NOYB filed a complaint against Fitbit over alleged data transfer violation

NOYB filed a complaint against Fitbit for allegedly violating GDPR rules by coercing users into transferring data to the US and other countries without clear information or consent withdrawal options.


The Austrian non-profit organisation, European Center for Digital Rights (NOYB), filed a complaint against the health and fitness company Fitbit in Austria, the Netherlands, and Italy. NOYB claims in its complaint that Fitbit, which was bought by Google, violates GDPR provisions because it allegedly forced its users to consent to the transfer of their data to the US and other countries with different data protection laws. Fitbit is also accused of not informing its users about the possible implications or the specific countries their data goes to, and of not giving them the right to withdraw their consent. Instead, users would have to completely delete their accounts to end the data processing, meaning that they would lose their health data even if they had paid for the premium subscription.

Why does it matter?

The main issue in this case is that Fitbit does not give its customers an option to consent to the transfer of their data outside the EU or to withdraw their consent. NOYB claims that Fitbit’s practices of coercing users to consent to data transfers outside the EU, the lack of clarity on data sharing implications, and the inability to withdraw consent without losing data violate the GDPR. According to NOYB, even if users could withdraw their consent, this still would not comply with the GDPR, as Fitbit would need to have an option to consent to the data transfer in the first place.

What would be interesting to see is whether and how the European Commission’s new adequacy decision for the EU-US Data Privacy Framework would be used in this case when determining the legality of the data transfer. Considering that the adequacy decision found that the US ensures an adequate level of protection, comparable to that of the EU, for data transferred from the EU to the US, either Fitbit would have to change its privacy policies, or it would end up in a legal gap where the company would still be allowed to conduct repetitive data transfers outside the EU.