Collapsed 23andMe warned over UK customer data sale

US biotech genetic testing company 23andMe has been warned that the personal information of its UK customers remains protected by UK GDPR in any auction or sale following the collapse of the company last month.

23andMe filed for Chapter 11 bankruptcy in the US on March 24, but the UK Information Commissioner’s Office maintains it is “monitoring the situation closely” and is in contact with the company.

Ironically, the ICO issued a notice of intent to fine 23andMe £4.59mn as well as a preliminary enforcement notice for a data breach 23andMe first reported in October 2023. This follows a joint investigation between the UK ICO and the Office of the Privacy Commissioner of Canada last year.

23andMe was previously valued at $6bn in 2021, and has celebrity clients including Snoop Dogg, Eva Longoria and Warren Buffett. As of June 2020, it had sold over 250,000 genomic testing kits in the UK.

The company is now looking to flog off its data but said it intended to continue operating its business throughout the sale process, with “no changes to the way the company stores, manages, or protects customer data”.

The Chapter 11 filing would allow 23andMe, with the assistance of an independent investment banker, to actively solicit qualified bids over a 45-day process.

If multiple qualified bids are submitted during the court-supervised sale process, the company said it plans to carry out an auction to maximise the value of its assets, with any buyer required to comply with applicable law with respect to the treatment of customer data.

However, Stephen Bonner, ICO deputy commissioner – regulatory supervision, warned that any genetic data from British nationals held by the company would have to be treated in accordance with UK GDPR.

“Genetic information is among the most sensitive personal data that a person can entrust to a company and organisations handling such data are required to uphold a very high standard of security and governance in accordance with the UK GDPR,” Bonner said.

“We are aware that 23andMe has filed for Chapter 11 bankruptcy in the US to facilitate a sale process. We are monitoring the situation closely and are in contact with the company.

“As a matter of UK law, the protections and restrictions of the UK GDPR continue to apply and 23andMe remains under an obligation to protect the personal information of its customers.”

Industry experts predict the ICO will have to factor in affordability considerations given the solvency status of 23andMe with respect to any fine issued.
