Privacy advocacy group the European Centre for Digital Rights (NOYB) has filed a complaint against Google-owned Fitbit over its “unlawful” data collection and user consent practices.
Three complaints by Austria-based NOYB were filed to the Italian, Austrian and Dutch Data Protection Agencies (DPAs).
According to NOYB, there is no way around the illegal transfer of personal data to handlers outside of the EU which goes against GDPR. The group points to Fitbit’s user agreement which states that user data is transferred to the US and other unnamed countries with different data protection laws.
By “forcing” users to agree to this, NOYB alleges that the user consent collected by Fitbit is neither free, informed nor specific, which means that it does not follow GDPR guidelines.
Aside from not being GDPR compliant, NOYB also highlights that the data collected by Fitbit is highly personal and potentially identifiable.
Data including email addresses, gender and date of birth are all shared according to the complaint.
Health data that a user logs throughout the day, such as food consumption or menstrual tracking, can also be shared according to Fitbit’s privacy policy.
This raises major concerns, especially in the sharing of menstrual tracking data which could be used in court cases where abortion care is criminalised. Sharing this kind of data is also an uncommon practice amongst specific menstrual tracking apps.
Data protection lawyer at NOYB, Bernardo Armentano, likens the situation to signing a “blank check” that allows Fitbit to send your personal health data anywhere in the world.
“Given that the company collects the most sensitive health data,” Armentano explained, “it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”
In its recent thematic report into tech regulation, analyst GlobalData expects data protection regulators to continue harsh scrutiny of companies into 2023.
Although a recent EU-US Data Privacy Framework came into effect in July 2023, GlobalData predicts that it could soon be challenged in court by early to mid-September.
NOYB’s complaint to the Italian, Austrian and Dutch DPAs asks the agencies to request that Fitbit shares all mandatory information about data transfers with its users and allows users to opt out of such transfers.
Based on Google’s 2022 revenue, NOYB states that the company could face a GDPR fine of up to €11bn (US$12bn).
Verdict has reached out to Google for comment.