Google asked by EU data-protection regulators to review privacy impact of Fitbit deal

Google has been asked by EU data-protection authorities to conduct a privacy-impact assessment of its proposed $2.1 billion acquisition of health-tracking company Fitbit before notifying the proposed deal to the European Commission for competition approval, MLex has learned.

The European Data Protection Board — an umbrella group of the bloc's data-protection authorities — said in a statement seen by MLex that it is urging the companies "to mitigate the possible risks of the merger to the rights to privacy and data protection before notifying the merger."

The commission isn't obliged to follow the EDPB's request, and Google could decline to conduct the privacy assessment, arguing that it's not relevant to a merger review. EU merger rules don't include privacy considerations, which are the responsibility of data-protection authorities.

The request marks the first time that the EDPB has become involved in a specific merger involving Big Tech companies and potential privacy concerns. In the past, privacy authorities have said that it's "essential to assess longer-term implications for the protection of economic, data protection and consumer rights whenever a significant merger is proposed."

Privacy advocates have criticized the EU for failing to take account of major online platforms buying companies with large data sets, such as Facebook's purchase of WhatsApp in 2014.

Regarding the Google-Fitbit deal, the EDPB said that "there are concerns that the further concentration of sensitive personal data regarding people in Europe in the hands of a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data."

"The EDPB therefore reminds the parties to the proposed merger, in accordance with the principle of accountability, of their obligations under the GDPR and to conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger," it said.

The EDPB said it would consider the implications that the merger may have for the protection of personal data in Europe, and that it "stands ready to contribute its advice on the proposed merger to the commission if so requested."

Customers who use Fitbit's wearable technology have allowed the collection of sensitive health data, including step counts, heart-rate readings, sleep time, menstrual cycles and location information.

In the US, nine privacy, social justice and consumer groups called for the Federal Trade Commission to block the Google-Fitbit deal, citing antitrust and privacy concerns.

In announcing the acquisition, Google said in a blog post that it would be transparent about the data it collects and for what purpose, would "never sell personal information to anyone," and would not use the health data for Google ads.

"We will give Fitbit users the choice to review, move, or delete their data," Google said.

A Google spokesperson said in an e-mailed statement that the company is acquiring Fitbit "to help us develop devices in the highly competitive wearables space and the deal is subject to the usual regulatory approvals."*

"Protecting peoples' information is core to what we do, and we will continue to work constructively with regulators to answer their questions," the Google spokesperson said.