"Fitbit targeted with trio of data transfer complaints in Europe", 31 August 2023

Google-owned Fitbit is facing a trio of privacy complaints in the European Union which allege the company is illegally exporting user data in breach of the bloc’s data protection rules.

The complaints target Fitbit’s claim that users have consented to international transfers of their information — to the US and elsewhere — arguing the company is forcing consent from users which does not meet the required legal standard.

The lawful basis being claimed by Fitbit to export EU users’ data — consent — needs to meet certain standards to be valid. In short, it must be informed, specific and freely given. But the complaints argue Fitbit is illegally forcing consent since users wanting to use products and services they have paid for have no choice to consent to the data exports in order for the products to work.

The complaints also allege Fitbit is failing to provide adequate information to users regarding transfers of their data — meaning they also cannot provide informed consent, as the GDPR requires. They also highlight that Fitbit users are unable to withdraw consent as they should be able to under the GDPR — short of deleting their Fitbit accounts and losing all their tracked workouts. Which means Fitbit users face having their product experience penalized for revoking consent. 

European privacy rights not-for-profit, noyb, has filed the complaints with data protection authorities in Austria, the Netherlands and Italy on behalf of three (unnamed) Fitbit users.

Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb, said: “First, you buy a Fitbit watch for at least €100. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”

While the EU’s executive body, the European Commission, adopted a new adequacy data transfer agreement with US counterparts last month — a high level deal which aims to shrink the legal risks around transatlantic data flows — noyb notes that Fitbit is not claiming to rely on this so-called EU-US Data Privacy Framework for EU users’ data exports.

“Apart from that, it is only a matter of time until noyb will be challenging the validity of the new framework before the CJEU [Court of Justice of the EU]. The fundamental problems with US surveillance laws still exist.”

noyb confirmed it expects the three complaints to be funnelled back to Google’s lead data protection watchdog in the EU, Ireland’s Data Protection Commission (DPC), in line with the GDPR’s one-stop-shop mechanism for streamlining cross-border complaints.

..., given the DPC’s record on oversight of big tech, a swift outcome to this trio of Fitbit complaints seems unlikely — even as enforcement of the GDPR more generally has been gathering some momentum, thanks to a growing body of clarifying CJEU rulings in the five+ years since it came into application.

If noyb’s complaints against Fitbit trigger an investigation by the DPC — and GDPR infringements are confirmed down the line — Google could face fines in the billions of dollars given its parent company, Alphabet, saw its annual revenue reach $283BN last year. (noyb suggests it could be on the hook for fines of up to €11.28BN if the breaches are confirmed.)