If you’ve made a restaurant reservation online since 2009, odds are that your personal data just moved to France.

The mass data migration happened in recent months after former Australian booking site Dimmi – which manages reservations for 4,500 Australian restaurants – became one of 17 country-specific booking sites consolidated into the growing holdings of LaFourchette SAS, a French company owned by travel giant TripAdvisor.

Dimmi was bought by TripAdvisor in May 2015 and rebranded as TheFork in January.

In September it advised customers it would expatriate their data as part of an effort “refreshing your user experience”.

That means, among other things, using personal details, booking information, geotagging and other information to better understand when, where, and how diners book restaurants.

Personal data would, according to the firm’s updated Privacy Policy, be protected by local law and TheFork would “take steps…to ensure that personal information continues to be protected wherever it is located in a manner consistent with the standards of protection required under applicable law.”

Transfers outside of the EU would “rely on appropriate safeguards” like approved EU Standard Contractual Clauses and the EU-US Privacy Shield Frameworks to manage the data.

Customers could opt out, but those who did would lose accrued loyalty points and be unable to access the newly-upgraded Web site and mobile app, which went live this month.

Where does the data go?

Privacy Act controls over the data of Australian customers will soon be tightened by the strictures of the Consumer Data Right (CDR) legislation, but data moving overseas will be subject to an entirely different set of rules – with no guarantee or recourse for Australians concerned with the way it is being protected.

It’s a growing issue that this week drew the ire of the Australian Competition & Consumer Commission (ACCC), whose chair Rod Sims weighed in on Google’s proposed $US2.1b ($A3b) acquisition of health-tracking giant Fitbit – which has privacy advocates sceptical and many long-time users abandoning their devices in protest.

“The change in data collection policies… creates a very uncertain world for consumers who shared very personal information about their health to Fitbit under a certain set of privacy terms,” Sims said in a speech to the Consumer Policy Research Centre conference.

“Few consumers are fully informed of, nor can they effectively control, how their data is going to be used and shared,” he added.

Promises about consumer data protection – made during Google’s acquisition of DoubleClick and Facebook’s acquisition of WhatsApp – had been reneged years later, Sims noted, echoing the concerns of the ACCC’s Digital Platforms Inquiry.

Google has been working hard to hoover up as much data as it can, collecting masses of data through in-home personal assistants and more recently targeting healthcare information through its “totally creepy, totally legal” Project Nightingale – which is aggregating and analysing sensitive medication histories, lab test results, and biographical information on patients in 23 US states.

Patients have not been notified of Google’s activities or those of healthcare provider Ascension, which is providing the data.

This sort of behaviour continues to raise eyebrows at the ACCC, with Sims calling for acquiring companies to respect consumers’ original privacy choices.

“A lack of clear information about how their data will be handled reduces consumers’ ability to make informed choices based on that data,” he said.

“Given the history of digital platforms making statements as to what they intend to do with data and what they actually do down the track, it is a stretch to believe any commitment Google makes in relation to Fitbit users’ data will still be in place five years from now.”