Vienna-based advocacy group Noyb has filed complaints against Fitbit in Austria, the Netherlands and Italy, alleging that the Google-owned fitness-tracking company violates EU privacy rules.
Fitbit, which sells watches that measure activity, heart rate and sleep, “forces” new users of its app to consent to data transfers outside the EU, Noyb said.
Currently, the only option for Fitbit users to revoke their consent is to completely delete their accounts, which would mean losing all previously recorded exercise and health data.
“That means there is no realistic way to regain control of your data without breaking your product,” the digital rights group said in one opinion. This, it argued, means Fitbit violates the GDPR.
“Given that the company collects the most sensitive healthcare data, it’s amazing that they don’t even try to explain how the law uses that data,” said Bernardo Armentano, privacy attorney at Noyb.
Acquired by Google for $2.1 billion in 2021, Fitbit is one of the world’s most popular smartwatch makers. Its wearable fitness trackers monitor various aspects of your activity, such as steps taken, heart rate and sleep patterns, and sync that data to a smartphone app for analysis and tracking. In 2021, Fitbit counted over 100 million registered users.
Even though Fitbit offers an opt-out feature in its app, the company’s routine data transfers to third parties outside the EU still violate the GDPR, the activists say.
“Fitbit might be a nice app to track your fitness, but once you want to learn more about how your data is being handled, you’re in for a marathon,” said Romain Robert, one of the three complainants represented by Noyb.
Founded by privacy activist Max Schrems, Noyb has filed hundreds of complaints against big tech companies like Google and Meta for data breaches, some of which have resulted in high penalties.
In this case, Noyb is asking the Austrian, Dutch and Italian regulators to order Fitbit to provide all mandatory information about the transfers to its users and allow them to use its app without having to consent to the data transfers.
Data protection authorities could also impose a fine of up to 4% of a company’s global annual revenue for violating GDPR rules, which for Google’s parent company Alphabet would amount to 11 billion euros.