During the Consumer Policy Research Centre 2019 Conference, Mr. Rod Sims, the incumbent chairman of the Australian Competition and Consumer Commission (‘ACCC’), addressed the issue of data security in the contemporary era of growing digital economies.
Mr. Sims discussed the examples of the recent acquisitions of WhatsApp and Instagram by Facebook and of Fitbit by Google. Such acquisitions contravene various legal provisions if viewed from the perspective of Data Protection law. In recent times, Data Security Problems (‘DSP’) have shown a direct correlation with the Mergers and Acquisitions (‘M&A’) of digital platforms.
Viewed from the competition law perspective, the current trend of M&As has a huge impact on market competition, as it places highly sensitive and valuable private data under the near-exclusive control of a few commercial enterprises, thereby making such enterprises dominant in the relevant market.
The acquisition of Fitbit by Google, which is to take effect by next year, is already causing quite a stir in legal and judicial bodies across the world. The ACCC recently brought an action against Google, accusing it of misleading consumers across Australia regarding its location services and thereby breaching the Australian Consumer Law. If the charges are confirmed in the Federal Court of Australia, the ACCC would levy a penalty of up to 10% of its annual turnover (in Australia) for allegedly exploiting user data.
California, the home state of the tech giant itself, implemented the California Consumer Privacy Act, which is supposedly modeled after the EU’s GDPR. Furthermore, in the United States, the Federal Trade Commission fined Google and its subsidiary YouTube $170 million for illegally collecting information from children without the consent of their parents.
The Google-Fitbit acquisition deal will be reviewed under United States antitrust laws, and also in light of the EU-US Privacy Shield, which is a framework regulating the exchange of personal data between the United States and the European Union. Google will be under the jurisdiction of several data protection legislations, which will definitely be a massive encumbrance to overcome. There are numerous examples of data privacy breaches by Google in the past and of fines imposed on it in various jurisdictions. For example, in January 2019, Google was fined around US $57 million by the French data regulator CNIL (National Data Protection Commission) for a breach of the GDPR, including a lack of transparency and of valid consent from its users regarding ads personalization.
The recent acquisition of Fitbit is now part of Google’s health-driven initiative ‘Project Nightingale’ and has already raised several questions of legal scrutiny across governmental and privacy-protection bodies globally. Considering that Fitbit has gradually acquired troves of personal and sensitive health data, this can easily be exploited by Google for various reasons, which might include targeted advertisements and the selling of data to third parties. Fitbit and its corresponding devices store on their servers data fed by the users regarding their lifestyle and dietary habits, which can be classified as ‘big data’. Although the term ‘big data’ has become ubiquitous, the very concept is still in the nascent stage of development. The term ‘big data’ suffers from a definitional challenge; even the widely-quoted 2011 big data study by McKinsey highlights this, and for the same reason we refer to the Oxford English Dictionary (OED). The OED defines big data as: “data of a very large size, typically to the extent that its manipulation and management present significant logistical challenges”. This data holds immense pertinence and utility for third parties, such as health professionals or insurance companies who, with the consent of the device users, can utilize the information for profit, as it will be shared and subsequently used for healthcare plans or insurance policies.
The main bone of contention brought forth by bodies such as the ACCC concerns this highly sensitive data, which can be easily exploited for profit by a company such as Google.
The acquisition has taken center stage, as legal agencies across the European Union will primarily be fixated upon this process, and any data controller, such as Google in this instance, will have to comply with the GDPR regarding the basis, purpose and disclosure of all and any data collection. Since the GDPR is extraterritorially applicable, Google will have to satisfy a framework of regulations and laws which prevents it from acquiring sensitive data from Fitbit’s servers.
The Indian Scenario
Google may even find that the Indian subcontinent poses a hurdle, with the pending Personal Data Protection Bill, which was introduced in 2019 and is supposedly also modeled after the GDPR in terms of many of its rules and regulations. India, until now, did not legislate for data protection, and had to rely on the Information Technology Act, 2000 (‘IT Act’) and the subsequent 2008 amendment to the same legislation, with reliance on mainly two sections, i.e., 42 and 72A.
It is worth noting that the IT Act only provided protection against corporate entities and nowhere mentioned any public authority. The amended section 72A has a wider ambit and provides protection against any person who handles personal data under the terms of a lawful contract, but it is still flawed. Also, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 only deal with protection of “sensitive personal data or information of a person”. However, neither of these provisions provides any effective protection against data misuse by government entities.
These provisions are outdated and ineffective against twenty-first-century technology. However, the pending Personal Data Protection Bill would require foreign companies like Google dealing with sensitive personal data to act only in consultation with the Data Protection Authority and the concerned sectoral regulator, subsequent to which the government will give its consent.
With the unchallenged advancement of technology, countries across the world are vying to protect their citizens, who will bear the cost of technology with their privacy. In this context, the extremely sensitive ‘big data’ poses a challenge for governments to advocate for the protection of any sensitive material, because however constructive technology may be, and no matter how big an asset it may be in our day-to-day lives, it comes at a cost which is not worth paying. Privacy is an elementary and fundamental right, and if profit and corporate greed take unregulated advantage of it, a catastrophe awaits which cannot be undone. Furthermore, India needs to revise and draft regulations, with continual updating, in order to achieve consonance with the unregulated march of technology. The drafting of rules and regulations regarding competition and privacy laws is irrefutable and imminent in the twenty-first century, and any lackadaisical approach by the legislature or judiciary will only lead to an ominous future for India and its citizens’ privacy.
Aman Kumar Yadav and Arjun Chakladar are students at the National Law Institute University (NLIU), Bhopal.