lawyer at noyb: “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”
Massive data transfers not allowed. Even if there was a way to withdraw consent, Fitbit still wouldn’t comply with European privacy law. The GDPR clearly states that consent can only be used as an exception to the prohibition of data transfers outside the EU – which means that consent can only be a valid legal basis for occasional and non-repetitive data transfers. Fitbit, however, is using consent to share all health data routinely.
Romain Robert, one of the complainants: “Fitbit may be a nice app to track your fitness, but once you want to learn more about how your data is being handled, you are bound for a marathon.”
Potential billion dollar fine. noyb requests that the Austrian, Dutch and Italian DPAs order Fitbit to share all mandatory information about the transfers with its users and allow them to use its app without having to consent to the data transfers. Based on the turnover of Alphabet (Google’s parent company) last year, the competent authorities could also issue a fine of up to 11,28 billion euros.