Vienna-based advocacy group Noyb has filed complaints against Fitbit in Austria, the Netherlands, and Italy, alleging that the Google-owned fitness tracking company is in violation of EU data privacy regulations.
Fitbit — which sells watches that track activity, heart rate, and sleep — “forces” new users of its app to consent to data transfers outside the EU, said Noyb.
Currently, the only way Fitbit users can withdraw their consent is by deleting their accounts entirely, which would mean losing all their previously tracked workouts and health data.
“This means there is no realistic way to regain control over your data without making your product useless,” said the digital rights group in a statement. This, it argued, puts Fitbit in breach of the GDPR.
“Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law,” said Bernardo Armentano, data protection lawyer at Noyb.
Acquired by Google in 2021 at a $2.1bn valuation, Fitbit is one of the world’s most popular smartwatch makers. Its wearable fitness trackers monitor various aspects of your activity, such as steps taken, heart rate, and sleep patterns, and sync this data to a smartphone app for analysis and tracking. In 2021, Fitbit counted over 100 million registered users.
Even if Fitbit did offer an opt-out function on its app, the company’s routine transfer of data to third parties outside the EU is still in breach of the GDPR, said the campaigners.
“Fitbit may be a nice app to track your fitness, but once you want to learn more about how your data is being handled, you are bound for a marathon,” said Romain Robert, one of the three complainants represented by Noyb.
Noyb, founded by privacy activist Max Schrems, has already filed hundreds of complaints against big tech companies like Google and Meta over privacy violations, some leading to big penalties.
In this case, Noyb is requesting that the Austrian, Dutch, and Italian regulators order Fitbit to share all mandatory information about the transfers with its users and allow them to use its app without having to consent to the data transfers.
The privacy watchdogs could also issue a fine for violating GDPR rules. Such fines can reach up to 4% of a firm’s global annual revenue, which for Google’s parent company Alphabet would equal €11bn.