💁‍♂️ IP Address Handling and GDPR Compliance Concerns

Since a post of mine was previously hidden by Rabbit Inc., in the person of @mattdomko, and since the post was quite important for the European community of about 33,000 users, this is becoming my personal battle, and now no one will stop me until I get what European citizens deserve.

I formally ask that this post not be hidden again, and that the other one also be reactivated, given its importance for European users as clearly expressed by the European regulatory agencies and board!

According to Rabbit Inc.'s Privacy Policy (last updated 22 April 2024), the company collects and processes IP addresses as part of its services. Specifically, it states that IP addresses may be used to infer general location information and for other purposes related to service functionality.

However, the policy also mentions that Rabbit’s services are hosted in the United States, and personal data, including IP addresses, may be transferred to and stored on servers outside the European Economic Area (EEA), such as in the U.S.

While Rabbit Inc. claims to use Standard Contractual Clauses (SCCs) to ensure GDPR compliance for these transfers, routing user data (including IP addresses) through servers in the U.S. without explicit user consent or additional safeguards could potentially violate GDPR regulations. This is particularly concerning given the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union.

I have noticed that our device routes your 4G/wireless IP address through U.S.-based servers (as described in my experience); this raises questions about transparency and compliance with GDPR's principles of data minimization and purpose limitation.

Key Questions for Rabbit Tech:

  1. Why is the user's 4G/wireless IP address being routed through servers in the U.S.?
  2. What specific safeguards are in place to ensure compliance with GDPR for such data transfers?
  3. Is explicit user consent obtained for this type of data processing?

If these practices are not adequately justified or safeguarded, users in the EU may have grounds to file a complaint with their Data Protection Authority.

Transparency and adherence to GDPR are essential for protecting users’ rights.


…and then, excuse me, if my IP address is transmitted in this way, why are users banned from various services, or have their accounts deleted (including Spotify), because the connection is seen as coming from the United States?

I don’t want to start thinking badly… and I await exhaustive answers!

As far as I know from my dealings with GDPR, the European Commission can adopt adequacy decisions to formally confirm, with binding effect on EEA countries, that the level of data protection in a non-EEA country or an international organisation is essentially equivalent to the level of protection in the European Economic Area.

The European Commission has adopted adequacy decisions for a number of countries, including the USA. For the USA there is a requirement that commercial organisations participate in the EU-US Data Privacy Framework. AWS participates in that Data Privacy Framework.

Did I miss something?

Also interesting reads:


Thank you for your input, @nzwaneveld, but Rabbit Inc.'s Privacy Policy (last updated 22 April 2024) mentions the use of Wi-Fi, Bluetooth signals, and GPS for collecting precise geolocation data in connection with their services, including the rabbit r1 device. However, there is no explicit mention of mobile or 4G data being used for geolocation or other purposes in the provided sections of the privacy policy.

This is also why WE (European citizens) are asking for the Privacy Policy to be updated and a DPIA to be performed by 25 August 2025.

Does Rabbit Inc.'s Privacy Policy Violate GDPR Despite the EU-U.S. Data Privacy Framework?

While the EU-U.S. Data Privacy Framework (DPF) was adopted in July 2023 and provides an adequacy decision for data transfers to U.S. companies participating in the framework, there are several concerns regarding Rabbit Inc.'s compliance with GDPR based on its current Privacy Policy.

1. Status of the DPF and Legal Challenges

Although the DPF is currently valid, it faces significant legal challenges. Privacy activist Max Schrems and NOYB have announced their intent to challenge the framework before the Court of Justice of the European Union (CJEU), citing unresolved issues from Schrems II.

These challenges could lead to the invalidation of the DPF, similar to what occurred with Safe Harbor in 2015 and Privacy Shield in 2020.

2. Violations in Rabbit Inc.'s Privacy Policy

Even assuming the validity of the DPF, Rabbit Inc.'s practices appear to violate several GDPR principles:

  • Lack of transparency (Art. 12-14): The policy does not specify where AWS servers are located (state/region) or how risks from U.S. authorities are mitigated (CMS LawNow - Is the EU-U.S. Data Privacy Framework in Danger?).
  • Consent not freely given (Art. 7): Users must accept data transfers outside the EU to use the Rabbit R1, making consent mandatory rather than optional (Lawfare - Changing Landscape of European Privacy Enforcement).
  • Data minimization (Art. 5(1)(c)): Collects unnecessary data (e.g., full voice history and photo metadata) without clear justification (CMS LawNow - Is the EU-U.S. Data Privacy Framework in Danger?).

3. Technical Weaknesses of the DPF

Even if Rabbit Inc. adheres to the DPF:

4. Next Steps?

To address these concerns, I am asking again:

  1. Request clarification from Rabbit Inc., not via the vulnerability disclosure policy (VDP) at security@rabbit.tech but publicly here, given the importance for European users as clearly expressed by the European regulatory agencies and board, regarding:
  • Their participation in the DPF.
  • A Data Protection Impact Assessment (DPIA) for transfers to AWS servers.
  2. File a complaint with your national Data Protection Authority (EDPB Member List).
  3. Monitor ongoing legal challenges to the DPF, including Schrems III.

Conclusion

While the EU-U.S. Data Privacy Framework provides a mechanism for transatlantic data transfers, Rabbit Inc.'s practices raise significant questions about GDPR compliance.

Transparency, free consent, and data minimization are core principles that must be upheld regardless of adequacy decisions.
