International: NOYB files complaints against Fitbit for unlawful data transfers
On August 31, 2023, None of your business (NOYB) announced that it had filed complaints against Fitbit International Limited with the data protection authorities of Austria (DSB), the Netherlands (AP), and Italy (Garante) for alleged violations of the General Data Protection Regulation (GDPR).
NOYB alleged that Fitbit forced the complainants to consent to the transfer of their personal data to third countries in order to complete the creation of their Fitbit accounts and use the Fitbit app.
NOYB asserts that Fitbit breached the GDPR by:
- not disclosing the countries that the complainants' data would be transferred to;
- not disclosing the specific mechanisms it uses to transfer personal data to third countries;
- not responding to the complainants' data subject access requests;
- transferring personal data to third countries without a legal basis; and
- relying on consent that was not specific, informed, or freely given.
Based on the above, NOYB detailed that it would like the aforementioned data protection authorities to, among other things:
- declare that Fitbit can only rely on one legal basis for transfer of data to third countries;
- declare that the consent obtained by Fitbit was invalid and that the data transfers were unlawful;
- order Fitbit to bring its operations into compliance with the provisions of the GDPR; and
- order Fitbit to allow the complainants to withdraw their consent for international transfers without detriment and without having to delete their accounts.