Google-owned Fitbit is facing three privacy complaints in the European Union, which allege the company is illegally exporting user data in violation of the bloc’s data protection rules.
The complaints target Fitbit’s claim that users consented to the international transfer of their information — to the United States and elsewhere — arguing that the company forces users to obtain consent that does not meet the required legal standards.
The European Union’s General Data Protection Regulation (GDPR) sets rules for how local users’ information is used, including requiring data processors to have a valid legal basis for processing people’s data and setting controls on data exports. Violations can result in financial penalties of up to 4% of the violator’s total global annual turnover.
The legal basis Fitbit relies on to export EU users’ data – consent – must meet certain criteria to be valid. In short, it must be informed, specific, and freely given. But the complaints say Fitbit illegally forces consent because users who want to use the products and services they paid for have no option but to consent to data exports in order for the products to work.
The complaints also allege that Fitbit fails to provide users with sufficient information regarding transfers of their data – which means users cannot give informed consent, as required by the GDPR. They also highlight that Fitbit users are unable to withdraw consent, as they should be able to under the GDPR, short of deleting their Fitbit accounts and losing all their tracked workouts. Which means Fitbit users face being penalized for revoking consent.
The complaints were filed by noyb, a European privacy rights non-profit, with the data protection authorities in Austria, the Netherlands and Italy on behalf of three (unnamed) Fitbit users.
Commenting on this, Maartje de Graaf, data protection lawyer at noyb, said: “First, you have to buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to share your data with recipients around the world. Five years after the GDPR, Fitbit is still trying to enforce a take-it-or-leave-it approach.”
noyb has been behind dozens of successful GDPR-related complaints in recent years — including a series of strikes against Meta (Facebook) that recently led to the company announcing that it would finally shift to requiring local users’ consent for the tracking and profiling that underpins its core behavioral ad targeting. So noyb’s strategic litigation is always worth watching.
“When creating a Fitbit account, European users are obligated to consent to the transfer of their data to the United States and other countries with different data protection laws.” This means that their data could end up in any country around the world that does not have the same privacy protections as the European Union. “In other words: Fitbit forces its users to consent to sharing sensitive data without providing them with clear information about the potential implications or the specific countries their data is going to. This results in consent that is not free, informed or specific – which means that the consent clearly does not meet the requirements of the General Data Protection Regulation.”
According to Fitbit’s privacy policy, the data shared includes not only things like a user’s email address, date of birth, and gender, but also “data like food, weight, sleep, hydration, or women’s health records; alarm clock; and messages on discussion boards or to your friends on the Services.” The data collected for processing may also be shared with third-party companies whose location is not disclosed. Furthermore, it is impossible for users to know what specific data has been affected. The three complainants exercised their right of access with the company’s data protection officer, but did not receive any response.
The complaints also question the validity of Fitbit’s reliance on consent for routine transfers of sensitive data outside the bloc.
“The GDPR clearly states that consent can only be used as an exception to the prohibition on data transfers outside the EU – which means that consent can only be a valid legal basis for occasional, infrequent data transfers. However, Fitbit uses consent to share all health data on a routine basis,” suggests noyb, arguing that Fitbit’s transfers are “clearly systematic” and also questioning whether they can “pass the strict necessity test,” given the amount of personal data (including some sensitive data) being routinely exported.
While the EU’s executive body, the European Commission, adopted a new adequacy decision on data transfers with its US counterparts last month — a high-profile deal aimed at reducing legal risks related to trans-Atlantic data flows — noyb points out that Fitbit does not claim to rely on this so-called EU-US Data Privacy Framework for EU user data exports.
“Fitbit does not state in its privacy policy or elsewhere that it transfers data under the new framework, but instead states that it uses consent and model contractual clauses [standard contractual clauses] as transfer mechanisms,” de Graaf told TechCrunch. “Fitbit is also not certified under the Data Privacy Framework.
“Apart from that, it’s only a matter of time until noyb challenges the validity of the new framework before the European Court of Justice [Court of Justice of the EU]. The fundamental problems with US surveillance laws remain.”
noyb confirmed that it expects the three complaints to be forwarded to Google’s lead EU data protection authority, the Irish Data Protection Commission (DPC), in line with the GDPR’s one-stop-shop mechanism for streamlining cross-border complaints.
In early 2019, Google switched the jurisdiction in which it processes European users’ data from the US to its Dublin-based entity, Google Ireland Limited – resulting in its European headquarters obtaining what is known as main establishment status under the GDPR, meaning that lead oversight of Google’s compliance with the EU’s data protection regime is the responsibility of the Irish DPC. (Prior to this, Google was subject to an early application of the GDPR in France regarding elements of how its Android smartphone operating system operates.)
The Irish regulator continues to be criticized for its plodding pace, winding processes, or simply a complete lack of enforcement against the tech giants. This includes the status of a number of major GDPR complaints targeting Google – such as those focusing on Google’s location tracking (which the DPC opened in February 2020); and another into Google’s ad tech (which was initiated by the Irish regulator in May 2019). None of these investigations into aspects of Google’s business has yet resulted in a decision. In the case of the latter investigation, the DPC was sued by complainants last year, who accused the regulator of failing to investigate the substance of the complaint.
In the case of noyb’s recent major strikes against Meta/Facebook, the DPC was also accused of obstructing enforcement by siding with Meta’s arguments on legal grounds – a conclusion that other EU DPAs and the European Data Protection Board (EDPB) overturned via the objection and review process built into the GDPR.
So, given the DPC’s track record of overseeing big tech companies, a quick conclusion to these three Fitbit complaints seems unlikely — even as enforcement of the GDPR more generally has gained some momentum, thanks to a growing body of clarifying judgments from the Court of Justice of the EU in the 5+ years since the regulation came into effect.
If noyb’s complaints against Fitbit lead to a DPC investigation — and GDPR violations are confirmed — Google could face billions of dollars in fines, given that its parent company, Alphabet, saw its annual revenue reach $283 billion last year. (noyb suggests Google could be subject to fines of up to €11.28 billion if violations are confirmed.)
The DPC has, once again, not only avoided imposing the maximum possible penalties for major GDPR breaches in the technology space; its draft decisions have often set penalties lower than those other EU data protection authorities (and the EDPB) consider applicable – resulting in interventions under the regulation’s dispute resolution mechanism that have often led to higher sanctions finally being applied in Ireland, even though such referrals typically add several months to the enforcement timeline. So expect any enforcement on these complaints to be a marathon, not a sprint.