Google-owned Fitbit is facing a trio of privacy complaints in the European Union which allege the company is illegally exporting user data in breach of the bloc’s data protection rules.
The complaints target Fitbit’s claim that users have consented to international transfers of their information — to the U.S. and elsewhere — arguing the company is forcing consent from users which does not meet the required legal standard.
The EU’s General Data Protection Regulation (GDPR) lays out a set of rules for how local users’ information can be used, including requiring data processors to have a valid legal basis for processing people’s data and setting controls on data exports. Breaches of the regime can carry financial penalties as high as 4% of the infringer’s global annual turnover.
The lawful basis being claimed by Fitbit to export EU users’ data — consent — needs to meet certain standards to be valid. In short, it must be informed, specific and freely given. But the complaints argue Fitbit is illegally forcing consent since users wanting to use products and services they have paid for have no choice to consent to the data exports in order for the products to work.
The complaints also allege Fitbit is failing to provide adequate information to users regarding transfers of their data — meaning they also cannot provide informed consent, as the GDPR requires. They also highlight that Fitbit users are unable to withdraw consent as they should be able to under the GDPR — short of deleting their Fitbit accounts and losing all their tracked workouts. Which means Fitbit users face having their product experience penalized for revoking consent.
European privacy rights not-for-profit, noyb, has filed the complaints with data protection authorities in Austria, the Netherlands and Italy on behalf of three (unnamed) Fitbit users.
Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb, said: “First, you buy a Fitbit watch for at least €100. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”
noyb has been behind scores of successful GDPR complaints in recent years — including a series of strikes against Meta (Facebook) which recently led to the company announcing it will finally switch to asking local users’ consent for the tracking and profiling that powers its core behavioral ad targeting. So noyb’s strategic litigations are always worth watching.
“When creating an account with Fitbit, European users are obliged to ‘agree to the transfer of their data to the United States and other countries with different data protection laws’. This means, that their data could end up in any country around the globe that does not have the same privacy protections as the EU,” noyb writes in a press release announcing the Fitbit complaints. “In other words: Fitbit forces its users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to. This results in a consent that is neither free, informed or specific — which means that the consent clearly doesn’t meet the GDPR’s requirements.”
“According to Fitbit’s privacy policy, the shared data not only includes things like a user’s email address, date of birth and gender. The company can also share ‘data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services’. The collected data can even be shared for processing with third-party companies of which we do not know where they are located,” it goes on. “Furthermore, it is impossible for users to find out which specific data even is affected. All three complainants exercised their right of access to information with the company’s Data Protection Officer — but never received an answer.”
The complaints also question the validity of Fitbit relying on consent for what are routine transfers of sensitive data outside the bloc.
“The GDPR clearly states that consent can only be used as an exception to the prohibition of data transfers outside the EU — which means that consent can only be a valid legal basis for occasional and non-repetitive data transfers. Fitbit, however, is using consent to share all health data routinely,” noyb suggests, arguing Fitbit’s transfers are “clearly systematic” and also questioning whether they can “pass the strict necessity test”, given how much personal data (including some sensitive data) is being routinely exported.
While the EU’s executive body, the European Commission, adopted a new adequacy data transfer agreement with U.S. counterparts last month — a high level deal which aims to shrink the legal risks around transatlantic data flows — noyb notes that Fitbit is not claiming to rely on this so-called EU-U.S. Data Privacy Framework for EU users’ data exports.
“Fitbit doesn’t state in its privacy policy or elsewhere that it transfers data under the new framework but instead it states that it uses consent and SCCs [standard contractual clauses] as ‘transfer mechanisms’,” de Graaf told TechCrunch. “Fitbit also isn’t certified under the data privacy framework.
“Apart from that, it is only a matter of time until noyb will be challenging the validity of the new framework before the CJEU [Court of Justice of the EU]. The fundamental problems with U.S. surveillance laws still exist.”
noyb confirmed it expects the three complaints to be funnelled back to Google’s lead data protection watchdog in the EU, Ireland’s Data Protection Commission (DPC), in line with the GDPR’s one-stop-shop mechanism for streamlining cross-border complaints.
Early in 2019 Google switched the legal jurisdiction of where it processes European users’ data, from the U.S. to its Dublin-based entity, Google Ireland Limited — which led to its European HQ gaining what’s known as main establishment status under the GDPR, meaning lead oversight of Google’s compliance with the EU’s flagship data protection regime falls to the Irish DPC. (Prior to that Google was hit with an early GDPR enforcement in France related to elements of how it operated its Android smartphone OS.)
The Irish regulator continues to be criticized over the plodding pace, tortuously winding pathways or just total lack of enforcement atop tech giants. This includes in the case of a number of major GDPR complaints targeting Google — such as one focused on Google’s location tracking (which the DPC opened in February 2020); and another into Google’s adtech (which the Irish regulator kicked off in May 2019). Neither of those probes into aspects of Google’s business have yielded a decision out of Ireland yet. And in the case of the latter enquiry, the DPC was actually sued by the complainants last year which accuse the regulator of failing to investigate the substance of the complaint.
In the case of noyb’s recent major strikes on Meta/Facebook, the DPC has also been accused of impeding enforcement by siding with Meta’s arguments on legal basis — a finding that was overturned by other EU DPAs and the European Data Protection Board (EDPB) via a process of objection and review baked into the GDPR.
So, given the DPC’s record on oversight of big tech, a swift outcome to this trio of Fitbit complaints seems unlikely — even as enforcement of the GDPR more generally has been gathering some momentum, thanks to a growing body of clarifying CJEU rulings in the five+ years since it came into application.
If noyb’s complaints against Fitbit trigger an investigation by the DPC — and GDPR infringements are confirmed down the line — Google could face fines in the billions of dollars given its parent company, Alphabet, saw its annual revenue reach $283 billion last year. (noyb suggests it could be on the hook for fines of up to €11.28 billion if the breaches are confirmed.)
Although, again, the DPC has not only avoided levying the maximum possible penalties on major big tech GDPR breaches its draft decisions have frequently penciled in lower penalties than other EU DPAs (and the EDPB) view as appropriate — leading to interventions under the regulation’s dispute settlement mechanisms which have often raised the levels of penalties finally applied in Ireland, even as these push-backs have typically added many extra months to enforcement timelines. So expect any enforcement on these complaints to be a marathon, not a sprint.