23andYou


By Daragh O Brien
March 25, 2025

I was on RTÉ news this morning talking about DNA company 23andMe’s filing for bankruptcy protection and its implications for people who spat in a tube and sent it to the company, or indeed anyone related to a person who spat in a tube and sent it to the company. It was before most sane people would have had their second coffee. I had not had my second coffee. People tell me I did well in my slot, but there was a lot more I wanted to share. Because this is a thing that could get ‘complicated’.

What is happening to 23andMe?

What is happening is that a US company has run out of money and has gone into Chapter 11 bankruptcy protection. This is similar to examinership in Irish law. There is a narrow window to rejigger the company so the big holes where all the money was leaking out can be plugged and a hole to allow more money to come in can be opened, usually through a sale of the company or its bits. The new owners have to figure out how to close the holes where the money was leaking out, but that’s easier because they have burned all the creditors so there is less leaking money.

23andMe is valued at $50 million (down from $6 billion) and has approximately 40 million DNA profiles according to Adam Maguire in RTÉ. So, that data (potentially the biggest asset) is worth about $1.25 per profile. The former CEO values the company at $11 million (she has tried to buy out the shareholders before it went into Chapter 11), so the DNA data is worth $0.28 per profile according to her.

There are no guarantees when the company is sold that the (somewhat flimsy) data protection promises that 23andMe made to their EU-resident customers will be honoured by the new owner. After all, they’ll need to find a way to make a profit from the purchase. If the company isn’t sold and they stop paying the people keeping that data secure and there is nobody there to delete the databases, will the liquidators have protocols in place to make sure that data isn’t left lying around for people to find if they buy a hard drive on eBay?

But it’s just data…

Yes. It’s just data. It’s data about you like your name, address, email address, age, biometric information, DNA profile data…

…and the links between you and other people with DNA profile data that matches yours (so related to you genetically)…

… as well as the indicators from your DNA of your hard-wired potential to develop medical conditions from short-sightedness and baldness (big wave to my uncles) to cancers or other illnesses.

Your DNA profile is not just data relating to you. It is, by definition, data that relates to your ancestors and descendants. Even if none of them spat in a tube, wrote their name on a label, and sent it off to a US-based company with a privacy policy that has a number of ‘interesting’ loopholes.

And it’s worth remembering that those privacy pinky promises won’t necessarily bind any successor owner of the company.

What can people do?

23andMe (for now) has a function that lets you delete your data. However, they assert that they may need to retain certain data for certain ‘legal obligations’ (my colleague Carey Lening looked at those loopholes in detail last year).

Right now, they could also possibly argue that one of those legal obligations is making sure that the value of their biggest asset doesn’t get reduced by the asset getting smaller when people delete their data. It’s a bit like a liquidator to a retailer needing to make sure staff and customers aren’t stealing the stock of fancy handbags out of the stockroom. Those bits of data are valuable (at least $0.28 per profile!).

And that is assuming that they would delete all your data anyway. “Anonymised” DNA profile data will have been shared by 23andMe with various 3rd parties such as researchers and other ‘business partners’. Ignoring for a moment how you “anonymise” data that is relatively uniquely identifying of an individual, getting that smoke back in the bottle to delete it will be “challenging” unless 23andMe adopts a policy during their Chapter 11 period of getting people they previously gave or sold data to to delete that data (note: Article 19 GDPR requires 23andMe to inform anyone they shared data with if they receive a right of erasure request).

Good luck with that.

As 23andMe sold services into the EU, GDPR does apply to them and will apply to any successor (unless that successor decides they don’t want to do business in the EU). I’ll come back to that further on.

“But I didn’t do a 23andMe test. I’m OK”

Good for you if you didn’t spit in a tube. But did your brother, cousin, uncle, grandparent, unknown half-sibling, unknown child from a drunken fumble in university?

If they did… congratulations. 23andMe have data that relates to you but it’s going to be really difficult to get them to delete it. Because they won’t be able to look up your name and address or email address to find the data and then hit the big “SHRED-FOCKIN-EVERYTHING” button (even if such a thing exists).

But GDPR will save the day!

OK. Sit down. This might come as a shock. GDPR provides people in the EU with various rights over their personal data, and while it applies to 23andMe because they sold Spit-in-a-Tube kits to people in Europe who wanted to find out if they were descended from Vikings or Celtic royalty, or if the kids they would have with a prospective partner might be ginger, the critical thing here is enforcement and enforceability.

23andMe have a Nominated Representative for the EU. That means there is a point of contact in the EU (actually based in Ireland) for people who are affected by all of this. You can find their details in the 23andMe EU Privacy Notice (link to an archived page as who knows if the actual site will stay around). (As 23andMe is in bankruptcy we are having to assume they are still paying this company to provide this service.)

Your Rights

You have the right under GDPR to request erasure of your personal data (Article 17). The data controller has to demonstrate an overriding interest in retaining your data. “We don’t want the only big number we have that isn’t in red ink to go down” is not an overriding interest.

In the EU you can exercise that right by:

  1. emailing privacy@23andme.com with a request to delete your data (sample template at the bottom)
  2. copying that request (use the cc field in your email) to 23andMe’s Nominated representative datarequest@datarep.com

Technically, 23andMe have one calendar month from the date you file your request to tell you they have deleted your data. They might ask for photo ID. Unless they obtained photo ID from you when you spat in a tube, that’s an unreasonable request, and EU Data Protection authorities have previously told US tech companies that.

You can also request a copy of your data (Article 15). And you can request that 23andMe pass on your erasure request to anyone they have shared your data with (Article 19 GDPR).

Of course, all of this will depend on 23andMe having someone at the other end to open and action the emails and their Nominated Rep in Dublin having someone they can talk to in the 23andMe Head Office. Given they are in bankruptcy protection and have been laying off staff and the Data Protection function in an organisation is often just one person and a cat, this may be an optimistic hope.

Enforcing your rights

This is where it gets complicated. If 23andMe don’t comply with your request you can complain to the Data Protection Commission if you are in Ireland (or your own national data protection regulator if you are not in Ireland). Because 23andMe has no establishment in the EU, it’s a regulatory free-for-all.

Because 23andMe are a US-based company and all your data went to the US, the EU-US Transatlantic Data Privacy Framework applies. This is intended to ensure a “meaningful equivalence” of data protection rights between EU and US and provide EU data subjects (people) with rights of redress against US companies operating in the EU without an establishment here. The problem is that the Trump Administration has put some big dents in what was already a flimsy patchwork of Executive Orders, oversight boards, and judicial oversight. Members of key oversight functions have been dismissed (PCLOB and FTC). This has led to some concerns about the politicisation of oversight and enforcement of data protection issues. And the US government has a clear policy of “EU Regulation = Bad”.

The road to meaningful enforcement of your rights and the deletion of your data might be a long one in such a context, particularly as it’s difficult to get blood from a stone or enforce penalties on a company that no longer exists. This may come as a shock to the ICO who announced yesterday an intention to fine 23andMe arising from a 2023 data breach – note, this is NOT the same as actually fining them.

Conclusion

The 23andMe bankruptcy process raises some key issues around data protection and should spark some discussion and debate about how we handle the most sensitive and special category data. But it should also raise some uncomfortable questions about just how EU data protection rights can be meaningfully enforced against US companies under the current administration.

Of course, it’s not the first time that people like me have looked at a company that took all the DNA and then ran into financial difficulties and had to wonder “what happens to the data”?

Template Email

Dear Sir/Madam

I am [your name]. I have a 23andMe profile registered using [your email address] [note: include ANY OTHER identifiers relating to your 23andMe profile such as user name etc.].

Under Article 15 GDPR I request a copy of all personal data held by 23andMe relating to me, including details of any parties my data has been shared with. The data requested includes but is not limited to registration information, genetic information, sample information, self-reported information provided to 23andMe, biometric information, user content information, and web behaviour information and any correspondence or other data relating to me held by 23andMe.

Under Article 17 GDPR I request the deletion of all personal data relating to me including, but not limited to registration information, genetic information, sample information, self-reported information provided to 23andMe, biometric information, user content information, and web behaviour information and any correspondence or other data relating to me held by 23andMe.

Under Article 19 GDPR I request that 23andMe notify all recipients of data relating to me, including any sharing of anonymised genetic data or DNA profile data, of my request to have my data erased. I also request details of such recipients to whom my data has been disclosed.

Best regards

[Name]

