Countries with data protection laws generally put health data in a special category of sensitive personal information that is subject to stricter regulation. These regulations also usually apply only to the medical industry, however; things like fitness apps and wearables capture some sensitive data of this nature, but are not subject to the same level of regulation.
This issue has been taken up by privacy advocates, and it is now receiving some mainstream attention in the form of a petition to block the proposed merger between Google and Fitbit. The effort is led by Privacy International, and accuses Google of having a dangerous monopoly on personal data.
Health data in the hands of Google?
Google and Fitbit announced a $2.1 billion acquisition in November 2019. Fitbit is one of the world’s leading manufacturers of “smart” fitness devices such as watches, wearable trackers and scales. The company has about 28 million customers. Health data that these devices track include heart rate, number of steps taken, respiratory patterns, menstrual cycles and information about sleep quality.
Google formally notified the European Commission of the proposed acquisition in mid-June of this year, a necessary step in finalizing the merger. The data protection regulator must review the proposed merger for potential harm it might cause to European Union (EU) consumers.
In response, Privacy International issued a letter stating that the merger would give Google a dangerous level of insight into and control over people’s personal data. The letter argues that Google already has access to an immense amount of personal data, and combining health data with this trove of sensitive information creates too much potential for invasive monitoring and discrimination.
The letter references Project Nightingale, a Google initiative that was revealed shortly after the Fitbit merger was announced in November. The project represents Google’s first formal move into the health care industry, with the tech giant partnering with the Ascension health care system to store and process its patient data in the cloud. The project would see the patient care records of millions of people pass through Google’s hands. It is currently being investigated by the United States Department of Health and Human Services (HHS) to determine if it is HIPAA compliant; concerns were raised by an anonymous whistleblower that Ascension patients would not be allowed to opt out of this system.
The letter also points out questionable elements of Google’s data handling record, chiefly its major antitrust fine in France in late 2019 for arbitrary abuses of its search advertising platform.
Privacy International has called for the EU Commission to reject the merger. The commission is set to make a decision by July 20. The merger is also contingent on approval by antitrust regulators in the United States and Australia.
Potential issues with Google having health data
Ioannis Kouvakas, Legal Officer at Privacy International, summarized the public’s concerns: “Regardless of whether we are Fitbit users or not, we all need to stop and think about the wider implications of this merger. Can we trust a company with a shady competition and data protection past with our most intimate data?”
Fitbit has stated that its data would not be used with Google’s targeted advertising system. However, Fitbit is not necessarily in a position to guarantee that remains the case after the merger. Privacy International points out two other cases in which similar statements were made that later turned out to be false: Google’s merger with Doubleclick and Facebook with WhatsApp.
Unburdened by special regulations, privacy advocates worry what Google might do with all of that Fitbit health data. There are some legitimately concerning possibilities.
The biggest concern is that Google adds it to the sprawling advertising profiles that it collects on all internet users that encounter its services, even those that do not have Google accounts. Internet users might start seeing targeted ads related to their health conditions appearing in their browsers and apps. This would not be limited to known diagnoses of medical issues; the type of health data that Fitbit captures could allow Google to get fairly accurate beads on a person’s mood or behavior in the moment.
Discrimination is another serious concern. The possibility exists that “big data” profiles such as these might be used by health insurance companies to deny coverage, refuse to pay claims and unfairly screen out customers or charge them excessive premiums by citing a high level of risk.
This also creates another worrying centralized source of sensitive personal data that is now subject to potential breach. A threat actor could potentially get someone’s personal profile, web browsing history and health data all in one convenient package. Real-world persecution is also a potential concern should someone gain access to particular types of health data in combination with someone’s physical address or online contact information.
In addition to clearing the July 20 review in the EU, the merger is subject to an ongoing review by the Department of Justice (DOJ) in the United States. The DOJ has not set a deadline for completing this review, and could opt to either block the merger or impose additional terms on it. Australia’s antitrust regulation body, the Australian Competition and Consumer Commission (ACCC), has also weighed in with public concerns about the potential harm that Google’s access to all of this health and wellness data could cause. The ACCC is conducting its own review of the merger, which is slated to wrap up by August 13.