The European Data Protection Board (EDPB) has ordered Google to conduct “a full assessment of the data protection requirements and privacy implications” of its acquisition of wearables giant Fitbit. 

In a plenary session on February 20, concerns were raised about the privacy implications of a merger of obligations under the EU’s General Data Protection Regulation (GDPR). 

The Board urged both firms “to mitigate possible risks to the rights to privacy and data protection before notifying the merger to the European Commission”.

It added that the EDPB will “consider any implications for the protection of personal data in the European Economic Area”.  

Google and Fitbit did not respond to requests for comments from HIMSS Media.

WHY IT MATTERS 

There have been questions around what will happen to Fitbit’s sensitive health and wellness data, since Google announced the acquisition in November last year.

UK’s data watchdog, the Information Commissioner’s Office (ICO), and the US Department of Justice are both looking into privacy concerns around the deal. 

In a blog post about the acquisition, Google’s senior vice president of devices and services, Rick Osterloh, reassured consumers that “privacy and security are paramount”.

He wrote: “Similar to our other products, with wearables, we will be transparent about the data we collect and why. We will never sell personal information to anyone. Fitbit health and wellness data will not be used for Google ads. And we will give Fitbit users the choice to review, move, or delete their data.”

THE LARGER CONTEXT 

It is not the first time Google has faced privacy concerns over its acquisitions. Following the purchase of the British artificial intelligence lab DeepMind in 2014, an investigative report from the New Scientist claimed that Google would have access to NHS patients’ health data without consent. 

Although DeepMind and the NHS announced an agreement addressing the concerns, an independent panel report released in 2017 still raised data security and privacy issues. 

Meanwhile, Fitbit recently unveiled a new feature, which allows users to check blood oxygen level variability on its Sp02-enabled devices including Versa, Versa Lite, Versa 2, Charge 3 and Iconic. 

ON THE RECORD

The EDPB said: “Following the announcement of Google LLC’s intention to acquire Fitbit, the EDPB adopted a statement highlighting that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to privacy and data protection.”

An ICO spokesperson said: “We are aware of Google’s acquisition of Fitbit and we are considering the potential impact on the privacy rights of UK users.”