Three complaints were filed against the Google-owned health and fitness company Fitbit for forcing new users to consent to highly personal data transfers outside the EU.
The complaints in Austria, the Netherlands, and Italy were filed by Vienna-based non-profit organization noyb, working in the field of digital rights.
According to the organization, contrary to legal requirements, Fitbit users are obliged to “agree to the transfer of their data to the United States and other countries with different data protection laws.”
Processing highly personal data
The highly personal data can end up in countries outside the EU, that have different privacy regulations. Furthermore, the company gives itself the right to share the data for processing even with third-party companies without providing users with clear information about the possible implications of such data sharing.
The shared data not only includes the user’s email address, date of birth, and gender, but also data like logs for food, weight, sleep, water, or female health tracking, as well as messages on discussion boards or to your friends on the service. Furthermore, users can't find out which specific data is affected.
“First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to “freely” agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach,” said Maartje de Graaf, Data Protection Lawyer at noyb.
No way to withdraw consent
Furthermore, GDPR states that consent can only be a valid legal basis for occasional and non-repetitive data transfers. Fitbit, however, is using consent to share health-related data on a regular basis.
“Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law,” stated Bernardo Armentano, Data Protection Lawyer at noyb.
Billions in fines
noyb has requested the Austrian, Dutch, and Italian Data Protection Authorities (DPA) to order Fitbit to provide its users with complete information regarding data transfers.
Additionally, noyb insists that users be granted the ability to use the app without being compelled to provide consent for their data transfers.
Considering the previous year's revenue for Alphabet, the parent company of Google, the relevant authorities could potentially impose a fine amounting to as much as €11.28 billion.
More from Cybernews:
Subscribe to our newsletter