In the midst of 23andMe’s bankruptcy proceedings, UK and Canadian regulators have raised concerns about customer data protection. On May 1, 2025, the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) issued a joint statement urging the safeguarding of sensitive personal data. The regulators warned potential buyers that they could face legal action if the data is misused or not properly protected during and after the bankruptcy process.
The ICO and OPC stressed the importance of adhering to data protection laws, including the UK General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). 23andMe has made assurances that any potential buyers will need to comply with its privacy policy and applicable laws.
However, the ICO and OPC expressed concerns that 23andMe’s privacy policy allows for changes that could undermine these commitments.
The regulators’ letter followed a US court ruling that appointed a Consumer Privacy Ombudsman to oversee 23andMe’s customer data during the bankruptcy proceedings. John Edwards, UK Information Commissioner, emphasized the importance of consumer trust and vowed to take action if the data protection regulations are violated. The ICO and OPC both welcomed the appointment of the Ombudsman as a positive step for protecting consumer privacy.
Data security concerns have been heightened due to a 2023 breach affecting over six million 23andMe customers.
Since June 2024, the ICO and OPC have been investigating the breach, with the ICO issuing provisional findings and a proposed fine of £4.59m ($6.1m). Additionally, California’s Attorney General has reminded residents of their right to request deletion of their genetic data, further adding to the scrutiny surrounding 23andMe’s data practices.
Reference:
