According to the digital rights association NOYB, Fitbit, the connected-watch company acquired by Google in 2021, does not comply with the GDPR, the European regulation on personal data. The company allegedly sends the data it collects to other countries – including the United States – by “forcing” users’ consent, without telling them which countries the data is going to.
“Consent or leave”: this is how the NGO NOYB sums up the approach that Fitbit, Google's connected-device service for health and sports performance monitoring, takes to the personal data it collects. This Google subsidiary is the subject of three complaints, in Austria, the Netherlands and Italy. Behind these three legal actions is NOYB, the association co-founded by the Austrian lawyer Max Schrems. The NGO, which defends digital privacy and is behind numerous legal actions against the Web giants, considers that Fitbit does not comply with the GDPR, the European regulation on personal data. According to the association, the company, which became a Google subsidiary in 2021, is said to “force” its users to accept the transfer of data outside the European Union.
“A take it or leave it approach, five years after the entry into force of the GDPR”
However, the data collected can be shared “for processing with third-party companies whose location we do not know”, the association laments in its press release. The data is also allegedly sent to the United States and other countries outside the EU, where the GDPR, the European law that protects our personal data, does not apply.
To avoid this, users would have to delete their account, but they would then lose their entire usage history, and therefore all of their data. “A take-it-or-leave-it approach, five years after GDPR came into force”, laments Maartje de Graaf, a NOYB lawyer quoted in the NGO's press release. The GDPR normally requires companies to offer an alternative, so that users can continue to use the services.
The Austrian association is therefore asking the Garante (the Italian data protection authority) and its Austrian and Dutch counterparts to force Fitbit to allow its products to be used without health data having to be transferred.
Consent neither informed nor freely given, according to NOYB
Last month, a new data transfer agreement between the United States and the European Union was concluded, but according to NOYB, Fitbit does not rely on this text to justify exporting the data of European Union users. In its privacy policy, the company says it relies on consent and on standard contractual clauses (SCCs) to justify these transfers. However, to use these two legal bases, which the GDPR does provide for to justify exporting data across the Atlantic, the company must meet a number of conditions, which are allegedly not met.
Starting with consent, which cannot be used for repetitive and permanent transfers of data to the United States, which would be the case for Fitbit, NOYB suggests. And to be valid, consent must above all be informed, specific and freely given. This last element would be missing, since users have no choice but to consent to the sharing and transfer of their data if they want to continue using Fitbit’s products. Nor would it be informed, because the company specifies neither the names of the partner companies nor the countries to which the data in question is sent.
If this violation of the GDPR is confirmed, the company would risk a very hefty fine corresponding to 4% of its worldwide turnover. It could reach 11.28 billion euros, estimates NOYB, which says it is acting on behalf of three users.
NOYB press release