Google’s plan to buy Fitbit took chutzpah from the start. The company was already being investigated by Congress, state attorneys general, and federal antitrust regulators, a reflection of growing alarm over a conglomerate whose dominant market share is built on unrivaled access to personal data. Now it was announcing a $2.2 billion acquisition of a firm with troves of the most intimate details of its users’ physical health, from their heart rate to their exercise routines to how many hours they sleep at night. Fitbit was apparently worried enough about the threat of the deal being blocked that it negotiated a $250 million breakup fee in case of “a failure to obtain Antitrust Approvals.”

A week later, almost on cue, Makan Delrahim, the top antitrust official at the Department of Justice, suggested at a conference at Harvard that federal enforcers might start treating data privacy as a relevant issue in evaluating mergers. “It would be a grave mistake to believe that privacy concerns can never play a role in antitrust analysis,” he said. So there was some reason to wonder whether the Google-Fitbit deal would be the first casualty of the growing antitrust techlash.

And that was all before the Wall Street Journal reported this week on Google’s Project Nightingale, a mostly secret deal with one of the country’s largest nonprofit hospital networks granting Google free access to tens of millions of complete, nonanonymized patient records, which it is using to train an AI platform that will be able to customize patient care. (This is apparently legal, somehow, under the Health Insurance Portability and Accountability Act, or HIPAA.) In return for the data, according to the Journal, the hospital network, Ascension, will get free use of the new software, which Google intends to sell to other health care providers. In a blog post after the story came out, Google Cloud executive Tariq Shaukat wrote, “All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come [sic] with strict guidance on data privacy, security and usage.” That didn’t stop the Office for Civil Rights in the Department of Health and Human Services from announcing an investigation into the project on Wednesday.

Together, the Fitbit merger and Project Nightingale present an immediate challenge to Delrahim’s claim that antitrust regulators are ready to treat data collection as a competition issue. Since the late 1970s, the federal government’s approach to merger review has essentially narrowed to the question of whether the reduction in competition caused by two companies combining will be bad for consumers. That analysis has in turn tended to focus even more narrowly on whether the post-merger firm will raise prices. Bringing user data concerns into antitrust, as Delrahim suggested, would require asking a similar question: Will the reduction in competition lead to consumers having to accept inferior privacy protections?

“What I’m telling my students is, this is a great test case,” said Maurice Stucke, an antitrust expert at the University of Tennessee College of Law. “The agencies say they’re concerned about these data-opolies. They’re going to scrutinize their data-driven acquisition of these smaller firms. Here you have this established firm that’s already established a significant treasure trove of personal data. So, is anything going to change?”

The WIRED Guide to Your Personal Data (and Who Is Using It) Information about you, what you buy, where you go, even where you look is the oil that fuels the digital economy.

Change would mean, for starters, being skeptical of companies’ promises when it comes to privacy policies. Google and Fitbit insist that that Fitbit health data won’t be used for Google ads. But regulators have been burned by similar assurances in the recent past. In 2012 and 2013, Google paid nearly $40 million in fines to settle charges that it had lied to users about how it would track their online behavior following the company’s purchase of the DoubleClick ad platform. Facebook, similarly, insisted it wouldn’t undermine WhatsApp’s privacy protections by integrating its data when it acquired the messaging app in 2014—and then paid a $122 million fine in Europe for doing just that a few years later. These punishments have all been slaps on the wrist in financial terms—a cost of doing business. But they only came about because regulators let Facebook and Google buy WhatsApp and DoubleClick in the first place.