Summary
None of Your Business (NOYB), the Vienna-based privacy advocacy group co-founded by Maximilian Schrems, has filed complaints against Fitbit in Austria, the Netherlands, and Italy, alleging violations of EU data privacy regulations.
Acquired by Google in 2021 for 1.2 bn, Fitbit is one of the most popular smartwatch makers. Its devices track activities such as heart rate, steps taken, fitness, and sleep cycles, and sync that data to the mobile application for easy access. Fitbit requires information such as name, email address, password, date of birth, gender, and weight, and also invites users to log data on food, water, and female health tracking. This is highly sensitive data.
“Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.” - Bernardo Armentano, data protection lawyer, NOYB (Source: NOYB)
NOYB stated that, when creating a Fitbit account, one of its members found that the company had declared in September 2018 that it would share user data overseas and internationally. This was imposed as a compulsory term and condition, which violates the European Union’s data privacy regulation, the General Data Protection Regulation (GDPR).
The GDPR explicitly stipulates that consent can serve as an exemption from the restriction on data transfers outside the EU, but only for occasional and non-repetitive transfers. Fitbit, on the other hand, routinely relies on consent as the legal basis for sharing all health data, deviating from this guideline.
“We operate internationally and transfer information to the United States and other countries for the purposes described in this policy. We rely on multiple legal bases to lawfully transfer personal data around the world. These include your consent, the EU-US and Swiss-US Privacy Shield, and EU Commission-approved model contractual clauses, which require certain privacy and security protections. Please note that the countries where we operate may have privacy and data protection laws that differ from, and are potentially less protective than, the laws of your country. You agree to this risk when you create a Fitbit account and click ‘I agree’ to data transfers, irrespective of which country you live in.” - Fitbit (Source: NOYB)
Despite updates to its terms and policies, both the 2019 and 2023 versions of Fitbit's privacy policy show that the requirement to grant consent for the transfer of personal data to third countries remains unchanged.
At present, Fitbit users can only revoke their consent by deleting their accounts entirely, which results in the loss of all their previously recorded workout and health data. Based on the previous year's revenue of Alphabet (the parent company of Google), regulators could impose a fine of up to 11.28 billion euros if the violations are upheld.
To learn more about NOYB, join the upcoming webinar between Max Schrems and Romain Gauthier later this month: