Introduction:
NOYB, the Vienna-based organization founded by privacy activist Max Schrems, has filed three complaints in against Fitbit. A popular health and fitness company acquired by Google in 2021. These three complaints were filed in three different countries, specifically Austria, the Netherlands and Italy. NOYB has already filed hundreds of complaints against major technology companies, ranging from Google to Meta, for privacy violations. Often resulting in large fines.
Why did NOYB file a complaint against Fitbit?
NOYB found that when creating an account, Fitbit requires European users to consent to the transfer of their data to the United States and numerous other countries. As a result, data subjects who use a Fitbit have no idea where their personal data ends up.
Fitbit is essentially forcing its users to consent to the sharing of sensitive data without giving them clear information about the potential implications or the specific countries their data is going to. Therefore, one cannot be sure if the personal data is processed in a country with adequate data protection.
Insufficiently Clear and Honest Consent for Data Sharing
The data collected was even shared with outside companies whose whereabouts the data subject does not know. Moreover, it is impossible for users to identify the specific data involved. Fitbit’s DPO also failed to provide data subjects with a clear answer.
This results in consent that is not free, informed or specific. So this consent clearly does not meet the requirements set forth in the GDPR.
A Deep Dive into Privacy Concerns
In addition, it is also very sensitive information that is shared. According to Fitbit’s privacy policy, the data shared included not only things like a user’s email address, date of birth and gender, but also data such as logs tracking food intake, weight, sleep patterns and water intake of those involved, messages posted by those involved on discussion boards and even private messages to friends. The latter is possible because a Fitbit device can receive notifications from users’ nearby phones.
A Violation of GDPR Rules.
There is also the fact that the only way data subjects can withdraw their consent is to delete their account. This is so described in Fitbit’s privacy statement.
For consumers, this means losing all their previously tracked workouts and health data. While this data is the reason why many buy a Fitbit, there is no realistic way to regain control of your data without rendering your product unusable.
In other words, Fitbit fails to give data subjects the opportunity to withdraw their consent in a manner consistent with the provisions of the GDPR.
In doing so, such large data transfers, which Fitbit currently performs, are not permitted. This means that even if there were a way to revoke consent, Fitbit would still not comply with the GDPR.
Indeed, the GDPR clearly states that consent can only be used as an exception to the ban on data transfers outside the EU. As a result, “consent” can only be a valid legal basis for incidental and non-repetitive data transfers.
However, Fitbit uses this consent to routinely share all health data of data subjects.
What does NOYB want to achieve?
NOYB wants Fitbit to be forced to share all mandatory information about the data transfers with its users and allow them to use Fitbit without being required to consent to the transfers. Fitbit will thus have to change its privacy policy so that deleting the account is no longer the only way for data subjects to withdraw their consent.
What consequences could these charges have for Fitbit
If Noyb’s complaints against Fitbit trigger an investigation by data protection authorities and the violations of the GDPR are later confirmed, it could have major implications for Fitbit. Fines for violating GDPR rules can amount to 4% of a company’s annual global turnover. Google’s annual revenue in 2022 was a whopping $280 billion. Noyb suggests Fitbit could risk fines of up to 11.28 billion euros if the breaches are confirmed.
Get your GDPR in order quickly and affordably?
Then click on GDPR Subscriptions!