The Office of the Privacy Commissioner of Canada and the UK Information Commissioner’s Office have sent a joint letter to the US trustee overseeing the bankruptcy proceedings of 23andMe, a genetic testing company, to highlight their countries’ privacy protection requirements.
The two privacy authorities noted in a news release that the bankruptcy proceeding of the direct-to-consumer DNA testing service may lead to the sale or transfer of sensitive personal information for millions of customers around the globe.
“23andMe holds the highly sensitive personal information, including DNA, of millions of customers,” said Philippe Dufresne, Canada’s privacy commissioner, in the news release.
“23andMe holds some of the most personal and highly sensitive information possible about its customers, including genetic data, health reports and self-reported health conditions,” added John Edwards, UK information commissioner, in the news release.
In the letter sent on Apr. 28, the two privacy authorities asked the trustee to ensure that the handling of personal information regarding individuals in Canada and the UK complies with the two countries’ applicable privacy and data protection laws.
The letter seeks to inform the US authorities that the general obligations under Canada’s Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA) will continue to apply to personal information currently held by 23andMe, regardless of the company’s future ownership.
“My Office is closely following the sale of 23andMe to ensure that any personal information relating to individuals located in Canada is handled in compliance with our federal private-sector privacy law,” Dufresne said in the news release.
Joint investigation
In June 2024, Dufresne and Edwards began a joint investigation into the global data breach at 23andMe, according to the news release of Canada’s privacy regulator. The company recently filed for bankruptcy in the US under chapter 11 of the United States Bankruptcy Code (title 11 of the U.S. Code).
The news release noted that Canadian clients have expressed concerns that the potential sale of 23andMe would result in the use and sharing of their personal information, including DNA samples, genetic information, address, and payment details.
“This is of the utmost importance given the significant concerns that Canadians may have about the protection of their personal information going forward, especially given that some of the data has previously been subject to a breach,” Dufresne said in the news release.
During a chapter 11 proceeding on Apr. 29, a bankruptcy judge appointed a consumer privacy ombudsman, who will review the handling of genetic data and other personal information and guide the court’s decisions throughout the bankruptcy proceedings.
The two privacy authorities shared that they planned to inform this ombudsman about the relevant requirements under their respective laws.
“The UK public need to trust that the bankruptcy proceedings, and any potential sale of the company or its assets, will safeguard their personal data from unauthorised use or misuse,” Edwards said in the news release. “We are here to advocate on their behalf and we will not hesitate to take action against 23andMe or any potential purchaser should data protection legislation not be adhered to.”
The two privacy authorities noted that they notified 23andMe about the provisional findings in their joint investigation. They said they plan to release their final decision in the coming weeks.