Privacy authorities for Canada and the United Kingdom launch joint investigation into 23andMe data breach

June 10, 2024

The privacy authorities for Canada and the United Kingdom (UK) have launched a joint investigation into the data breach that was discovered in October 2023 at the global direct-to-consumer genetic testing company 23andMe.

Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards will investigate the 23andMe breach jointly, leveraging the combined resources and expertise of their two offices.

23andMe is a custodian of highly sensitive personal information, including genetic information, which does not change over time. It can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships. This makes public trust in these services essential.

The joint investigation reflects the regulators’ commitment to collaborate on protecting the fundamental right to privacy of individuals across jurisdictions and will examine:

  • the scope of information that was exposed by the breach and potential harms to affected individuals;
  • whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
  • whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws.

The OPC will continue to work closely with its counterparts in Quebec, British Columbia, and Alberta as the investigation proceeds.

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” said Commissioner Dufresne. “Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

Commissioner Edwards said: “People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Privacy legislation allows the privacy authorities of Canada and the UK to work together on matters of impact across the two jurisdictions. Each regulator will investigate compliance with the law that it oversees.

No further comment will be made while the investigation is ongoing.

Notes to Editors

  • The Privacy Commissioner of Canada is an Agent of Parliament whose mission is to protect and promote privacy rights. The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law.
  • The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  • The joint investigation will be conducted in accordance with the Memorandum of Understanding between the ICO and OPC.

For more information

Office of the Privacy Commissioner of Canada

UK Information Commissioner’s Office 
