Google's FitBit acquisition could pose 'high risk' to privacy: European Data Protection Board

Raising privacy concerns around Google’s acquisition of  FitBit, the European Data Protection Board (EDPB), on February 20, said that “the combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to privacy and data protection”. Following the 18th EDPB plenary session, the Board said that both Google and FitBit should conduct a “full assessment of the data protection requirements and privacy implications of the merger in a transparent way”,  and mitigate any privacy risks before notifying the merger to the European Commission. We have reached out to Google for comment.

Google’s FitBit acquisition gives it access to health data of 28 million FitBit users: Google had announced the acquisition of wearables company FitBit for $2.1 billion in November 2019, to help invest further in Wear OS and introduce Made by Google wearables into the market. Apart from the hardware push, the acquisition will give Google access to health data of FitBit’s 28 million active users. FitBit devices track granular health data of wearers, such as steps taken, calories burned, exercises performed, sleep cycle and quality. According to a TechCrunch report, the merger has not been formally notified to the EDPB.

• At the time of the deal, Google had claimed that it will be transparent about what and why data will be collected, stating that “privacy and security are paramount”. It had also claimed that FitBit health and wellness data will not be used for Google ads, and FitBit users will have the choice to review, move, or delete their data. FitBit had made the same claims in its announcement.

Privacy and antitrust concerns around the acquisition were raised in the US: However, a coalition of privacy, consumer and social justice groups had, in November 2019, asked the United States government to block the acquisition, citing antitrust and privacy concerns. Fitbit would help Google to increase its dominance over internet searches, and give it another way to gather health information, the coalition had said.

Google’s ‘Project Nightingale’: The acquisition had also come amid media reports suggesting that Google was secretly gathering the health data of millions of Americans on behalf of the US’ second-largest healthcare provider, Ascension. The data gathered included lab results, diagnoses, hospitalisation records, patient names and dates of birth. Dubbed ‘Project Nightingale’, the project involved collection of health data from Ascension’s hospitals without informing patients of such collection.

Irish privacy regulator investigating Google on processing of location data: The Data Protection Commission (DPC) in Ireland initiated an inquiry to investigate complaints regarding Google’s processing of location data earlier this month. Consumer privacy groups across the EU had raised concerns regarding the legality of the tech giant’s processing of location data and the transparency surrounding the processing.