Inquiry into 23andMe's Management of User Data by Congress
In the wake of 23andMe's bankruptcy filing in March, concerns about the privacy of customers' genetic data have come to the forefront. Republican lawmakers, including Brett Guthrie (R-KY), Gus Bilirakis (R-FL), and Gary Palmer (R-AL), have voiced their concerns, particularly in light of the potential transfer or sale of 23andMe's genetic data [1][2].
The company's genetic data, considered its most valuable asset, has been acquired by TTAM Research Institute, a nonprofit linked to 23andMe's former CEO, for $305 million. TTAM has pledged to uphold privacy standards and comply with data protection laws [4]. However, critics argue that current legal frameworks inadequately address the unique nature of genetic data in bankruptcy sales, urging lawmakers to enact stronger protections to prevent commodification and misuse of DNA information [4].
To address these concerns, an independent Consumer Privacy Ombudsman (CPO), Neil Richards, a leading privacy law expert, was appointed during the bankruptcy proceedings to advise the court on the complex privacy and ethical questions relating to the sale of 23andMe’s genetic data [2]. Privacy regulators and attorneys general from 27 states have also been actively involved, highlighting possible violations of state privacy laws if the sale proceeds without satisfying stringent consumer protections [2].
Several safeguards have been emphasized or pledged by involved parties. Any acquirer of 23andMe’s data must adhere to the existing privacy policies, and not materially alter data usage without explicit notice and consumer consent [1]. The acquirer is also bound to maintain elevated security measures stemming from a 2023 breach settlement [1]. Genetic data cannot be shared with third parties such as law enforcement, insurance companies, or employers without valid legal requests or consumer approval [1].
In response to the concerns, 23andMe has repeatedly promised to continue protecting customers' information. The data privacy assurances that the company currently promises will be carried over to the company that buys the business [5]. Users can still request the deletion of their information from 23andMe through a process described by the Electronic Frontier Foundation [3].
However, some customers have reported difficulties in deleting their accounts and information, and the letter asks 23andMe to explain how many of those deletion requests have been fulfilled [1]. The letter also asks whether 23andMe has a "vetting process" in place to determine whether its prospective buyer has a history of implementing data security protections and compliance with sectoral, state, or any other data privacy and security laws [1].
The previous data leak at 23andMe has raised concerns about the safety of user data. Gizmodo reached out to 23andMe for comment regarding the concerns about user data [6]. The Republican letter's criticism of a lack of a "federal comprehensive data privacy" law is not entirely justified, given the multiple failed attempts to pass such a law by lawmakers [7]. The letter expresses concern about the safety of Americans' most sensitive personal information due to the lack of a federal comprehensive data privacy and security law [7].
In summary, the privacy concerns raised by Republican lawmakers and regulators around 23andMe center on safeguarding genetic data during bankruptcy-driven ownership changes. The company and the acquirer are addressing these by committing to consumer consent, maintaining stringent privacy policies, appointing a privacy ombudsman, and complying with existing laws, but ongoing calls for stronger legislation remain to fully protect genetic privacy [1][2][4].
- Gizmodo reported concerns about the safety of user data at 23andMe following a previous data leak.
- Despite the acquisition of 23andMe's genetic data by TTAM Research Institute, critics argue that current legal frameworks inadequately address the unique nature of genetic data in bankruptcy sales.
- Republican lawmakers have voiced their concerns about the privacy of customers' genetic data, urging lawmakers to enact stronger protections to prevent commodification and misuse of DNA information.
