Advocacy group Noyb on Thursday filed complaints against Google-owned Fitbit in Austria, the Netherlands and Italy accusing the fitness tracking company of violating the European Union's General Data Protection Regulation (GDPR) privacy regime.
Vienna-based Noyb (None Of Your Business), the digital rights group founded by privacy activist Max Schrems, has already filed hundreds of complaints against big tech companies ranging from Alphabet Inc's Google to Meta over privacy violations, some leading to big fines.
Fitbit forces its users to consent to data transfers outside the EU and does not provide the possibility to withdraw their consent, violating GDPR's requirements, Noyb said.
Fitbit sells watches that track activity, heart rate and sleep. It also offers a subscription service starting at $9.99 a month.
"Given that the company collects the most sensitive health data, it's astonishing that it doesn't even try to explain its use of such data, as required by law," said Bernardo Armentano, data protection lawyer at Noyb.
Fines for violating GDPR rules can reach up to 4 per cent of a firm's global annual revenue. Google's annual revenue was $280 billion in 2022.
The advocacy group wants Fitbit to be forced to share all mandatory information about the data transfers with its users and allow them to use its app without having to consent to the transfers.
While GDPR allows every person to withdraw their consent, Fitbit's privacy policy states that the only way to withdraw consent is to delete an account, which means losing their previously tracked workouts and health data, Noyb said.