Google gobbling Fitbit is a major privacy risk, warns EU data protection advisor
The European Data Protection Board (EDPB) has intervened to raise concerns about Google’s plan to scoop up the health and activity data of millions of Fitbit users — at a time when the company is under intense scrutiny over how extensively it tracks people online and for antitrust concerns.
Google confirmed its plan to acquire Fitbit last November, saying it would pay $7.35 per share for the wearable maker in an all-cash deal that valued Fitbit, and therefore the activity, health, sleep and location data it can hold on its more than 28M active users, at ~$2.1 billion.
Regulators are in the process of considering whether to allow the tech giant to gobble up all this data.
Google, meanwhile, is in the process of dialling up its designs on the health space.
In a statement issued after a plenary meeting this week the body that advises the European Commission on the application of EU data protection law highlights the privacy implications of the planned merger, writing: “There are concerns that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data.”
Just this month the Irish Data Protection Commission (DPC) opened a formal investigation into Google’s processing of people’s location data — finally acting on GDPR complaints filed by consumer rights groups as early as November 2018 which argue the tech giant uses deceptive tactics to manipulate users in order to keep tracking them for ad-targeting purposes.
The Irish DPC, which is the lead privacy regulator for Google in the EU and a member of the EDPB, said the advisory body’s statement is a reflection of the collective views of data protection agencies across the bloc.
The EDPB’s statement goes on to reiterate the importance for EU regulators to asses what it describes as the “longer-term implications for the protection of economic, data protection and consumer rights whenever a significant merger is proposed”.
It also says it intends to remain “vigilant in this and similar cases in the future”.
The EDPB includes a reminder that Google and Fitbit have obligations under Europe’s General Data Protection Regulation to conduct a “full assessment of the data protection requirements and privacy implications of the merger” — and do so in a transparent way, under the regulation’s principle of accountability.
“The EDPB urges the parties to mitigate the possible risks of the merger to the rights to privacy and data protection before notifying the merger to the European Commission,” it also writes.
We reached out to Google for comment but at the time of writing it had not provided a response nor responded to a question asking what commitments it will be making to Fitbit users regarding the privacy of their data.
Fitbit has previously claimed that users’ “health and wellness data will not be used for Google ads”.
However big tech has a history of subsequently steamrollering founder claims that ‘nothing will change’. (See, for e.g.: Facebook’s WhatsApp U-turn on data-linking.)
“The EDPB will consider the implications that this merger may have for the protection of personal data in the European Economic Area and stands ready to contribute its advice on the proposed merger to the Commission if so requested,” the advisory body adds.
We also reached out to the European Commission’s competition unit for a response to the EDPB’s statement. A spokeswoman confirmed the transaction has not been formally notified to it.
“It is always up to the companies to notify transactions with an EU dimension to the European Commission,” she added.
It is not yet clear whether or not the acquisition will face merger control review in the EU.
Update: A Google spokesperson has now sent this statement: “We are acquiring Fitbit to help us develop devices in the highly competitive wearables space and the deal is subject to the usual regulatory approvals. Protecting peoples’ information is core to what we do, and we will continue to work constructively with regulators to answer their questions.”
This report was updated with additional comment