Fitbit is facing a major probe into its data protection policies, amid claims that the Google-owned app – which has more than 120 million users – shows an “astonishing” lack of transparency when it comes to its data collection and user consent practices.
The claims are made in three user complaints, issued in conjunction with Max Schrems' privacy organisation NOYB, which have been filed with the Italian, Austrian and Dutch data protection authorities.
According to the complainants, Fitbit is in breach of GDPR because customers are forced to agree to the unlawful transfer of personal data outside the EU, with its user agreement stating that data is transferred to the US and to “other countries”, which are not named.
NOYB argues that this means customer data could end up in any country around the world that does not have the same privacy protections as the EU.
By forcing users to agree to this, NOYB maintains that the consent collected by Fitbit is not “free, informed or specific”, a key requirement of GDPR, which has been in force since May 2018.
NOYB also highlights that, according to Fitbit’s privacy policy, the shared data not only includes date of birth, gender and email address, but that the company can also share “data, like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends”.
The collected data can even be shared for processing with unknown third-party companies. The three complainants all filed right of access requests to Fitbit’s data protection officer to find out which specific data is affected but did not receive an answer.
NOYB data protection lawyer Maartje de Graaf said: “First, you buy a Fitbit watch for at least €100. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”
Her colleague and fellow data protection lawyer Bernardo Armentano added: “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”
NOYB is now calling on the Austrian, Dutch and Italian data protection authorities to order Fitbit to share all mandatory information about the transfers with its users and allow them to use its app without having to consent to the data transfers.
If the complaints are upheld, the authorities could in principle issue a fine of up to 4% of the $289.5bn (€267.94bn) global annual turnover of Google’s parent company Alphabet. However, a monetary penalty of roughly $11.6bn (€10.7bn) seems about as likely as Google mending its ways.