
Shocking Revelation: Fitbit Faces Three Alarming Data Transfer Complaints in Europe!

Fitbit, owned by Google, is facing three privacy complaints in the European Union for allegedly illegally exporting user data in violation of the bloc’s data protection rules. The complaints argue that Fitbit is forcing users to provide consent for data exports that do not meet the required legal standards. The company is also accused of not providing adequate information to users about the transfers of their data, preventing them from giving informed consent as required by the GDPR. Fitbit users are also unable to withdraw consent without deleting their accounts. The European privacy rights nonprofit noyb has filed the complaints on behalf of three Fitbit users, targeting data protection authorities in Austria, the Netherlands, and Italy. The complaints also question the validity of Fitbit’s reliance on consent for routine transfers of sensitive data. While the European Commission adopted a new data transfer adequacy agreement with the US, Fitbit does not claim to rely on this framework for EU user data exports.

—————————————————-


Fitbit, owned by Google, is facing a trio of privacy complaints in the European Union alleging the company is illegally exporting user data in violation of the bloc’s data protection rules.

The complaints target Fitbit’s claim that users have consented to international transfers of their information (to the United States and elsewhere), arguing that the company is forcing users to provide consent that does not meet the required legal standard.

The EU General Data Protection Regulation (GDPR) sets out a set of rules for how local user information can be used, including the requirement that data processors have a valid legal basis to process data from people and establish controls on data exports. Violations of the regime can carry financial penalties of up to 4% of the offender’s global annual turnover.

The legal basis that Fitbit claims for exporting user data from the EU (consent) must meet certain standards to be valid. In short, it must be informed, specific and free. But the complaints argue that Fitbit is illegally forcing consent, as users who want to use products and services they have paid for are given no choice but to consent to data exports in order for the products to work.

The complaints also allege that Fitbit is not providing adequate information to users about the transfers of their data, which means that they cannot give their informed consent either, as required by the GDPR. They also note that Fitbit users cannot withdraw consent as they should be able to under the GDPR, short of deleting their Fitbit accounts and losing all their recorded workouts, which means that Fitbit users face a penalty on their product experience for revoking consent.

The European privacy rights nonprofit noyb has filed complaints with the data protection authorities of Austria, the Netherlands and Italy on behalf of three (unidentified) Fitbit users.

In a statement, Maartje de Graaf, a data protection lawyer at noyb, said: “First, you buy a Fitbit watch for at least €100. You then sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to share your data with recipients around the world. Five years after GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”

noyb has been behind dozens of successful GDPR complaints in recent years, including a series of strikes against Meta (Facebook) that recently led the company to announce that it will finally switch to asking local users for consent to the tracking and profiling that drives its primary behavioral advertising targeting. So noyb’s strategic litigation is always worth watching.

“By creating an account with Fitbit, European users are required to ‘agree to the transfer of their data to the United States and other countries with different data protection laws.’ This means that your data could end up in any country in the world that does not have the same privacy protections as the EU,” noyb writes in a press release announcing the Fitbit complaints. “In other words: Fitbit forces its users to consent to sharing sensitive data without giving them clear information about the potential implications or the specific countries their data is going to. This results in consent that is neither free, informed nor specific, which means that the consent clearly does not meet the requirements of the GDPR.”

“Under Fitbit’s privacy policy, the data shared doesn’t just include things like the user’s email address, date of birth, and gender. The company can also share data such as food, weight, sleep, water records or female health monitoring; an alarm; and messages in discussion forums or to your friends on the Services. The collected data may even be shared for processing with third-party companies whose location we do not know,” it continues. “In addition, it is impossible for users to know what specific data is affected. The three complainants exercised their right of access to information before the company’s Data Protection Officer, but never received a response.”

The complaints also question the validity of Fitbit’s reliance on consent for what are routine transfers of sensitive data out of the bloc.

“The GDPR clearly states that consent can only be used as an exception to the prohibition on data transfers outside the EU, which means that consent can only be a valid legal basis for occasional and non-repetitive data transfers. Fitbit, however, routinely uses consent to share all health data,” suggests noyb, arguing that Fitbit’s transfers are “clearly systematic” and also questioning whether they can “pass the strict necessity test,” given the amount of personal data (including some sensitive data) that is commonly exported.

While the EU’s executive body, the European Commission, adopted a new data transfer adequacy agreement with its American counterparts last month (a high-level agreement that aims to reduce legal risks around transatlantic data flows), noyb notes that Fitbit does not claim to rely on this so-called EU-US Data Privacy Framework for EU user data exports.

“Fitbit does not state in its privacy policy or anywhere else that it transfers data under the new framework, but instead states that it uses consent and SCCs [standard contractual clauses] as ‘transfer mechanisms,’” de Graaf told TechCrunch. “Fitbit is also not certified under the Data Privacy Framework.

“Other than that, it’s only a matter of time until noyb challenges the validity of the new framework before the CJEU [Court of Justice of the EU]. The fundamental problems with American surveillance laws still exist.”

noyb confirmed that it expects the three complaints to be redirected to Google’s main EU data protection watchdog, the Irish Data Protection Commission (DPC), in line with the GDPR’s one-stop-shop mechanism to expedite cross-border complaints.

In early 2019, Google changed the legal jurisdiction from where it processes the data of European users, from the US to its Dublin-based entity, Google Ireland Limited. This led to its European headquarters gaining what is known as principal establishment status under the GDPR, meaning that primary oversight of Google’s compliance with the EU’s flagship data protection regime falls to the Irish DPC. (Before that, Google was hit with an early enforcement of the GDPR in France related to elements of how its Android smartphone operating system operated.)

The Irish regulator continues to come under fire for its slow pace, circuitous routes, or just a complete lack of enforcement against the tech giants. This includes a number of major GDPR complaints directed at Google, such as one focused on Google location tracking (which the DPC opened in February 2020), and another on Google’s advertising technology (which the Irish regulator launched in May 2019). None of those investigations into aspects of Google’s business have yet produced a decision in Ireland. And in the case of the latter investigation, the DPC was in fact sued by the whistleblowers last year, who accused the regulator of not investigating the merits of the complaint.

In the case of recent major noyb attacks on Meta/Facebook, the DPC has also been accused of impeding law enforcement by siding with Meta’s arguments on legal grounds, a finding that has been reversed by other EU DPAs and the European Data Protection Board (EDPB) through an objection and review process integrated into the GDPR.

So given the DPC’s track record of overseeing big tech, it seems unlikely that this trio of Fitbit complaints will have a quick outcome, even as GDPR enforcement in general has been gaining some momentum, thanks to a growing body of clarifying CJEU rulings in the more than five years since it came into force.

If noyb’s complaints against Fitbit trigger an investigation by the DPC (and GDPR violations are confirmed in the future), Google could face billions of dollars in fines, given that its parent company Alphabet saw its annual revenue reach 283 billion dollars last year. (noyb suggests it could be forced to pay fines of up to €11.28 billion if the breaches are confirmed.)

Although, once again, the DPC has not only avoided imposing the maximum possible penalties for major GDPR violations by big tech companies; its draft decisions have also frequently included lower sanctions than other EU DPAs (and the EDPB) consider appropriate, leading to interventions under the regulation’s dispute resolution mechanisms that have often raised the level of sanctions finally applied in Ireland, even though these interventions have usually added many additional months to the enforcement timelines. So expect any enforcement of these complaints to be a marathon, not a sprint.

Fitbit targeted with trio of data transfer complaints in Europe


—————————————————-