Fitbit allegedly ‘forces’ users to consent to sharing sensitive user data with countries outside the EU, according to privacy group NYOB.
NYOB, the digital privacy rights group founded by Max Schrems, has filed three complaints against Fitbit in Austria, Italy and the Netherlands today (31 August) for allegedly violating GDPR.
The group claims that Fitbit, which was acquired by Google in 2021, “forces new users of its app to consent to data transfers outside the EU”.
“Contrary to legal requirements, users aren’t even provided with a possibility to withdraw their consent. Instead, they have to completely delete their account to stop illegal processing,” reads a statement from NYOB, which stands for None of Your Business.
According to the complaint, European users who create a Fitbit account are obliged to agree to the transfer of their data to the US and other countries with different data protection laws.
NYOB sees this as an instance of Fitbit forcing users to consent to sharing sensitive data “without providing them with clear information” about possible implications or the specific countries their data goes to – which goes against European GDPR rules.
“First, you buy a Fitbit watch for at least 100 euro. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world,” said Maartje de Graaf, a data protection lawyer at the group.
“Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”
EU-US data transfers have been the subject of contentious debate for years, more recently exacerbated by the striking down of the EU-US Privacy Shield framework. Last month, the European Commission announced an adequacy decision for safe data transfers with the US under a new EU-US Data Privacy Framework.
The decision followed commitments made by the US in October of last year, when US president Joe Biden signed an executive order detailing the steps the US would take to add further safeguards around EU data in order to enable transatlantic data flows.
NYOB also argues in its complaint that Fitbit makes it hard for people to withdraw their consent – a GDPR requirement – because the only way to withdraw consent is to delete the account. This means users risk losing all their previous workout and health data.
“Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world,” added Bernardo Armentano, another data protection lawyer at NYOB.
“Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”
Even if there was a way to withdraw consent, NYOB says Fitbit still wouldn’t comply with European privacy law.
“The GDPR clearly states that consent can only be used as an exception to the prohibition of data transfers outside the EU – which means that consent can only be a valid legal basis for occasional and non-repetitive data transfers,” the group wrote.
“Fitbit, however, is using consent to share all health data routinely.”