October 2, 2023

Google-owned Fitbit is facing a trio of privacy complaints in the European Union which allege the company is illegally exporting user data in breach of the bloc’s data protection rules.

The complaints target Fitbit’s claim that users have consented to international transfers of their information — to the US and elsewhere — arguing the company is forcing consent from users which doesn’t meet the required legal standard.

The EU’s General Data Protection Regulation (GDPR) lays out a set of rules for how local users’ information can be used, including requiring data processors to have a valid legal basis for processing people’s data and setting controls on data exports. Breaches of the regime can carry financial penalties as high as 4% of the infringer’s global annual turnover.

The lawful basis being claimed by Fitbit to export EU users’ data — consent — needs to meet certain standards to be valid. In short, it must be informed, specific and freely given. But the complaints argue Fitbit is illegally forcing consent, since users wanting to use products and services they’ve paid for have no choice but to consent to the data exports in order for the products to work.

The complaints also allege Fitbit is failing to provide adequate information to users regarding transfers of their data — meaning they also cannot provide informed consent, as the GDPR requires. They also highlight that Fitbit users are unable to withdraw consent as they should be able to under the GDPR — short of deleting their Fitbit accounts and losing all their tracked workouts. Which means Fitbit users face having their product experience penalized for revoking consent.

European privacy rights not-for-profit, noyb, has filed the complaints with data protection authorities in Austria, the Netherlands and Italy on behalf of three (unnamed) Fitbit users.

Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb, said: “First, you buy a Fitbit watch for at least €100. Then you sign up for a paid subscription, only to find that you’re forced to ‘freely’ agree to the sharing of your data with recipients around the globe. 5 years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”

noyb has been behind scores of successful GDPR complaints in recent years — including a series of strikes against Meta (Facebook) which recently led to the company announcing it will finally switch to asking local users’ consent for the tracking and profiling that powers its core behavioral ad targeting. So noyb’s strategic litigations are always worth watching.

“When creating an account with Fitbit, European users are obliged to ‘agree to the transfer of their data to the US and other countries with different data protection laws’. This means that their data could end up in any country around the globe that doesn’t have the same privacy protections as the EU,” noyb writes in a press release announcing the Fitbit complaints. “In other words: Fitbit forces its users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to. This results in a consent that’s neither free, informed or specific — which means that the consent clearly doesn’t meet the GDPR’s requirements.”

“According to Fitbit’s privacy policy, the shared data not only includes things like a user’s email address, date of birth and gender. The company can also share ‘data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services’. The collected data can even be shared for processing with third-party companies of which we do not know where they are located,” it goes on. “Furthermore, it’s impossible for users to find out which specific data even is affected. All three complainants exercised their right of access to information with the company’s Data Protection Officer — but never received an answer.”

The complaints also question the validity of Fitbit relying on consent for what are routine transfers of sensitive data outside the bloc.

“The GDPR clearly states that consent can only be used as an exception to the prohibition of data transfers outside the EU — which means that consent can only be a valid legal basis for occasional and non-repetitive data transfers. Fitbit, however, is using consent to share all health data routinely,” noyb suggests, arguing Fitbit’s transfers are “clearly systematic” and also questioning whether they can “pass the strict necessity test”, given how much personal data (including some sensitive data) is being routinely exported.

While the EU’s executive body, the European Commission, adopted a new adequacy data transfer agreement with US counterparts last month — a high-level deal which aims to shrink the legal risks around transatlantic data flows — noyb notes that Fitbit is not claiming to rely on this so-called EU-US Data Privacy Framework for EU users’ data exports.

“Fitbit does not state in its privacy policy or elsewhere that it transfers data under the new framework but instead it states that it uses consent and SCCs [standard contractual clauses] as ‘transfer mechanisms’,” de Graaf told TechCrunch. “Fitbit also isn’t certified under the data privacy framework.

“Apart from that, it is just a matter of time until noyb will be challenging the validity of the new framework before the CJEU [Court of Justice of the EU]. The fundamental problems with US surveillance laws still exist.”

noyb confirmed it expects the three complaints to be funnelled back to Google’s lead data protection watchdog in the EU, Ireland’s Data Protection Commission (DPC), in line with the GDPR’s one-stop-shop mechanism for streamlining cross-border complaints.

Early in 2019 Google switched the legal jurisdiction of where it processes European users’ data, from the US to its Dublin-based entity, Google Ireland Limited — which led to its European HQ gaining what’s known as main establishment status under the GDPR, meaning lead oversight of Google’s compliance with the EU’s flagship data protection regime falls to the Irish DPC. (Prior to that Google was hit with an early GDPR enforcement in France related to aspects of how it operated its Android smartphone OS.)

The Irish regulator continues to be criticized over the plodding pace, tortuously winding pathways or just total lack of enforcement atop tech giants. This includes in the case of a number of major GDPR complaints targeting Google — such as one focused on Google’s location tracking (which the DPC opened in February 2020); and another into Google’s adtech (which the Irish regulator kicked off in May 2019). Neither of those probes into aspects of Google’s business has yielded a decision out of Ireland yet. And in the case of the latter enquiry, the DPC was actually sued by the complainants last year, who accuse the regulator of failing to investigate the substance of the complaint.

In the case of noyb’s recent major strikes on Meta/Facebook, the DPC has also been accused of impeding enforcement by siding with Meta’s arguments on legal basis — a finding that was overturned by other EU DPAs and the European Data Protection Board (EDPB) via a process of objection and review baked into the GDPR.

So, given the DPC’s record on oversight of big tech, a swift outcome to this trio of Fitbit complaints seems unlikely — even as enforcement of the GDPR more generally has been gathering some momentum, thanks to a growing body of clarifying CJEU rulings in the 5+ years since it came into application.

If noyb’s complaints against Fitbit trigger an investigation by the DPC — and GDPR infringements are confirmed down the line — Google could face fines in the billions of dollars given its parent company, Alphabet, saw its annual revenue reach $283BN last year. (noyb suggests it could be on the hook for fines of up to €11.28BN if the breaches are confirmed.)

Although, again, the DPC has not only avoided levying the maximum possible penalties on major big tech GDPR breaches, its draft decisions have frequently penciled in lower penalties than other EU DPAs (and the EDPB) view as appropriate — leading to interventions under the regulation’s dispute resolution mechanisms which have often raised the levels of penalties finally applied in Ireland, even as those push-backs have often added many extra months to enforcement timelines. So expect any enforcement on these complaints to be a marathon, not a sprint.