
    Published on September 4, 2023; last updated on September 4, 2023

    Expect to give up your data as a trade-off for using a Fitbit

    None of Your Business (NOYB), the Vienna-based privacy advocacy group co-founded by Maximilian Schrems, filed complaints against Fitbit in European countries such as Austria, the Netherlands, and Italy, alleging violations of EU data privacy regulations.

    Acquired by Google in 2021 for 1.2 bn, Fitbit is one of the most popular smartwatch makers. Its devices track metrics such as heart rate, steps taken, fitness activity, and sleep cycles, and sync the data to the mobile application for easy access. Fitbit requires information such as name, email address, password, date of birth, gender, and weight, and also invites users to log data on food, water, and female health tracking. This is highly sensitive data.

    “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”

    -Bernardo Armentano, data protection lawyer, NOYB (Source: NOYB)

    NOYB stated that while creating a Fitbit account, a member found out that the company had published in September 2018 that it would be sharing data and information overseas and internationally. This was under compulsory terms and conditions, which violates the European Union’s data privacy regulation, the General Data Protection Regulation (GDPR). 

    The GDPR explicitly stipulates that consent can serve as an exemption to the restriction on data transfers outside the EU, limited to occasional and non-repetitive transfers. Fitbit, on the other hand, routinely employs consent as the legal basis for sharing all health data, deviating from this guideline.

    "We operate internationally and transfer information to the United States and other countries for the purposes described in this policy. We rely on multiple legal bases to lawfully transfer personal data around the world. These include your consent, the EU-US and Swiss-US Privacy Shield, and EU Commission-approved model contractual clauses, which require certain privacy and security protections. Please note that the countries where we operate may have privacy and data protection laws that differ from, and are potentially less protective than, the laws of your country. You agree to this risk when you create a Fitbit account and click 'I agree' to data transfers, irrespective of which country you live in."

    -Fitbit (Source: NOYB)

    Despite the upgrades to its terms and policies, it is evident from both the 2019 and 2023 versions of Fitbit's privacy policies that the obligation to grant consent for the transfer of personal data to third countries remains unaltered.

    At present, Fitbit users can only revoke their consent by opting to delete their accounts entirely, resulting in the loss of all their previously recorded workout and health data. Considering Alphabet's (the parent company of Google) revenue from the previous year, regulatory bodies have the authority to impose a fine of as much as 11.28 billion euros if the violations are accepted. 


    Jivika Lillaney

    Content writer at Didomi. I am a digital creator who loves to explore the world and tick off things on my bucket list!