23andMe Bankruptcy & Data Privacy

Last month, 23andMe filed for Chapter 11 bankruptcy. As 23andMe enters bankruptcy, the genetic data from 15 million people is up for sale.

What happens to the DNA-derived genetic data 23andMe received?
The genetic data given to 23AndMe will be sold to a new owner (as per the company’s privacy policy).
When a customer gives their data to a private company like 23AndMe (not a medical services provider), that data now belongs to 23AndMe. It is their business asset. And just like in any other business bankruptcy case, assets will be sold to new owners. It just so happens that 23andMe’s core saleable asset is genetic data from over 15 million people. We have no idea who will buy all this data.
DNA information is a “blueprint” of your biological identity, and its sale could have “far-reaching consequences.” Whoever buys the company can change the privacy policy eventually, including who they share your data with.

Why Should You Be Concerned?
Think you’re safe if you never personally took a 23andMe test? Doesn’t matter – you’re probably still affected. Thank your (extended) family. If you gave your data to 23andMe, you also gave the genetic data of your parents, your siblings, your children, and even distant kin who did not consent to that.
If someone within your family (including uncles, distant cousins, etc.) did a 23andMe test, they’ve inadvertently exposed some of your data, too.

Consider The Future Privacy Risks
It might be nice to know that you’re 46% Irish and 15% Italian, but uncovering your ancestry is not where genetic data stops. The truth is that, right now, we don’t fully understand just how much information you can get about a person from their genetic data.

What we do know is that:
1) Your genome is likely to reveal a huge amount about you.
2) In the future, genetic data will reveal much more than it does today.
Your genome contains a LOT more information than we currently understand, and what we understand is also a lot more than what 23andMe reports back to their customers in the form of ancestry, disease predisposition and physical attribute information.
It’s entirely possible that genetic analysis could one day offer far deeper and more personal insights into who we are? It’s certain to offer greater insight into disease risk (heart disease, mental health, cancer, etc.) and life-expectancy, but possibly also sexual orientation, behavioral tendencies (such as risk tolerance), spirituality, IQ, and more.

This makes it a uniquely powerful source of information about you – information that is currently (and legally) used for medical, insurance and law enforcement purposes in the United States and elsewhere. What future applications will arise?”
There’s also the risk of data breaches, which even the most sophisticated companies struggle with today. Once your genetic data is in the hands of a third party, there’s no way to get it back or make it private again.

23andMe and similar companies say that your genetic data is anonymized. But a growing body of research shows that supposedly “anonymized” genetic data can be re-identified if combined with other data.
The Electronic Frontier Foundation (EFF) says that even if your data is separated from obvious identifiers like your name, genetic data is still forever linked to only one person in the world.
https://www.eff.org/deeplinks/2024/10/sale-23andmes-data-would-be-bad-privacy-heres-what-customers-can-do

What Does the Law Say About Genetic Data?
Not very much. The Health Insurance Portability and Accountability Act (HIPAA) and the Genetic Information Nondiscrimination Act of 2008 (GINA) are the two laws that deal with genetic information privacy.
However, HIPAA only applies to the results of genetic tests administered by your healthcare provider. It does not extend to direct-to-consumer (DTC) genetic testing companies like 23andMe.
And while GINA protects individuals from being discriminated against by health insurance companies and employers, it doesn’t cover other third parties or other kinds of insurance companies.

Another Wake-Up Call for Personal Data Sharing
Certain risks to genetic data privacy – like an extended family member doing a DNA test – are out of your control. But you can still take steps to protect your identity. We should all follow the same advice for protecting genetic-related data as we do for all data:
Be careful what data you share, and with whom
Genetic data is dangerous because it is totally unique to you. You cannot change your genetic signatures if they are exposed.

Personal information about you is very sensitive
But we often share it with different services like:
AI Chatbots and Smart home devices (voice assistants and connected home devices like Alexa and Siri).
Fitness apps, therapy apps and wearable devices: Fitness apps, in particular, often collect extraordinarily detailed health and location data, whereas apps for therapy, meditation, or mental well-being deal with some of our most intimate thoughts and feelings. What’s worse, these apps frequently share your data with third parties.
23AndMe is a reminder that when unalterable data goes from you to a third party, it is not necessarily at its final destination. Even if that data pertains to your health or genetics, control over it is no longer in your hands.
Tip: Not sure if you should share your data with a specific product/service?
Check out *Privacy Not Included, a buyer’s guide created by the Mozilla Foundation, a non-profit organization behind the Firefox browser. The guide evaluates how products ranging from smart home devices to dating apps collect, use, and share your personal data. https://foundation.mozilla.org/en/privacynotincluded/

What you should do right now
If you’ve used 23andMe, delete your account. Doing so will ensure your information won’t be used for future research, and your genetic samples will be discarded.