Vienna-Based Advocacy Group ‘Noyb’ Accuses Google-Owned Fitbit of GDPR Violations

Noyb, the Vienna-based advocacy group with the fitting acronym ‘None Of Your Business’ and founded by privacy champion Max Schrems, has taken action against Fitbit, which is owned by tech giant Google. Noyb alleges that Fitbit has run afoul of the European Union’s General Data Protection Regulation (GDPR) by engaging in the unauthorized export of user data.

Complaints Spread Across Three Nations

Noyb has lodged complaints against Fitbit in not one, but three European countries: Austria, the Netherlands, and Italy. But why the fuss? Noyb asserts that Fitbit essentially strong-arms its users into permitting the transfer of their data outside the EU, specifically to the United States and other nations with varying data protection laws. The kicker? Users seemingly have no recourse to retract their consent, a move that may contravene the GDPR’s stipulations. According to Noyb, the only escape hatch from this perceived “illegal processing” is to obliterate your Fitbit account entirely.

GDPR Under Fire

Google’s Fitbit faces multiple potential GDPR violations in this scenario. First and foremost, the GDPR mandates that consent must be a voluntary act. If users find themselves backed into a corner with no option to withdraw, it’s hard to argue that their consent is given freely.

Furthermore, the GDPR insists on users being fully informed about how their data will be utilized and processed. If data transfer becomes a non-negotiable condition, the consent doesn’t meet the GDPR’s requirement that it be specific and informed.

Noyb claims that Fitbit’s alleged coercion of users into sharing sensitive data, without providing clear information on potential consequences or the specific destinations of their data, means their consent is not free, informed, or specific, as the GDPR requires.

Sensitive Data Scrutinized

The GDPR emphasizes that only data strictly necessary for its intended purpose should be collected and processed. Fitbit’s insistence on data transfers may run afoul of this principle if the data transferred exceeds what’s genuinely needed for the service provided.

Noyb contends that Fitbit’s privacy policy reveals that shared data encompasses not only basic information like email addresses, birthdates, and gender but also extends to more intimate details such as food logs, weight, sleep patterns, water consumption, and menstrual tracking. This raises concerns, especially in regions where abortion care is illegal, as such data could potentially be used against users. Notably, such data sharing is uncommon even in specialized menstrual tracking apps.

Moreover, Noyb alleges that Fitbit’s collected data can be handed over to third-party entities, whose locations remain undisclosed. Users are left in the dark about which specific data is shared and have virtually no way to find out.

A “Take It or Leave It” Approach

Another GDPR provision allows users to change their minds and withdraw their consent. Fitbit’s privacy policy, however, states that the only way to do so is by deleting the account, a move that wipes out all previously tracked workouts and health data. Even users with premium subscriptions, which cost 79.99 euros per year, face this same predicament. Noyb argues that this effectively forces people to forfeit their data if they want to regain control, rendering the product practically useless.

Maartje de Graaf, a Data Protection Lawyer at Noyb, remarks, “First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”

A Blank Check?

Bernardo Armentano, another Data Protection Lawyer at Noyb, adds, “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”

Billions at Stake

Noyb warns that based on Alphabet’s (Google’s parent company) turnover from the previous year, if the complaints are substantiated by data regulators, Google may be looking at fines of up to a staggering 11.28 billion euros for Fitbit’s alleged data protection transgressions.

Implications for Businesses

Google’s acquisition of Fitbit in 2021 was initially viewed as a strategic move to expand into the wearables market and access the health data of millions of Fitbit users for profiling and advertising purposes. However, it has now come back to haunt them. Noyb’s complaints against Google-owned Fitbit could set a precedent for how tech giants handle user data, particularly sensitive health information, potentially forcing them to revise their global data policies.

As GlobalData’s recent tech regulation report suggests, data protection regulators are likely to continue their close scrutiny of companies in 2023. This could spell trouble for other tech firms concerning data collection, sharing practices, and consent issues. Several years after the introduction of the GDPR, Google may need to invest more resources in compliance to avoid facing similar allegations related to its other products or services.

For businesses heavily reliant on user data, this case serves as a wake-up call to thoroughly review their data collection and transfer policies to ensure alignment with GDPR requirements. Transparency and informed choices for users regarding their data are paramount, especially when crossing borders. Fitbit’s alleged actions could catalyze a broader reckoning, prompting closer scrutiny of other businesses with similar data consent practices.

Potential Benefits for Users

For Fitbit and similar device users, this case might lead to more transparent data practices, giving them greater control over their personal information. The exposure of sensitive health data, spanning sleep patterns to menstrual cycles, may encourage users to seek alternatives offering better data protection guarantees. In this age of heightened awareness about data privacy, users are likely to become more discerning about the permissions they grant to apps, ultimately demanding enhanced privacy protections.
