Google’s acquisition of fitness company Fitbit is nearing completion. Following the company’s $2.1bn (£1.54bn) purchase, it faced investigation from the US government, the EU, and Australian government about its use of data. Many users will have the same question – how is Fitbit data going to be used by Google?
For EU citizens, what happens to their data is certain. In a post-Brexit world, it remains unclear how it will affect those in the UK.
“While we cannot know for certain, our understanding is that the European Commission acts as an umbrella competition authority for all EU member states and therefore carries out the review of the merger somehow on their behalf too. Since the decision to green light the merger was taken before the 31st of December 2020, it seems like the merger was already approved under EU law and could thus bind the UK too”, Ioannis Kouvakas, legal officer at Privacy International, told The Independent.
Neither Google, Fitbit, the EU Commission, nor the ICO responded to The Independent’s requests for more information.
The Competition and Markets Authority (CMA) said that there was not currently an investigation into the merger of Google and Fitbit.
“We will maintain strong data privacy and security protections, giving you control of your data and staying transparent about what we collect and why,” James Park, Fitbit’s chief executive, president and co-founder, wrote in a statement although there are concerns from privacy advocates that the merger will reject consumers’ data privacy rights in favour of corporate profits.
With the UK’s Fitbit data still in the lurch, the EU has issued clarifications on how their citizens’ data will be used.
In the EU, for the next ten years, Google will not be able to use the health and wellness data, as well as other data collected via sensors such as GPS, from Fitbit devices in the European Economic Area (which the UK left on 31 January 2020) for Google ads.
Google will maintain a technical deparation – a “data silo” – which will remain separate from other Google data, and users will have an “effective choice” to grant or deny access to health data to be used by Google Search, Maps, Assistant, or YouTube.
Google will also need to maintain the Fitbit Web API, which will continue to work with third-party services, without charging for access.
There were concerns that Google would use its merger to shut down ways for other devices to connect to Android phones, but the EU Commission has stated that Google must maintain these APIs (Application Programming Interface, which allows applications to communicate).
“Such core functionalities include but are not limited to, connecting via Bluetooth to an Android smartphone, accessing the smartphone’s camera or its GPS”, the EU Commission says.
“To ensure that this commitment is future-proof, any improvements of those functionalities and relevant updates are also covered.
While these regulations will continue for a decade, Google’s “entrenched position in the market for online advertisement” means that it could be extended by another ten years, should such action be necessary.
However, pro-privacy organisation Privacy International has said that the EU Commission’s review is inadequate.
“The commitments will likely fail to be implemented in a manner that will uphold consumers’ data privacy rights over corporate profit”, the organisation said in a statement.
It argued that the Commission did not consider concerns to the digital healthcare sector because the industry is still nascent in Europe, but that it should have done – lest Google use its might to stifle competition.
“Nothing seems to prevent Google from further enriching their massive data troves with vast quantities of sensitive health data and potentially exploiting our data in ways that go beyond digital advertising markets.
“Google’s latest leap forward is going to be game-changing in all the wrong ways. Enabling any company, through acquisition and merger to embed itself so deeply into so many aspects of our lives, is deeply troubling”, Privacy International said in a statement.
“Fitbit users will be asking themselves whether they want sensitive data like this being used and monetised by Google,” says Ed Johnson-Williams, a policy officer at Open Rights Group, told Wired in 2019. “Google says they won’t use the data for targeting ads. Google must tell Fitbit users and competition authorities what other purposes they will they use it for.
“In the past, Google has abruptly pulled the plug on devices sold to customers by companies they’ve acquired. Google must also reassure Fitbit users that this won’t happen here.”
Google reputation in the healthcare industry is questionable, following its restricting that moved healthcare-focused subsidiary, DeepMind Health, into the main arm of the organisation in 2018, despite claiming that NHS “data will never be connected to Google accounts or services”
The search giant said the move was necessary to allow DeepMind’s health app Streams, which monitored kidney injury, to scale up, but privacy researchers slammed it as a betrayal.
“Making this about semantics is a sleight of hand. DeepMind said it would never connect Streams with Google. The whole Streams app is now a Google product. That is an atrocious breach of trust, for an already beleaguered product”, privacy researcher Julia Powles said at the time.