It wasn’t too long ago that Google announced it had plunked down $US2.1 ($3) billion to acquire Fitbit. While the news was welcomed by some, many others raised the question of what would happen with all that health data Fitbit had collected. You can count the European Data Protection Board among the latter. At its 18th plenary session, the advisory board released a statement expressing concern that the acquisition represents a major privacy risk.
“Following the announcement of Google LLC’s intention to acquire Fitbit, the EDPB adopted a statement highlighting that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to privacy and data protection,” the statement reads.
In the statement, the EDPB is also keen to point out that the Google-Fitbit merger must comply with the European Union’s General Data Protection Regulation (GDPR). “The Board urges the parties to mitigate possible risks to the rights to privacy and data protection before notifying the merger to the European Commission,” the advisory body added. “The EDPB will consider any implications for the protection of personal data in the EEA and stands ready to contribute its advice to the EC if so requested.
There’s good reason for the EDPB to be sceptical of the Google-Fitbit deal. For starters, Google, along with Facebook, was found to be in violation of GDPR the first day the law came into effect. Last year, France fined Google $US57 ($86) million for its opaque privacy terms. In the U.S., the deal is also facing scrutiny from the Department of Justice. Not to mention, Google is currently facing numerous antitrust inquiries.
It’s also worth noting that the data in question is not just your steps, heart rate, sleep, and general activity. It also includes reproductive health, including sexual encounters and whether or not protection was used. Plus, Fitbit is collecting data that you might not even know in preparation for future features down the line. For instance, back in 2017, Fitbit introduced Sp02 sensors into its Ionic smartwatch—and, has included them in subsequent trackers like the Versa and Charge 3. While Fitbit kept mum about what it was tracking, it was an open secret that the company was interested in sleep apnea. Well today, the company rolled out a new ‘Estimated Oxygen Variation’ graph to all Charge 3, Versa, Versa Lite, Versa 2, and Ionic users to help them measure blood oxygen saturation while they sleep. Barring regulatory bodies stepping in and shutting down this merger, this just a slice of what Google’s actually buying.
Both Google and Fitbit are aware of the privacy concerns. In its original blog post announcing the acquisition, Google wrote that “We will be transparent about the data we collect and why. We will never sell personal information to anyone. Fitbit health and wellness data will not be used for Google ads. And we will give Fitbit users the choice to review, move, or delete their data.” These sentiments were echoed by Fitbit’s corresponding press release.
Whether this pans out to be true, however, is another story. As I’ve written previously, Nest said the same thing when Google acquired it. It took five long years, but lo and behold, Google is now requiring Nest users to migrate their accounts and any vague promises of users owning their data are moot. For now, it’s a game of wait-and-see as to whether regulators will step in and intervene, or if Google prevails according to plan.