Rumours that the company is looking for a buyer have sparked a debate about what would happen if its files containing the DNA of 15 million users ended up in the hands of an insurance company
The Spanish Data Protection Agency (AEPD) is processing a file in relation to 23andMe, an American company that is a pioneer in commercial genome sequencing.
The Agency cannot provide further information on the process it is undertaking, although it clarifies that it has not received any complaints from users, which indicates that the investigation was opened on its own initiative. The investigation coincides with rumours that 23andMe, which is experiencing financial difficulties, is listening to offers for purchase. Whoever acquires it will obtain the genetic data of its 15 million customers.
The AEPD investigation has a precedent: in 2021, it did the same with the Israeli firm MyHeritage, a platform that offers genetic analysis to build family trees. In that case, the procedure was opened following a complaint by the Organization of Consumers and Users (OCU) for improper treatment and transfer to third parties of users’ genetic data. MyHeritage was fined and forced to change its conduct.
23andMe, named after the 23 pairs of chromosomes found in human cells, became world famous in 2007 when it became the first company to sell genetic testing kits. The report it provides gives customers information about their ancestry or their predisposition to contracting certain diseases.
Its method of taking saliva samples to capture DNA, now a benchmark in the sector, was named the invention of the year in 2008 by Time magazine. The tests, available from around 55 euros, are sent to your home: you spit into a tube, give it back to a courier and within a few weeks the results are available.
But the business has not performed as well as expected. Its IPO in 2021 was a disaster. Revenues are not meeting expectations, and analysts believe that at this rate it will run out of cash reserves next year. This situation has resulted in a 73% drop in its stock market value so far this year.
The search for new customers has led 23andMe into the lucrative business of weight loss products: the company announced in the summer that it will try to find genetic variations that can help its users lose weight. However, in September the entire board of directors resigned en masse, except for co-founder and CEO Anne Wojcicki, as there were no takeover offers that could rescue the company.
It’s not just you. If anyone in your FAMILY gave their DNA to 23&me, for all of your sakes, close your/their account now. This won’t solve the issue, but they will (they claim) delete some of your data.
And in the future avoid consumer DNA testing. https://t.co/6A1GuqvXGr
— Meredith Whittaker (@mer__edith), October 4, 2024
Wojcicki herself was open to selling her data to third parties in September, as reported by Reuters. This has alarmed privacy experts, because the database held by 23andMe (it contains the genetic data of 15 million people) is extremely sensitive. The American press has speculated that it would be a tasty morsel, for example, for an insurance company, which could know before granting a loan whether or not a client is prone to contracting certain types of cancer.
23andMe sources now assure EL PAÍS that the company is not considering any acquisition offer, and that customers have the option to delete their account at any time. “We do not share our customers’ data with third parties without their consent,” says a company spokesperson. 23andMe’s data sharing policy, however, says that customers’ personal data can be “accessed, sold or transferred.”
Is my data at risk?
This is not the first time that 23andMe has been in the spotlight. Just a year ago, the company was hacked, exposing the genetic information of millions of users. The official response was to recommend that users change their passwords and to require two-factor authentication to access their accounts.
The fact that 23andMe is considering (or has considered) being acquired by a company has raised the concern of some users to another level. “You can request the deletion of your data; another thing is whether the company, in the chaotic situation it is in, has the means or the interest to do so,” says Jorge García Herrero, a lawyer specialising in data protection.
When a client presses the delete button, their account disappears, but there is a clause in the terms and conditions that says that, for “legal reasons”, both 23andMe and the laboratories that have worked with the samples will keep information about the user’s sex, date of birth and genetic information. It is not specified for how long.
European regulations protect 23andMe’s European clients. “The General Data Protection Regulation (GDPR) affects not only companies working in the EU, but anyone who processes data of European citizens,” explains Borja Adsuara, a consultant and legal expert in privacy.
The difficult part is ensuring that the regulation is respected. “I think there is a lack of audits to verify that everything is being done correctly,” he adds. “If I had contracted the services of 23andMe and was worried about my data, I would expect the AEPD to act on its own initiative to remind the company that it has to respect European regulations,” says the expert. That is what seems to be happening.
Genetic data falls into a special category of personal data, listed in Article 9 of the GDPR. Its processing is prohibited, with a few exceptions that always require express consent. In fact, there is no biometric data more immutable than DNA: it is a kind of personal and non-transferable registration of each human being that allows them to be recognized unequivocally.
A person can erase their fingerprints, alter their face to try to evade facial recognition methods or even tear out their eyes to prevent their irises from being read. The genome, on the other hand, accompanies us from the first day to the last.
The most personal data
Another peculiarity of the genome is that it does not only concern one person, but their entire family. There have been cases in the US in which justice has located murderers not through their own DNA, but through that of a relative. Philosopher Carissa Véliz, professor at the Institute for the Ethics of Artificial Intelligence at the University of Oxford, argues that not even the user’s consent should be sufficient to be able to manage data such as DNA, since those affected by the analysis are all their relatives.
There are also specific regulations affecting genetic analyses. “The Oviedo Convention establishes that these studies can be carried out for specific purposes, such as medical research or disease prediction, and that they always require medical advice,” says Mikel Recuero, a researcher at the University of the Basque Country and a lawyer specialising in the processing of medical data.
“These companies operate in a certain legal vacuum: you order the test online, you receive a kit, you take the sample, it is sent to a laboratory and they send you the results. The analysis does not take place in a medical environment and there is no professional advice.”
The fact is that 23andMe has already made money off of its users’ data before. In 2018, it reached an agreement with the British company GlaxoSmithKline, one of the largest pharmaceutical companies in the world, for more than 300 million dollars for the “development of new medicines.” Only the data of users who gave their consent were used.
Could 23andMe sell your data to a health insurer or a data broker (companies that collect, analyse and sell personal data), as has been speculated? In the US it would be technically possible and legal. In the EU, it would be very complicated. “One of the basic principles of the GDPR is the limitation of purpose, which means that if you collect data for a specific purpose (for example, DNA to detect a disease), you cannot then use it for another purpose, and if you do, you expose yourself to heavy sanctions or even disqualification from the service,” Recuero emphasises.