Fitbit faces three GDPR complaints over data transfers outside the EU

Max Schrems and his privacy group "noyb" filed three complaints against Fitbit in Austria, the Netherlands and Italy at the end of August 2023. The popular fitness app is accused of illegal international data transfers and failing to allow users to refuse it and continue using the app.

The privacy policy states this as a risk users may take. "Please note that the countries where we operate may have privacy and data protection laws that differ from, and are potentially less protective than, the laws of your country. You agree to this risk when you create a Fitbit account and click 'I agree' to data transfers, irrespective of which country you live in."

Noyb outlines the major privacy issues in Fitbit's data policy that contravene the GDPR specifics protecting European users:

1.      Take it or leave it approach. Consent and the right to withdraw it are a cornerstone of GDPR. However, Fitbit users must either agree to data sharing or stop using the app.

2.      Collection of highly sensitive data. On top of account and payment details, the app collects health and lifestyle data: logs for food, weight, sleep, water, or female health tracking, messages on discussion boards, or to friends on the Services. Users have no control or knowledge of who and where their information may be processed.

3.      Unclear terms about data transfer. When creating an account with Fitbit, European users are obliged to "agree to the transfer of their data to the United States and other countries with different data protection laws". No further information is provided regarding the countries or possible implications.

What's next?

noyb requests the Austrian, Dutch, and Italian DPAs to order Fitbit to share all mandatory information about the transfers with its users and allow them to use its app without having to consent to the data transfers.

Meanwhile, if you are using Fitbit, take a moment to reflect on how important is health data tracking for you, in a benefits vs. risks context. Consider monitoring your data with Digital Identity Protection, so you will know if the app is involved in a breach or your information pops up on the internet (surface or dark web) leaked by a third party.

Digital Identity Protection is the only digital monitoring service that offers personalized, detailed guidance for data management (discovery, retrieving, and deleting personal information from old accounts) while keeping you updated with new incidents and specific actions to take when they happen.