UK and Canadian Regulators Demand Robust Data Protection Amid 23andMe

Amid 23andMe’s bankruptcy proceedings and search for a buyer, UK and Canadian regulators have jointly called for the protection of the company’s customers’ sensitive personal data, warning potential acquirers of possible action for any misuse.
On May 1, 2025, the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) called for the protection of the sensitive personal data of 23andMe’s customers during and after the bankruptcy proceedings.
The ICO and OPC said they want to prevent unauthorized use or misuse of consumers’ personal data and have warned potential buyers that they will not hesitate to take appropriate action against 23andMe for any failings.
The joint letter highlights requirements under UK and Canadian law for both 23andMe and any potential buyer of either the company or its customers’ personal data to adhere to the UK General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
23andMe has made statements indicating that all potential buyers will be required to agree to and comply with its privacy policy and applicable law.
However, the ICO and OPC noted that 23andMe’s privacy policy states that the company “may make changes to this Privacy Statement from time to time.”
The joint letter said that this statement potentially undermines the value of any commitments given by any purchaser of 23andMe and/or its customers’ personal information to adhere to the terms of the privacy policy as it stands at the time of the sale.
The statement from the UK and Canada comes following a hearing on April 29, 2025, in which a US bankruptcy judge ordered the appointment of a Consumer Privacy Ombudsman to oversee the handling of 23andMe’s customers’ personal information during the proceedings.
The ICO and OPC welcomed this development.
“The UK public need to trust that the bankruptcy proceedings, and any potential sale of the company or its assets, will safeguard their personal data from unauthorized use or misuse. We are here to advocate on their behalf and we will not hesitate to take action against 23andMe or any potential purchaser should data protection legislation not be adhered to,” commented John Edwards, UK Information Commissioner.
In March 2025, California Attorney General Rob Bonta published an advisory reminding Californian customers of their right to direct 23andMe to delete their genetic data.
The data security and privacy of genetic information held by 23andMe have been under scrutiny since the fallout from a 2023 data breach, which saw over six million individuals affected.
The ICO and OPC have been jointly investigating the 2023 data breach and alleged non-compliance with UK GDPR and Data Protection Act 2018 as well as Canada’s PIPEDA since June 2024.
In March 2025, the ICO issued provisional findings and a Notice of Intent to impose a fine of £4.59m ($6.1m), and a Preliminary Enforcement Notice. The regulator said it is currently considering representations from 23andMe before making a final decision.