Joint letter on privacy protection during bankruptcy proceedings involving 23andMe Holding Co.

BY EMAIL

April 28, 2025

Jerry L. Jensen, Acting US Trustee
Paul A. Randolph, Assistant US Trustee
Joseph R. Schlotzhauer, Trial Attorney

Copy to: 23andMe Holding Co.

Re: Bankruptcy proceedings involving 23andMe Holding Co., et al. (Case No. 25-40976-357)

Dear Counsel,

Following the announcement of 23andMe Holding Co.’s Chapter 11 filing, the United Kingdom Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) are concerned about how the sensitive personal information of millions of customers will be handled in the course of the bankruptcy proceedings, and the potential sale of 23andMe Inc. (23andMe) or its assets.

In this context, we write to ensure that any personal information relating to individuals located in the UK and Canada is handled in compliance with our respective data protection laws, especially considering the potential for significant harms and distress to be caused to individuals in the event of inappropriate use of, or access to, such personal information.

By way of background, in June 2024, our Offices initiated a joint investigation into 23andMe’s alleged non-compliance with the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018), and Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The investigation was launched following a global data breach which resulted in millions of customers’ personal information—including the raw genetic data of some customers and other forms of sensitive personal information—being compromised and offered for sale on hidden web platforms. On March 4, 2025, we communicated our provisional findings to 23andMe. 23andMe has been offered the opportunity to respond to our provisional findings and we will consider its response before finalizing our findings and issuing a joint report in the coming months.

Given that 23andMe’s bankruptcy may result in the sale or transfer of customers’ sensitive personal information, including DNA and health information, it is important for us to ensure that you are aware of the data privacy law requirements that apply to the personal information of 23andMe customers located in Canada Footnote 1 and in the United Kingdom.Footnote 2

PIPEDA and the UK GDPR require that personal information must be collected and used only for specified purposes.Footnote 3 In addition, any purchaser of 23andMe and/or its customers’ personal information must ensure that it complies with its obligations under the UK GDPR and PIPEDA, including if it proposes to use such personal information for purposes other than those for which it was originally collected (as stated in 23andMe’s privacy policy).Footnote 4

In the context of business transactions, PIPEDA allows organizations that are parties to a completed business transaction, such as the sale of business, to use and disclose necessary personal information without the knowledge or consent of the individual if certain conditions are met. This includes the organizations entering into an agreement that requires the organization receiving the personal information to only use and disclose the personal information for the purposes for which it was collected, or permitted to be used or disclosed before the transaction was completed.Footnote 5

Moreover, PIPEDA and the UK GDPR require organizations to implement appropriate security safeguards to protect the personal information for which they are responsible.Footnote 6 Given the highly sensitive nature of the personal information held by 23andMe, our Offices expect that any potential purchaser of 23andMe and/or its customers’ personal information will have strong security safeguards in place to protect the personal information against unauthorized access, or misuse.

Our Offices note that 23andMe has made recent public statements indicating that all potential buyers will be required to agree to comply with 23andMe’s privacy policy and applicable law.Footnote 7 While our Offices welcome these statements, we note that 23andMe’s privacy policy states that the company “may make changes to this Privacy Statement from time to time,”Footnote 8 potentially undermining the value of any commitments given by any purchaser of 23andMe and/or its customers’ personal information to adhere to the terms of the privacy policy as it stands at the time of the sale.

It is important that prospective buyers be made aware that our Offices will not hesitate to investigate and take appropriate action against 23andMe, or any third parties that acquire the personal information of 23andMe customers, if we consider there to be evidence of non-compliance with the applicable data privacy laws in our respective jurisdictions.

Finally, we are supportive of your request to appoint a Consumer Privacy Ombudsman to protect the personal information involved in 23andMe’s bankruptcy, and our Offices are open to discussing any questions you may have and to further cooperating in order to ensure the protection of 23andMe customers’ personal information during the Chapter 11 proceedings.

Yours sincerely,

(Original signed by)

Stephen Bonner
Deputy Commissioner (Regulatory Supervision)
United Kingdom Information Commissioner’s Office

(Original signed by)

Isabelle Gervais
Deputy Commissioner (Compliance, Promotion & Enforcement)
Office of the Privacy Commissioner of Canada