Expect to give up your data as a trade-off for using a Fitbit
Giving up your data: a fair trade-off for using a Fitbit?

Published September 4, 2023
by Jivika Lillaney

Summary

    None of Your Business (NOYB), the Vienna-based privacy advocacy group co-founded by Maximilian Schrems, has filed complaints against Fitbit in European countries such as Austria, the Netherlands, and Italy for violating EU data privacy regulations.

    Acquired by Google in 2021 for 1.2 bn, Fitbit is one of the most popular smartwatch makers. Its devices track activity such as heart rate, steps taken, fitness, and sleep cycles, and sync the data to a mobile application for easy access. Fitbit requires information such as name, email address, password, date of birth, gender, and weight, and also invites users to log data on food, water, and female health tracking. This is highly sensitive data.

    “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”

    -Bernardo Armentano, data protection lawyer, NOYB (Source: NOYB)

    NOYB stated that while creating a Fitbit account, a member found out that the company had published in September 2018 that it would be sharing data and information internationally. Agreeing to this was a compulsory part of the terms and conditions, which violates the European Union’s data privacy regulation, the General Data Protection Regulation (GDPR).

    The GDPR explicitly stipulates that consent can serve as an exemption to the restriction on data transfers outside the EU, but only for occasional and non-repetitive transfers. Fitbit, on the other hand, routinely relies on consent as the legal basis for sharing all health data, deviating from this guideline.

    "We operate internationally and transfer information to the United States and other countries for the purposes described in this policy. We rely on multiple legal bases to lawfully transfer personal data around the world. These include your consent, the EU-US and Swiss-US Privacy Shield, and EU Commission-approved model contractual clauses, which require certain privacy and security protections. Please note that the countries where we operate may have privacy and data protection laws that differ from, and are potentially less protective than, the laws of your country. You agree to this risk when you create a Fitbit account and click "I agree" to data transfers, irrespective of which country you live in."

    -Fitbit (Source: NOYB)

    Despite the updates to its terms and policies, both the 2019 and 2023 versions of Fitbit's privacy policy show that the obligation to grant consent for the transfer of personal data to third countries remains unaltered.

    At present, Fitbit users can only revoke their consent by deleting their accounts entirely, which means losing all their previously recorded workout and health data. Based on the previous year's revenue of Alphabet (the parent company of Google), regulatory bodies have the authority to impose a fine of as much as 11.28 billion euros if the violations are confirmed.
