One of the largest biotechnology companies in the world, 23andMe, could go bankrupt soon, spurring fears that the genetic data of millions of its customers could be sold if that happens.
But experts say you still have time to act and delete your data.
23andMe rode the wave of popular excitement and investor interest in genetics. It wasn’t alone. By 2022 the direct-to-consumer genetic testing market was valued at US$3 billion. The three largest players – 23andMe, AncestryDNA and MyHeritage – together hold the genetic data of almost 50 million people globally.
There are dozens of smaller players too, with some focusing on emerging markets such as MapMyGenome in India and 23mofang and WeGene in China.
23andMe has had a rapid downfall after the 2021 high of its public listing.
Its value has dropped more than 97 per cent. In 2023 it suffered a major data breach affecting almost seven million users and settled a class-action lawsuit for US$30 million.
Last month its seven independent directors resigned amid news that the original founder is planning to take the company private once more. The company has never made a profit and is reportedly on the verge of bankruptcy.
What this might mean for its vast stores of genetic data is unclear.
What does it mean for your data?
Experts say that if you have taken a genetic test at 23andMe, it might be prudent to track any news of sales, mergers or acquisitions.
“23andMe’s privacy policy, which users have agreed to when uploading their data, specifically states that the data can be transferred during mergers, acquisitions, or bankruptcies,” said Julien Richard, director of information security at the cybersecurity firm Lastwall.
“This is worrisome because the data could be transferred to third parties that may misuse the data or have a lack of adequate protection.”
Canada’s federal privacy commissioner told Global News the Personal Information Protection and Electronic Documents Act (PIPEDA) does allow for personal information to be shared in business transactions.
“In the context of business transactions, PIPEDA allows for the use and disclosure of personal information without consent, provided that certain conditions are met,” a spokesperson for the privacy commissioner said.
“The general obligations under PIPEDA would continue to apply to personal information that is transferred as part of a merger or acquisition. For example, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes. Also, personal information must be protected by appropriate safeguards relative to the sensitivity of the information.”
And while Canada has legislation prohibiting genetic discrimination — third parties demanding data from genetic tests and using it to deny or discriminate against people in processes like insurance — the question now is how Canadians’ data could be used if sold to foreign companies.
This is also not the first time 23andMe has had privacy concerns.
The company is under a joint investigation by Canada and the United Kingdom after a data breach in December last year left the data of 6.9 million users compromised.
How can you delete your data?
There might still be time to delete your data, before it’s too late.
“There is still the option to delete the data, but users should act quickly. Once a company enters bankruptcy proceedings or is sold, it might become significantly more difficult to have the data removed,” Richard said.
A 23andMe user can go into their account settings and simply click the “permanently delete data” button.
However, this does not mean that all of your data will be deleted.
“While we will delete the majority of your Personal Information, we are required to retain some information to comply with our legal obligations,” the company says on its website.
The company said in its privacy statement that it can retain “Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations… even if you chose to delete your account.”
It can also retain information related to your account and data deletion request, “including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements for a limited period of time as required by law, contractual obligations, and/or as necessary for the establishment, exercise or defense of legal claims and for audit and compliance purposes.”
Richard said, “It is important for users to periodically review their consent and privacy options for any services they use that contain sensitive information. In 23andMe’s case, they should specifically look if they have opted into having their data used in research or with third parties.”
There is bad news for anyone affected by the 2023 data breach, Richard said: their data might already be compromised. However, he said it is important to delete the data anyway to limit the scope of the damage.
— with files from Reuters