The privacy group noyb has filed three different lawsuits over Fitbit’s unlawful data sharing practices. Fitbit is a popular health and fitness company that specializes in smart watches. They were purchased by Google in 2021.
The lawsuit outlines how Fitbit mishandles its customers’ data, making it a potential threat to users’ personal privacy. The suit claims that Fitbit forces its users to consent to data transfers outside of the UK, which is against the GDPR.
European users are obliged to “agree to the transfer of their data to the United States and other countries with different data protection laws,” explains the noyb group.
The shared data includes a lot of personal information, including but not limited to full names, email addresses, date of birth, gender, messages to friends made with Fitbit, and your logs for health information like food, weight, exercise, etc.
Fitbit uses a “take it or leave it” approach to their user agreement. Rather than giving you any control over how your data is shared, Fitbit completely prohibits you from using your device unless you agree to have your data shared with foreign companies. As noyb points out, you can pay for a Fitbit and the subscription, only to find that you can’t use the product at all.
But as the lawsuit claims, even if there were a simple way to withdraw consent, Fitbit would still be in violation of the GDPR, because the company regularly sends extremely personal health information, and makes mass data transfers, outside of the EU.
The lawsuits were filed in the Netherlands, Italy, and Austria near the end of August. If Google is found guilty, it is looking at a potentially multi-billion-dollar fine.
“The collected data can even be shared for processing with third-party companies of which we do not know where they are located,” noyb said.