Fitbit and Google merger: What happens to your health data now search giant owns it

It is not known how the deal will affect UK users’ data, as the EU Commission’s ruling does not apply post-Brexit

Adam Smith
Friday 15 January 2021 14:28
comments

Google’s acquisition of fitness company Fitbit is nearing completion. Following the company’s $2.1bn (£1.54bn) purchase, it faced investigation from the US government, the EU, and Australian government about its use of data. Many users will have the same question – how is Fitbit data going to be used by Google?

Of these investigations, only the EU’s approval has been granted to the two companies – despite both Google and Fitbit claiming to the contrary, the US Department of Justice says its investigation is ongoing.

“We will maintain strong data privacy and security protections, giving you control of your data and staying transparent about what we collect and why,” James Park, Fitbit’s chief executive, president and co-founder, wrote in a statement although there are concerns from privacy advocates that the merger will reject consumers’ data privacy rights in favour of corporate profits.

As the merger case was submitted to the European Commission before Britain left the EU, the decision over data remains with them. The Competition and Markets Authority has said it does not have justification to open its own investigation. 

The Information Commissioner's Office told The Independent that it is “aware of Google’s acquisition of Fitbit and the EU Commission’s investigation in this area, and we will engage with our European colleagues where necessary.”

In the EU, and by extension the UK, Google will not be able to use the health and wellness data, as well as other data collected via sensors such as GPS, from Fitbit devices in the European Economic Area (which the UK left on 31 January 2020) for Google ads for the next ten years.

Google will maintain a technical deparation – a “data silo” – which will remain separate from other Google data, and users will have an “effective choice” to grant or deny access to health data to be used by Google Search, Maps, Assistant, or YouTube.

Google will also need to maintain the Fitbit Web API, which will continue to work with third-party services, without charging for access.

There were concerns that Google would use its merger to shut down ways for other devices to connect to Android phones, but the EU Commission has stated that Google must maintain these APIs (Application Programming Interface, which allows applications to communicate).

“Such core functionalities include but are not limited to, connecting via Bluetooth to an Android smartphone, accessing the smartphone's camera or its GPS”, the EU Commission says.   

“To ensure that this commitment is future-proof, any improvements of those functionalities and relevant updates are also covered.

While these regulations will continue for a decade, Google’s “entrenched position in the market for online advertisement” means that it could be extended by another ten years, should such action be necessary.

However, pro-privacy organisation Privacy International has said that the EU Commission’s review is inadequate.

“The commitments will likely fail to be implemented in a manner that will uphold consumers’ data privacy rights over corporate profit”, the organisation said in a statement.  

It argued that the Commission did not consider concerns to the digital healthcare sector because the industry is still nascent in Europe, but that it should have done – lest Google use its might to stifle competition.  

"Nothing seems to prevent Google from further enriching their massive data troves with vast quantities of sensitive health data and potentially exploiting our data in ways that go beyond digital advertising markets.

"Google's latest leap forward is going to be game-changing in all the wrong ways. Enabling any company, through acquisition and merger to embed itself so deeply into so many aspects of our lives, is deeply troubling”, Ioannis Kouvakas, legal officer at Privacy International, said in a statement.

“Fitbit users will be asking themselves whether they want sensitive data like this being used and monetised by Google,” says Ed Johnson-Williams, a policy officer at Open Rights Group, told Wired in 2019. “Google says they won’t use the data for targeting ads. Google must tell Fitbit users and competition authorities what other purposes they will they use it for.

“In the past, Google has abruptly pulled the plug on devices sold to customers by companies they’ve acquired. Google must also reassure Fitbit users that this won’t happen here.”

Google reputation in the healthcare industry is questionable, following its restricting that moved healthcare-focused subsidiary, DeepMind Health, into the main arm of the organisation in 2018, despite claiming that NHS “data will never be connected to Google accounts or services”

The search giant said the move was necessary to allow DeepMind’s health app Streams, which monitored kidney injury, to scale up, but privacy researchers slammed it as a betrayal.

“Making this about semantics is a sleight of hand. DeepMind said it would never connect Streams with Google. The whole Streams app is now a Google product. That is an atrocious breach of trust, for an already beleaguered product”, privacy researcher Julia Powles said at the time.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments