You may have seen the headlines over the last few weeks - Google has just paid US$2.1 billion to acquire Fitbit. Who would have thought that those kms you busted out this morning could be so lucrative!
With yet another major acquisition done and dusted for the tech giant, many are nervous about the potential implications for consumers, their data and privacy.
Both companies have been quick to confirm that users will remain in control of their data and that there will be transparency about what data will be collected and why. But some commentators remain sceptical in light of other recent events – including the claim that Google has acquired the medical data of up to 50 million Americans without their knowledge in a deal with Ascension (the second largest healthcare provider in the US), and the unrelated Australian Competition and Consumer Commission (ACCC) lawsuit, which alleges that Google misled consumers about how it was collecting, storing and using location data.
One thing is clear – the regulatory tide is changing. The ‘BigTech’ companies are much more than clever disruptors challenging the status quo, and regulators around the world are becoming increasingly suspicious of these giants and more activist and creative in their approach to protecting consumers.
The ACCC lawsuit against Google, which relies on its consumer law powers (rather than privacy law) is a good example of this. Another example is the new California Consumer Privacy Act (CCPA) effective in 2020, which is aimed at re-balancing the lucrative but murky ad-tech universe and providing consumers living in California with the right to access, delete and opt out of the sale of, their personal information.
Closer to home, the New Zealand Privacy Commissioner John Edwards has a no holds barred approach to tackling privacy. In a recent conference speech and article, he shared insight on his pragmatic approach to the vexed area of consent:
If you are telling customers in the “click to consent” box that their information will be used to “enhance the services we can provide you”, and page 35 of the legalese-dense privacy policy says that all your transaction information will be available to US data brokers, I may well conclude that you have not discharged your obligation under information privacy principle 3 [collection of information] (and potentially IPP 4 for unfairness, in particular for children and other vulnerable consumers), and that you are therefore in breach of the Privacy Act.
He also tackled the topic of addressing the power asymmetry of the Big Tech companies, and concluded that:
Small countries like New Zealand need to ensure that they are internally unified against the threats presented by unscrupulous digital operators, so that whether the threat presents in a context of election integrity, harmful content, privacy or consumers’ rights, we are working as one, for the people we represent.
And even more importantly, we need to combine internationally to push back against the one-sided offering we get from the companies that profit from our populations’ data.