The European Data Protection Board has raised concerns about Google’s plan to acquire wearable-maker Fitbit. The deal, which was confirmed by the search giant in November 2018, is worth approximately $2.8 billion.
“There are concerns that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data,” said the board, which advises the EU Commission, on Thursday.
Around the same time as the acquisition announcement, the US Department of Health began an investigation of Google surrounding Project Nightingale, its initiative to collect health data from millions of its users.
There are concerns that Alphabet Inc.’s purchase of Fitbit would give it access to historical or current health data of its 28 million active users. Users who did not initially agree to Google’s involvement on their smartwatch purchase.
That data could include a user’s calorie intake, distance traveled, daily steps, heart rate data, and more. With the data, it could potentially advertise food to someone who it can tell hasn’t had dinner yet, or anti-anxiety solutions to someone who’s heart rate has consistent spikes.
For its part, Google says it would never sell personal information and that Fitbit data will not be used for its advertising. It also says Fitbit users will be able to review or delete their data.
“We are acquiring Fitbit to help us develop devices in the highly competitive wearables space and the deal is subject to the usual regulatory approvals, said Google to TechCrunch. “Protecting peoples’ information is core to what we do, and we will continue to work constructively with regulators to answer their questions.”
The second part of that response is likely to cause contention. Alphabet Inc. was forced to pay out $200 million for YouTube child privacy failures last year. Shortly after, it ignored an invitation to discuss privacy and security with congress. It has previously exposed 500,000 Google+ user’s private information and kept user’s location data even when they thought they’d opted out.
This month, it accidentally sent user’s Google Photos videos to random strangers. On top of all this, it was previously fined 50 million euros for GDPR violations. If protecting user’s privacy is a core value, the company should be in crisis right now.
The EU Commission says it has yet to be formally notified of the deal by Google. It’s up to the company to make the first step, but it’s possible some details are still being ironed out. Either way, it’ll be interesting to see how this story develops now that the EU has the deal firmly in its sights.