Max Schrems’ Noyb Files Privacy Complaint Against Fitbit

Complaint from campaign group alleges Google’s Fitbit broke EU General Data Protection Regulation (GDPR) rules

The campaign group founded by privacy activist Max Schrems has filed an official complaint against Google’s Fitbit.

Vienna-based Noyb (None Of Your Business) announced that it has filed three complaints against Fitbit in Austria, the Netherlands and in Italy. It accused the fitness tracking company of violating the European Union’s General Data Protection Regulation (GDPR) privacy regime.

Max Schrems is a noted privacy campaigner, and has filed multiple complaints over the past decade against many big name tech firms, leading to some hefty fines. His most frequent target has been Facebook (now Meta Platforms).

Fitbit complaint

Google’s Fitbit is now in the cross hairs of Max Schrems and his Noyb campaign group.

Noyb alleges that Fitbit forces new users of its app to consent to data transfers outside the EU.

“Contrary to legal requirements, users aren’t even provided with a possibility to withdraw their consent,” the group alleged. “Instead, they have to completely delete their account to stop illegal processing.”

And the campaign group said that there was no way around the transfer of personal data.

When creating an account with Fitbit, European users are allegedly obliged to ‘agree to the transfer of their data to the United States and other countries with different data protection laws’, the group stated.

This means that their data could end up in any country around the globe that does not have the same privacy protections as the EU, the group alleged. In other words: Fitbit forces its users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to, said Noyb.

This results in a consent that is neither free, informed nor specific – which means that the consent clearly doesn’t meet the GDPR’s requirements, it alleged.

And the data at risk is highly personal data, including things like a user’s email address, date of birth and gender, Noyb added.

Noyb said Fitbit can also share “data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services”.

It alleged that the collected data can even be shared for processing with third-party companies, whose location and jurisdiction are unknown.

Blank cheque

And it is allegedly impossible for users to find out which specific data is affected. Noyb said that all three complainants exercised their right of access to information with the company’s Data Protection Officer – but never received an answer.

“First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world,” said Maartje de Graaf, Data Protection Lawyer at noyb. “Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”

Under GDPR rules, every person has the right to withdraw their consent. However, it is alleged that Fitbit’s privacy policy states that the only way to withdraw consent is to delete an account. For consumers, this means losing all their previously tracked workouts and health data.

“Fitbit wants you to write a blank cheque, allowing them to send your data anywhere in the world,” said Bernardo Armentano, Data Protection Lawyer at Noyb. “Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”

Noyb is requesting that the Austrian, Dutch and Italian DPAs order Fitbit to share all mandatory information about the transfers with its users and allow them to use its app without having to consent to the data transfers.

Fines for violating GDPR rules can reach up to 4 percent of a firm’s global annual revenue. Alphabet’s annual revenue was $280bn in 2022, meaning authorities could potentially issue a fine of up to 11.28 billion euros (£9.65bn).

Fitbit battle

This is not the only battle that Alphabet has faced over Fitbit in recent years.

Alphabet’s Google had announced its intention to purchase Fitbit for $2.1bn (£1.63bn) back in November 2019, but almost immediately concerns were raised that the deal would give Google access to potentially sensitive data about people’s health and lifestyle.

Those concerns prompted European Union antitrust officials to begin an official investigation. The EU then extended the investigation, and it appeared that Google was prepared to make concessions.

Google made increased concessions to European Union regulators in November 2020, and in December the deal was finally approved by EU regulators.