Out-Law / Your Daily Need-To-Know

Genetic testing company faces data breach investigation


Data protection authorities in the UK and Canada are undertaking a joint investigation into a data breach experienced by a genetic testing company last year.

The UK’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) said they will check whether 23andMe, which sells genetic testing direct to consumers, broke data protection laws in their respective jurisdictions.

In October 2023, 23andMe announced that hackers had gained access to some online user accounts, subsequently confirming that this enabled them to access data on approximately 6.9 million people whose information was connected to those accounts. The information compromised included “information such as display name, predicted relationships, and percentage of DNA shared with matches”, the company said.

Data protection law expert Jaya Handa of Pinsent Masons said genetic data is “some of people’s most sensitive personal data” and that it was therefore no surprise that the data breach had drawn regulatory scrutiny.

“Unlike a credit card number or email address, genetic data cannot be changed after a data incident and can reveal private health information, biological information, paternity details of not just customers but their relatives too,” Handa said. “This is some of people’s most sensitive personal data and in the wrong hands could lead to discrimination and substantive harm; it is rightly an area of regulatory concern and should be subject to the highest levels of scrutiny.”

“It is widely accepted that there is a need for a more coordinated approach when regulating global organisations. This co-operation between the ICO and OPC is timely as it follows the ICO’s campaign for more international cooperation in order to increase individual control over their personal data and drive positive outcomes. It will be interesting to see the outcome of the investigation and whether this is the sign of more collaborative global investigations on the horizon,” she said.

In their statement, the ICO and OPC confirmed that their joint investigation will examine the scope of information exposed in the data breach and the potential harms to individuals affected; whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and whether the company met its legal obligations to notify the personal data breach to them and impacted individuals.

John Edwards, UK information commissioner, said: “People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Philippe Dufresne, Canada’s privacy commissioner, said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
