abusesaffiliationarrow-downarrow-leftarrow-rightarrow-upattack-typeburgerchevron-downchevron-leftchevron-rightchevron-upClock iconclosedeletedevelopment-povertydiscriminationdollardownloademailenvironmentexternal-linkfacebookfiltergenderglobegroupshealthC4067174-3DD9-4B9E-AD64-284FDAAE6338@1xinformation-outlineinformationinstagraminvestment-trade-globalisationissueslabourlanguagesShapeCombined Shapeline, chart, up, arrow, graphLinkedInlocationmap-pinminusnewsorganisationotheroverviewpluspreviewArtboard 185profilerefreshIconnewssearchsecurityPathStock downStock steadyStock uptagticktooltiptwitteruniversalityweb

Cette page n’est pas disponible en Français et est affichée en English

Article

31 aoû 2023

Auteur:
Natasha Lomas, TechCrunch

EU: Google's Fitbit faces three privacy complaints which allege the company is illegally exporting user data in breach of the GDPR

"Fitbit targeted with trio of data transfer complaints in Europe", 31 August 2023

Google-owned Fitbit is facing a trio of privacy complaints in the European Union which allege the company is illegally exporting user data in breach of the bloc’s data protection rules.

The complaints target Fitbit’s claim that users have consented to international transfers of their information — to the US and elsewhere — arguing the company is forcing consent from users which does not meet the required legal standard.

The lawful basis being claimed by Fitbit to export EU users’ data — consent — needs to meet certain standards to be valid. In short, it must be informed, specific and freely given. But the complaints argue Fitbit is illegally forcing consent since users wanting to use products and services they have paid for have no choice to consent to the data exports in order for the products to work.

The complaints also allege Fitbit is failing to provide adequate information to users regarding transfers of their data — meaning they also cannot provide informed consent, as the GDPR requires. They also highlight that Fitbit users are unable to withdraw consent as they should be able to under the GDPR — short of deleting their Fitbit accounts and losing all their tracked workouts. Which means Fitbit users face having their product experience penalized for revoking consent. 

European privacy rights not-for-profit, noyb, has filed the complaints with data protection authorities in Austria, the Netherlands and Italy on behalf of three (unnamed) Fitbit users.

Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb, said: “First, you buy a Fitbit watch for at least €100. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”

While the EU’s executive body, the European Commission, adopted a new adequacy data transfer agreement with US counterparts last month — a high level deal which aims to shrink the legal risks around transatlantic data flows — noyb notes that Fitbit is not claiming to rely on this so-called EU-US Data Privacy Framework for EU users’ data exports.

“Apart from that, it is only a matter of time until noyb will be challenging the validity of the new framework before the CJEU [Court of Justice of the EU]. The fundamental problems with US surveillance laws still exist.”

noyb confirmed it expects the three complaints to be funnelled back to Google’s lead data protection watchdog in the EU, Ireland’s Data Protection Commission (DPC), in line with the GDPR’s one-stop-shop mechanism for streamlining cross-border complaints.

..., given the DPC’s record on oversight of big tech, a swift outcome to this trio of Fitbit complaints seems unlikely — even as enforcement of the GDPR more generally has been gathering some momentum, thanks to a growing body of clarifying CJEU rulings in the five+ years since it came into application.

If noyb’s complaints against Fitbit trigger an investigation by the DPC — and GDPR infringements are confirmed down the line — Google could face fines in the billions of dollars given its parent company, Alphabet, saw its annual revenue reach $283BN last year. (noyb suggests it could be on the hook for fines of up to €11.28BN if the breaches are confirmed.)

Informations sur la confidentialité

Ce site utilise des cookies et d'autres technologies de stockage web. Vous pouvez définir vos choix en matière de confidentialité ci-dessous. Les changements prendront effet immédiatement.

Pour plus d'informations sur notre utilisation du stockage web, veuillez vous référer à notre Politique en matière d'utilisation des données et de cookies

Strictly necessary storage

ON
OFF

Necessary storage enables core site functionality. This site cannot function without it, so it can only be disabled by changing settings in your browser.

Cookie analytique

ON
OFF

Lorsque vous accédez à notre site Web, nous utilisons Google Analytics pour collecter des informations sur votre visite. Autoriser ce cookie nous permettra de comprendre en plus de détails sur votre parcours et d'améliorer la façon dont nous diffusons les informations. Toutes les informations analytiques sont anonymes et nous ne les utilisons pas pour vous identifier. Outre la possibilité que vous avez de refuser des cookies, vous pouvez installer le module pour la désactivation de Google Analytics.

Cookies promotionels

ON
OFF

Nous partageons des nouvelles et des mises à jour sur les entreprises et les droits de l'homme via des plateformes tierces, y compris les médias sociaux et les moteurs de recherche. Ces cookies nous aident à comprendre les performances de ces items.

Vos choix en matière de confidentialité pour ce site

Ce site utilise des cookies et d'autres technologies de stockage web pour améliorer votre expérience au-delà des fonctionnalités de base nécessaires.