On April 28, 2025, the Office of the Privacy Commissioner of Canada and the UK Information Commissioner’s Office (collectively, the Offices) issued a joint letter to the US trustee overseeing 23andMe Holding Co.’s (23andMe) bankruptcy proceedings, highlighting privacy protection requirements under Canadian and UK privacy laws (the Letter).
In October 2023, the direct-to-consumer genetic testing company 23andMe experienced a global data breach, which affected millions of customers and drew the Offices’ regulatory attention. In response to allegations of 23andMe’s non-compliance with Canadian and UK privacy and data protection laws following the breach, the Offices launched a joint investigation to examine the scope of information exposed by the breach; whether 23andMe had adequate safeguards; and whether 23andMe provided adequate notification to regulators and affected individuals in accordance with applicable laws. The Offices communicated their provisional findings to 23andMe on March 4, 2025, offering the company an opportunity to respond before a joint report is issued in the coming months.
The recent Letter to 23andMe’s US trustee highlights the Offices’ concerns about the handling of sensitive personal information during bankruptcy proceedings and the potential sale of 23andMe or its assets. The Offices reiterated that Canadian and UK privacy laws require that personal information be collected and used only for specified purposes, and that any purchaser of 23andMe and/or its customers’ personal information must ensure that it complies with its obligations under such laws.
The Letter also states that the Offices expect any potential purchaser to have strong security safeguards in view of the highly sensitive nature of the personal information held by 23andMe, and that the Offices may investigate and take appropriate action against 23andMe (or any third parties that acquire the personal information of 23andMe customers) upon evidence of non-compliance with applicable data privacy laws.
The Offices intend to issue their final decision regarding the joint investigation in the coming weeks, and have noted that the joint investigation is an important example of how regulatory collaboration can better address issues of global significance.
Summary By: Steffi Tran
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.