Joggers run through rocky terrain showing GDPR complaint against Fitbit for data transfers

Schrems Continuing International Data Transfer Crusade With GDPR Complaint Against Fitbit

Max Schrems and his privacy group “noyb” have been a general source of consternation for tech companies operating in Europe that rely on international data transfers, but have been a particular thorn in Facebook’s side. The group has been increasingly targeting Google since 2021, however, and a new GDPR complaint against Google-owned Fitbit is another advance against the tech giant.

Fitbit faces three GDPR complaints filed in Italy, Austria and the Netherlands. The complaints accuse the popular fitness app of an illegal international data transfer process, citing failure to obtain proper consent and requiring users to delete the app entirely to put a stop to personal data processing.

GDPR complaints hone in on Fitbit’s data collection

Established in 2007, Fitbit grew to become one of the world’s top five fitness wearable technology companies prior to being acquired by Google in 2021. It was already being criticized for its data collection practices a decade prior to that merger, however, starting with a 2011 policy change that publicly shared user activity on the internet by default.

Fitbit was able to move past those concerns for the most part, largely by promising never to sell user data. However, fresh fears were raised when it was announced that Google parent Alphabet planned to acquire the company in 2019. Fitbit reiterated that user data would not be sold, but given that Google makes some 80% of its revenue from targeted advertising there were well-founded concerns that its health data would make its way into the internet-spanning profiles that the company collects.

Schrems and noyb point out that the company forces EU users to accept international data transfers as a requirement to use the service, something that may not meet regulatory standards for free and informed consent given that it does not specify exactly where personal information might be transferred to. The GDPR complaint also notes that the devices collect personal information that is classified as sensitive personal data, putting additional restrictions on how it can be shared with third-party companies for processing (something the Fitbit privacy policy has similarly non-specific wording about).

Another element of the GDPR complaint is Fitbit’s requirement that users delete their accounts to stop all personal data collection and processing. There is no opt-out available for any form of data transfer, even if one purchases a premium subscription. One can only use the products and agree to allow the company to collect and use data however it sees fit, or quit using Fitbit devices entirely.

noyb is requesting that the DPAs of each of the countries the GDPR complaints were filed in order Fitbit to provide the ability to opt out, and to disclose all mandatory information about data transfers.

International data transfers still a point of contention

The EU and US recently hammered out a new Data Privacy Framework agreement meant to address the gap left by Schrems’ former GDPR complaints, but the attack on Fitbit seems to focus on data transfers to unspecified other countries. The US is the only one that is specifically named, leaving the possibility that user data might be sent to some other nation with inadequate data transfer partner status.

The GDPR complaint also notes that Fitbit has not yet invoked the new framework as its legal basis for international data transfers. That means it is using standard contractual clauses (SCCs) as its basis, which sets a higher bar for how user consent is obtained.

Fitbit devices and apps collect some very sensitive health data: heart rate, weight, sleep time, caloric intake, and more. They also ask users to fill out personal information profiles, create contact lists and share their time zone. IP addresses can also potentially be paired with this data if one visits the Fitbit website. The GDPR complaint notes that though the company’s privacy policy says collected data is not sold, it could be shared with third parties for processing or even marketing purposes, and is not specific about those partners or purposes.

One partner was inadvertently revealed in September 2021, when a data breach at a company called GetHealth exposed some 61 million records of Fitbit and Apple wearables to the open internet. The incident put a spotlight on the fact that fitness apps and wearables collect information that is usually subject to special regulation, such as HIPAA, yet these apps are not regulated like health care providers.

The GDPR complaints could result in fines of up to 4% of Alphabet’s annual turnover, which was at about $283 billion last year. Any process involving Google means going through Ireland’s DPC as the point agency on investigations, however, which in the past has led to relatively small initial fine proposals and interventions by other EU authorities that turn into protracted debates.