On June 17, 2025, the Privacy Commissioner of Canada and the United Kingdom' Information Commissioner (collectively, the Commissioners) released the findings of their joint investigation into the October 2023 global data breach at 23andMe, a genetic testing company. The investigation found that 23andMe failed to implement sufficient security measures to protect the personal information of its customers, including nearly 320,000 Canadians.
The investigation found several deficiencies in safeguards that contributed to the breach:
Due to the highly sensitive nature of the compromised information and the high probability of its misuse, this breach created a real risk of harm to the individuals affected and met the breach reporting thresholds under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the UK’s General Data Protection Regulation (UK GDPR). The Commissioners concluded that 23andMe’s breach reports to their offices were not made in accordance with PIPEDA and the UK GDPR because they failed to include complete details about the personal information likely involved in the breach, namely raw DNA data. In certain instances, 23andMe’s notification to affected individuals was also not in accordance with PIPEDA and the UK GDPR because they failed to provide relevant information that was known at the time of notification, such as the details of the personal information likely involved in the breach and the fact that some breached information had been posted for sale online.
A full summary of the results of the joint investigation can be found here.
Summary By: Amy Ariganello
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.