Google wants to acquire Fitbit, and we shouldn’t let it!

fitbit

Photo by Ashstar01  (CC BY-SA 3.0)

The lead author of this piece is Elettra Bietti, a doctoral student at Harvard Law School and volunteer for Privacy International.

Yesterday, we found out that Google has been collecting a wide range of health data as part of a project it has named “Project Nightingale.” Google has purportedly been amassing data for about a year on patients in 21 U.S. states in the form of lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth. Today’s news adds to our concerns around the Google / FitBit merger.

The transaction

Just a few days ago, Privacy International learned of Google’s parent Alphabet’s proposed acquisition of Fitbit.

Alphabet is Google’s parent company. In 2018, it generated 85% of its $136.22 billion in revenue from delivering targeted advertisements to the users of their many user-facing services, which include the Android operating system, Google Search, YouTube, Gmail, and many others.

Google has a long track record of competition law infringements in the EU, including violations of competition on the search market, on Google Play Store and Android and on the market for online advertising intermediation. The company is also currently under investigation in the United States and has a long track record of mergers and acquisitions.

Fitbit is a company that produces and sells health tracking technologies and wearables including smartwatches, health trackers, smart scales and other health tracking services including via mobile. Fitbit reported a revenue of $1.51 billion in 2018 and its revenues have increased in 2019.

A big part of Fitbit’s value is said to lie in the quality of the health data it possesses. The company’s technologies can track individuals’ daily steps, distance walked or traveled, calories burned, sleep patterns and heart rate. In the recent past, Fitbit has increased its health-related database and health tracking capabilities by acquiring a number of other actors on the health tracking and wearables market, including FitStar, Pebble, Vector and Twine Health. Some of these acquisitions include partnerships with health insurers as part of efforts to diversify its revenue stream.

The merger between these two companies would effectively allow Google/Alphabet to establish itself as an even stronger player in the markets for health data-related services including health tracking devices. Most significantly perhaps, the merger could potentially allow the company to enrich any large datasets and detailed consumer profiles it may hold with sophisticated real time data about individuals’ health conditions and needs, as well as general information about their daily behaviour and bodily rhythms. Anything Google/Alphabet is planning to do with Fitbit’s data is concerning to us.

Our concerns

A merger between these two companies raises a number of significant competition and privacy concerns, related to the potential uses that Google could make of Fitbit’s valuable health data, to the pooling of data between these two entities, and to the exclusionary potential of Google’s entry on the health tracking market. We are dismayed that sensitive health data such as the data currently controlled by Fitbit could become combined with that of a dominant digital platform such as Google, with the potential to be spread and reused in circumstances likely to impair people’s privacy, dignity and entitlement to equal treatment.

Privacy International has already asked the Competition and Markets Authority in the UK to consider the impact of data concentration on the operation of digital markets, particularly how the use of large amounts of personal data by dominant platforms like Google can lead to various forms of consumer exploitation in the form of microtargeting and discrimination. In this regard, the European Data Protection Board (EDPB) has also noted that the increase in the concentration of digital markets “has the potential to threaten the level of data protection and freedom enjoyed by consumers of digital services”.

While in their Press Release, Fitbit state that their “health and wellness data will not be used for Google ads,” in the past similar statements have been made to the European Commission in relation to mergers that have resulted in pervasive and problematic data sharing schemes between the merging entities. Two examples are the Google / Doubleclick merger and the Facebook / Whatsapp merger, which led to a number of decisions finding that the parties had misled competition regulators (see e.g. here). In light of Google’s own efforts to gather health data independently, we are concerned about the effects on individuals of possible combinations of the two merging parties’ already large health databases.

The harms at stake

Google is dominant on the market for online and mobile advertising practices, at least since its acquisition of Doubleclick in 2008, and has been abusing its dominance on that market. If this merger goes through, the merged entity could significantly contribute to creating a state of affairs where individuals are shown online advertisements and are sold products not only – and alarmingly - in connection to their sensitive health conditions, but also in relation to their general bodily sensitivity, including real-time physical reactions, moods and behaviors. We would thus quickly be verging toward an environment in which our moods and physical reactions could be second-guessed before we even have an ability to understand them.

Medical data is probably among the most sensitive of data; you would not share them with anyone besides your doctor or close family members, if at all. Last year we learned that Grindr, the LGBT dating app, shared its users’ HIV status with third parties. The data Google can gather about individuals’ health-related searches and the data that Fitbit possesses through their tracking devices might be equally sensitive and cause as much concern.

Privacy International recently looked into menstruation apps’ data practices, discovering that several of these apps seem to disregard the sensitive nature of the data they collect and use, and that some of them in fact are sharing personal data about women’s health, sexual life and mood with Facebook. Similarly, Privacy International previously conducted a study on 136 mental depression sites in France, Germany and the UK showing that most of these websites fail to comply with data protection and privacy law and share sensitive data about website visitors’ depression concerns and symptoms with advertisers, brokers and dominant platforms. The sharing and combination of health data across different websites, apps or services in the digital ecosystem is a cause for scrutiny not only because it largely fails to comply with data protection rules, but also because it leads to a surveillance-as-a-default environment that is harmful to personal dignity and identity and leads to discrimination and exclusion.

The location data the merging parties will be combining is also extremely sensitive. Recently on 29 October, Google was accused by the Australian Competition and Consumer Commission (ACCC) of misleading consumers regarding its collection and use of geolocation data in breach of consumer protection laws. The ACCC’s case is premised on the fact that individuals were not warned that by switching off their “Location History” they would not be stopping Google from continuing to track their location through Android and the web browser. In November 2018, the Norwegian Consumer Council similarly found that Google continuously tracks its users through a number of tracking devices including mobile phones, a practices that breaches of European Data Protection, a number of consumer protection organisations across Europe have complained to data protection authorities about this practice. The New York Times also conducted extensive reporting on geolocation tracking by Google in December 2018 causing public outrage and demonstrating that we have privacy expectations when it comes to the sharing of our location data.

A combination of Google / Alphabet’s potentially extensive and growing databases, user profiles and dominant tracking capabilities with Fitbit’s uniquely sensitive health data could have pervasive effects on individuals’ privacy, dignity and equal treatment across their online and offline existence in future. We therefore strongly urge competition regulators in charge of scrutinizing this merger to not let it go through and err on the side of caution in favoring the fundamental freedoms of the many over the financial profits of the few.