Fitbit faces privacy complaints in EU over alleged unlawful data exports

Fitbit, a Google company, is reportedly facing a series of privacy complaints within the European Union. These complaints revolve around allegations that the company is engaging in unlawful exporting of user data, thereby violating the EU's stringent data protection regulations.

The European Union's General Data Protection Regulation (GDPR) stipulates strict rules regarding the usage of users' information. This includes the necessity for data processors to possess a legitimate legal basis for processing individuals' data and the imposition of controls on the export of data. Non-compliance with these regulations can result in substantial financial penalties, which can amount to as much as 4% of the infringing entity's global annual revenue.

Fitbit claims that the lawful basis for exporting EU users' data is consent, but this consent needs to adhere to certain criteria to be valid. Specifically, it must be informed, specific, and given freely. The complaints contend that Fitbit is infringing on user rights by essentially compelling them to agree to data transfers for the products to function, which they argue is not genuine consent.

Furthermore, the complaints raise concerns about Fitbit's failure to adequately inform users about data transfers and the subsequent inability of users to withdraw consent, which is a key tenet of GDPR. This situation essentially penalizes users who wish to revoke their consent, as it entails deleting their Fitbit accounts and sacrificing their accumulated data.

The not-for-profit organization noyb, which advocates for privacy rights with a track record of successful GDPR complaints, has submitted these complaints on behalf of three Fitbit users to data protection authorities in Austria, the Netherlands, and Italy. The complaints question Fitbit's reliance on consent for regular transfers of sensitive data outside the EU and argue that this systematic data sharing does not fulfill the GDPR's requirements for valid consent.

While the European Commission recently established a new adequacy data transfer agreement with the US, Fitbit is not asserting reliance on this framework for its data exports. Instead, it is contending that consent and contractual clauses are the bases for these transfers.

 

Source credit: https://techcrunch.com/2023/08/30/fitbit-gdpr-data-transfer-complaints-noyb/