
Google Claims That Fitbit Acquisition Is Complete Despite Ongoing DOJ Investigation Into Handling of Health Data

Google’s $2.1 billion acquisition of market-leading activity tracker company Fitbit, which has dragged on for over a year due to scrutiny from international regulators, now appears to be complete. At least according to Google. The company announced in a blog post that the deal is complete, but US regulators may not agree. The Justice Department’s investigation into Fitbit’s use and handling of user health data and impact on the market remains ongoing, the agency reaffirmed after Google announced that the deal was done.

Questions about health data remain unanswered as Google presses forward

After Google published its blog post on January 14, the DOJ’s antitrust division released a statement clarifying that the deal was still under investigation. According to DOJ deputy assistant attorney general Alex Okuliar: “The Antitrust Division’s investigation of Google’s acquisition of Fitbit remains ongoing. Although the division has not reached a final decision about whether to pursue an enforcement action, the division continues to investigate whether Google’s acquisition of Fitbit may harm competition and consumers in the United States.”

Google claimed that it had the right to press forward with the deal because it had reached the end of an agreed-upon waiting period without any action taken by the DOJ. Though Google may have the legal right to move forward without approval, it does not mean that the deal is in the clear. The DOJ could, at minimum, sue to reverse the merger in the future if it finds a violation of antitrust laws (as happened recently with Google’s partnerships with various hardware manufacturers and internet browser publishers).

Google has previously promised to maintain Fitbit’s current data collection and privacy policies, and has said that it will not integrate Fitbit health data with its personalized advertising networks. Fitbit devices collect a variety of information related to exercise, such as heart rate and number of steps taken per day. Certain models also track quality of sleep. Fitbit’s current privacy policy prevents the sharing of any personally identifiable information; the company’s revenue comes from the sale of its devices and optional “premium services” subscriptions. However, Fitbit does sometimes partner with employers and insurance agencies that wish to offer fitness incentives to employees and clients. Google’s claim that the Fitbit acquisition is about “devices, not data” would indicate that it plans to continue focusing on revenue from hardware sales, at least for now.

Of course, things can always change (and often do in the world of big tech). Facebook made similar promises after acquiring the privacy-focused WhatsApp in 2014, but began walking them back and integrating the service with its targeted advertising ecosystem in 2016. But for the moment, Google is reassuring users that it won’t be sharing health data and will continue allowing connections to third-party services via Fitbit’s API at no cost.

That last item is important in terms of the anticompetitive aspect of the DOJ’s investigation. One of its primary concerns is that Google will shrink the fitness wearables market by refusing to allow other manufacturers to access the Android API or by charging fees, preventing integration with smartphones and essentially reducing the wearables market to just itself and Apple.

Privacy of health data secured for ten years … for now

At minimum, Fitbit users in the EU will not have to worry about health data being sold or integrated into Google’s ad tracking ecosystem, at least not for a decade. That was one of the conditions placed on the merger when the European Commission approved it in December; Google will also be required to provide developers with API access at no cost, be monitored by a trustee that has access to company records, and participate in a fast-track dispute resolution framework.

The merger also remains in legal limbo in Australia, where the Competition & Consumer Commission (ACCC) had previously threatened Google with a $400 million fine if it jumped the gun. The ACCC seems to have reversed that position since the acquisition was formally announced, however, telling The Verge that it does not fine companies for merging ahead of a formal approval.


Privacy and consumer groups have been protesting the deal since it was announced. The biggest organized pushback has come from a coalition of 20 consumer rights groups, including Privacy International and the Open Society European Policy Institute, which is primarily concerned about Google’s potential market dominance and a possible move into the health care industry. Though fitness tracking devices gather a variety of health data that medical records regulations usually apply to, companies like Fitbit have been able to legally dodge this level of responsibility in the US as existing HIPAA laws are generally applied to patient care facilities only. Google has had some interest in moving into medical care for several years now, primarily by applying artificial intelligence (AI) to patient diagnosis and business aspects as well as creating centralized digital records storage technology. The company took some flak in 2019 over its “Project Nightingale” initiative, which saw it access the health data of millions of US patients of the Ascension Health system without informing them.

 

Senior Correspondent at CPO Magazine