Fitbit accused of illegally exporting EU user data

  • Fitbit has had three complaints levelled against it by a privacy rights group in the EU.
  • The allegations stem from the unauthorised export of user data, which seemingly infringes upon GDPR law.
  • The complaints were filed with regulators in the Netherlands, Italy, and Austria.

User data has remained a contentious issue for Fitbit ever since Google acquired the company back in early 2021. With Fitbit wearable owners soon needing to make the shift to a Google account in order to make proper use of their device, it looks as if the company is coming under increased scrutiny, particularly in the European Union.

Three complaints have been filed against Fitbit with three separate regulators in different EU countries, alleging that the company has been illegally exporting user data and therefore infringing upon GDPR law in the region.

The complaints come via non-profit privacy rights organisation noyb, which filed complaints in the Netherlands, Italy, and Austria.

“When creating an account with Fitbit, European users are obliged to ‘agree to the transfer of their data to the United States and other countries with different data protection laws’. This means, that their data could end up in any country around the globe that does not have the same privacy protections as the EU,” noyb alleges.

“In other words: Fitbit forces its users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to. This results in a consent that is neither free, informed or specific – which means that the consent clearly doesn’t meet the GDPR’s requirements,” it adds.

While it remains to be seen what action, if any, the aforementioned regulators will take following the complaints, some of the allegations will likely be questioned heavily by both Fitbit and Google.

“According to Fitbit’s privacy policy, the shared data not only includes things like a user’s email address, date of birth and gender. The company can also share ‘data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services’. The collected data can even be shared for processing with third-party companies of which we do not know where they are located,” the non-profit posits.

These are similar to concerns that were raised when Google first purchased Fitbit, but the company has stated on the record that sensitive user data would not be shared.

“This deal is about devices, not data. We appreciate the opportunity to work with the European Commission on an approach that safeguards consumers’ expectations that Fitbit device data won’t be used for advertising,” a spokesperson confirmed prior to the deal being finalised.

There are several more elements that have been outlined in the extensive complaints, but at the time of writing, neither Google nor Fitbit has officially commented on the matter.

As TechCrunch points out though, should anything materialise from said allegations and complaints, it would prove quite costly for Google’s parent company, Alphabet. Under GDPR law, based on Alphabet’s annual revenue of $238 billion in 2022, a fine of up to $11.28 billion could be levelled against the company.

Should that happen, it would be one of the biggest in recent GDPR history. For now though, we will need to wait to see whether regulators will choose to investigate Fitbit’s user data practices.
