
Fitbit targeted with trio of data transfer complaints in Europe


Google-owned Fitbit is facing a trio of privacy complaints in the European Union which allege the company is illegally exporting user data in breach of the bloc’s data protection rules.

The complaints target Fitbit’s claim that users have consented to international transfers of their information — to the US and elsewhere — arguing the company is forcing consent from users which doesn’t meet the required legal standard.

The EU’s General Data Protection Regulation (GDPR) lays out a set of rules for how local users’ information can be used, including requiring data processors to have a valid legal basis for processing people’s data and setting controls on data exports. Breaches of the regime can carry financial penalties as high as 4% of the infringer’s global annual turnover.

The lawful basis being claimed by Fitbit to export EU users’ data — consent — needs to meet certain standards to be valid. In short, it must be informed, specific and freely given. But the complaints argue Fitbit is illegally forcing consent since users wanting to use services they’ve paid for have no choice but to consent to the data exports in order for the products to work.

The complaints also allege Fitbit is failing to provide adequate information to users regarding transfers of their data — meaning they also can’t provide informed consent, as the GDPR requires. They also highlight that Fitbit users are unable to withdraw consent as they should be able to under the GDPR — short of deleting their Fitbit accounts and losing all their tracked workouts. Which means Fitbit users face having their product experience penalized for revoking consent.

European privacy rights not-for-profit, noyb, has filed the complaints with data protection authorities in Austria, the Netherlands and Italy on behalf of three (unnamed) Fitbit users.

Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb, said: “First, you buy a Fitbit watch for at least €100. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to implement a ‘take it or leave it’ approach.”

noyb has been behind scores of successful GDPR complaints in recent years — including a series of strikes against Meta (Facebook) which recently led to the company saying it will finally switch to asking local users’ consent for the tracking and profiling that powers its core behavioral ad targeting. So noyb’s strategic litigations are always worth watching.

“When creating an account with Fitbit, European users are obliged to ‘agree to the transfer of their data to the USA and other countries with different data protection laws’. This means that their data could end up in any country around the globe that doesn’t have the same privacy protections as the EU,” noyb writes in a press release announcing the Fitbit complaints. “In other words: Fitbit forces its users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to. This results in a consent that is neither free, informed or specific — which means that the consent clearly doesn’t meet the GDPR’s requirements.”

“According to Fitbit’s privacy policy, the shared data not only includes things like a user’s e-mail address, date of birth and gender. The company can also share ‘data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services’. The collected data can even be shared for processing with third-party companies of which we do not know where they are located,” it goes on. “Furthermore, it is impossible for users to find out which specific data even is affected. All three complainants exercised their right of access to information with the company’s Data Protection Officer — but never received an answer.”

The complaints also question the validity of Fitbit relying on consent for what are routine transfers of sensitive data outside the bloc.

“The GDPR clearly states that consent can only be used as an exception to the prohibition of data transfers outside the EU — which means that consent can only be a valid legal basis for infrequent and non-repetitive data transfers. Fitbit, however, is using consent to share all health data routinely,” noyb suggests, arguing Fitbit’s transfers are “clearly systematic” and also questioning whether they can “pass the strict necessity test”, given how much personal data (including some sensitive data) is being routinely exported.

While the EU’s executive body, the European Commission, adopted a new adequacy data transfer agreement with US counterparts last month — a high level deal which aims to shrink the legal risks around transatlantic data flows — noyb notes that Fitbit is not claiming to rely on this so-called EU-US Data Privacy Framework for EU users’ data exports.

“Fitbit doesn’t state in its privacy policy or elsewhere that it transfers data under the new framework but instead it states that it uses consent and SCCs [standard contractual clauses] as ‘transfer mechanisms’,” de Graaf told TechCrunch. “Fitbit also isn’t certified under the data privacy framework.

“Apart from that, it’s only a matter of time until noyb will be challenging the validity of the new framework before the CJEU [Court of Justice of the EU]. The fundamental problems with US surveillance laws still exist.”

noyb confirmed it expects the three complaints to be funnelled back to Google’s lead data protection watchdog in the EU, Ireland’s Data Protection Commission (DPC), in line with the GDPR’s one-stop-shop mechanism for streamlining cross-border complaints.

Early in 2019 Google switched the legal jurisdiction of where it processes European users’ data, from the US to its Dublin-based entity, Google Ireland Limited — which led to its European HQ gaining what’s known as main establishment status under the GDPR, meaning lead oversight of Google’s compliance with the EU’s flagship data protection regime falls to the Irish DPC. (Prior to that Google was hit with an early GDPR enforcement in France related to elements of how it operated its Android smartphone OS.)

The Irish regulator continues to be criticized over the plodding pace, tortuously winding pathways or just total lack of enforcement on tech giants. This includes in the case of a number of major GDPR complaints targeting Google — such as one focused on Google’s location tracking (which the DPC opened in February 2020); and another into Google’s adtech (which the Irish regulator kicked off in May 2019). Neither of those probes into aspects of Google’s business has yielded a decision out of Ireland yet. And in the case of the latter enquiry, the DPC was actually sued last year by the complainants, who accuse the regulator of failing to investigate the substance of the complaint.

In the case of noyb’s recent major strikes on Meta/Facebook, the DPC has also been accused of impeding enforcement by siding with Meta’s arguments on legal basis — a finding that was overturned by other EU DPAs and the European Data Protection Board (EDPB) via a process of objection and review baked into the GDPR.

So, given the DPC’s record on oversight of big tech, a swift outcome to this trio of Fitbit complaints seems unlikely — even as enforcement of the GDPR more generally has been gathering some momentum, thanks to a growing body of clarifying CJEU rulings in the 5+ years since it came into application.

If noyb’s complaints against Fitbit trigger an investigation by the DPC — and GDPR infringements are confirmed down the line — Google could face fines in the billions of dollars given its parent company, Alphabet, saw its annual revenue reach $283BN last year. (noyb suggests it could be on the hook for fines of up to €11.28BN if the breaches are confirmed.)

Although, again, the DPC has not only avoided levying the maximum possible penalties on major big tech GDPR breaches, its draft decisions have frequently penciled in lower penalties than other EU DPAs (and the EDPB) view as appropriate — leading to interventions under the regulation’s dispute settlement mechanisms which have often raised the levels of penalties finally applied in Ireland, even as these push-backs have typically added many additional months to enforcement timelines. So expect any enforcement on these complaints to be a marathon, not a sprint.
