EDPB Urges Companies to Conduct Data Protection Assessment Ahead of Merger
The European Data Protection Board (EDPB) has issued a statement on the privacy implications of mergers in view of Google LLC’s intention to acquire Fitbit, Inc. The EDPB is concerned that Google would gain too much control over people’s health and wellness data potentially leading to an unfair advantage over other companies.
In its statement of 19 February 2020, the EDPB urges the parties to mitigate the possible risks posed by the merger to the rights to privacy and data protection, before notifying the merger to the European Commission. (The merger has not yet been notified.) The EDPB reminds the parties of their obligations under the General Data Protection Regulation (GDPR), including their obligation to conduct a full assessment of the data protection requirements and privacy implications of the merger in a transparent way.
This does not mean that the EDPB will be involved in the review process. In an interview with Bloomberg, European Commission Executive Vice President Margrethe Vestager confirmed that neither the European Data Protection Board nor individual privacy regulators will be formally involved in a Google-Fitbit merger review.
The EDPB’s statement can be consulted here.
This is not the first time that the EDPB has pointed out the importance of a data protection impact assessment in the context of a merger. In 2018, in the context of the merger between Apple and Shazam, the EDPB made a similar statement (available here). The recommendation is important for the merging companies’ accountability under the GDPR. Whenever a merger is proposed, organisations should assess the longer-term implications for the protection of personal data and GDPR compliance.