Ancestry service filed for bankruptcy at the weekend after failed takeovers and a data breach.
The UK’s Information Commissioner has said it is monitoring the situation around 23andMe’s bankruptcy in the US, and the protections and restrictions of the UK GDPR continue to apply.
In a statement, ICO deputy commissioner for regulatory supervision Stephen Bonner said that genetic information is among the most sensitive personal data that a person can entrust to a company, and that organisations handling such data are required to uphold a very high standard of security and governance in accordance with the UK GDPR.
“We are aware that 23andMe has filed for Chapter 11 bankruptcy in the US to facilitate a sale process,” he said. “We are monitoring the situation closely and are in contact with the company.
“As a matter of UK law, the protections and restrictions of the UK GDPR continue to apply and 23andMe remains under an obligation to protect the personal information of its customers.”
23andMe filed for bankruptcy in the US on Sunday after struggling with weak demand for its ancestry testing kits.
According to media reports, the CEO resigned as the share price dropped. While the company will continue to operate during the sale process, it said the bankruptcy process will not affect how it stores, manages or protects customer data.
Officials, including California Attorney General Rob Bonta, had questioned what would happen to the genetic data collected by 23andMe, though the company’s privacy policies say that the data could be sold to other firms.
“California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,” said Bonta, who offered advice on how to delete data and destroy any samples of genetic material held by the company.
23andMe said any buyer will be required to comply with applicable law about how customer data is treated. The company has made at least 30 deals with pharmaceutical and biotech companies, such as British drugmaker GSK, giving them access to its database. Most of these agreements remain undisclosed.
The company also suffered a data breach in 2023 that damaged its reputation, when attackers exposed the personal data of around seven million 23andMe customers over a five-month period.
The breach raised alarm among customers concerned about their privacy and how DNA-testing firms handle their data. 23andMe eventually agreed late last year to a $30 million settlement in a lawsuit related to the breach.
Bonner said the ICO and the Office of the Privacy Commissioner of Canada have been jointly investigating the data breach that 23andMe first reported in October 2023. Earlier this month, the UK ICO issued 23andMe with its provisional findings, a notice of intent to fine £4.59m and a preliminary enforcement notice.
“We would stress these findings are provisional and, as with all preliminary findings, are subject to representations from 23andMe including in relation to affordability considerations,” Bonner said. “The ICO will carefully consider any representations made before taking a final decision.”
Tilo Weigandt, COO and Co-founder of Vaultree, said: “While GDPR offers strong legal protection, enforcement is not always immediate. There may be delays in communication about what’s happening to the data, or some data may have already been shared with third-party research or marketing partners prior to the bankruptcy.
“This case underscores why technical guarantees of data privacy are needed in addition to legal ones. We should all advocate for and provide solutions like data-in-use encryption, which ensures that even in situations like acquisitions or bankruptcies, data cannot be accessed or exploited without the user’s consent — because it remains encrypted and inaccessible by anyone else, by design.”
Written by
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.