And that was all before the Wall Street Journal reported this week on Google’s Project Nightingale, a mostly secret deal with one of the country’s largest nonprofit hospital networks granting Google free access to tens of millions of complete, nonanonymized patient records, which it is using to train an AI platform that will be able to customize patient care. (This is apparently legal, somehow, under the Health Insurance Portability and Accountability Act, or HIPAA.) In return for the data, according to the Journal, the hospital network, Ascension, will get free use of the new software, which Google intends to sell to other health care providers. In a blog post after the story came out, Google Cloud executive Tariq Shaukat wrote, “All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come [sic] with strict guidance on data privacy, security and usage.” That didn’t stop the Office for Civil Rights in the Department of Health and Human Services from announcing an investigation into the project on Wednesday.
Together, the Fitbit merger and Project Nightingale present an immediate challenge to Delrahim’s claim that antitrust regulators are ready to treat data collection as a competition issue. Since the late 1970s, the federal government’s approach to merger review has essentially narrowed to the question of whether the reduction in competition caused by two companies combining will be bad for consumers. That analysis has in turn tended to focus even more narrowly on whether the post-merger firm will raise prices. Bringing user data concerns into antitrust, as Delrahim suggested, would require asking a similar question: Will the reduction in competition lead to consumers having to accept inferior privacy protections?
“What I’m telling my students is, this is a great test case,” said Maurice Stucke, an antitrust expert at the University of Tennessee College of Law. “The agencies say they’re concerned about these data-opolies. They’re going to scrutinize their data-driven acquisition of these smaller firms. Here you have this established firm that’s already established a significant treasure trove of personal data. So, is anything going to change?”
Change would mean, for starters, being skeptical of companies’ promises when it comes to privacy policies. Google and Fitbit insist that Fitbit health data won’t be used for Google ads. But regulators have been burned by similar assurances in the recent past. In 2012 and 2013, Google paid nearly $40 million in fines to settle charges that it had lied to users about how it would track their online behavior following the company’s purchase of the DoubleClick ad platform. Facebook, similarly, insisted it wouldn’t undermine WhatsApp’s privacy protections by integrating its data when it acquired the messaging app in 2014—and then paid a $122 million fine in Europe for doing just that a few years later. These punishments have all been slaps on the wrist in financial terms—a cost of doing business. But they only came about because regulators let Facebook and Google buy WhatsApp and DoubleClick in the first place.