The Spanish Data Protection Agency (AEPD) is processing a file in relation to 23andMe, a US company that is a pioneer in commercial genome sequencing. The Agency cannot provide more information about the process it has underway, although it clarifies that it has not received complaints from users, which indicates that the investigation is motu proprio. The investigation coincides in time with the rumors according to which 23andMe, which is going through financial complicationsI would be listening to purchase offers. Whoever acquires it will get the genetic data of its 15 million clients.
The AEPD’s investigation has a precedent: in 2021 it did the same with the Israeli firm MyHeritage, a platform that offers genetic analyzes to build family trees. In that case, the procedure was opened based on a claim from the Organization of Consumers and Users (OCU) for inadequate treatment and transfer of users’ genetic data to third parties. MyHeritage was fined and forced to change its behavior.
23andMe, named after the 23 pairs of chromosomes that human cells have, became globally known in 2007 when it became the first company to sell genetic testing kits. In the report they offer to clients, they provide information about the user’s ancestors or predisposition to contracting certain diseases. Its method of taking saliva samples to capture DNA, today a reference in the sector, was considered the invention of the year in 2008 by the magazine Time. The tests, available from around 55 euros, are sent to your home: you have to spit into a small tube, give it back to a courier and within a few weeks they offer the results.
But business has not performed as well as expected. Its IPO in 2021 was disastrous. Revenue is not meeting expectations, and analysts believe that at this rate it will deplete its cash reserves next year. This situation has resulted in a 73% drop in its stock market value so far this year. The search for new customers has led 23andMe to enter the lucrative business of weight loss products in search of new customers: the company announced in the summer that it will try to find genetic variations that can help its users lose weight. However, in September the entire board of directors resigned en masse, with the exception of the co-founder and CEO, Anne Wojcicki, as there were no purchase offers that could rescue the company.
It’s not just you. If anyone in your FAMILY gave their DNA to 23&me, for all of your sakes, close your/their account now. This won’t solve the issue, but they will (they claim) delete some of your data.
And in the future avoid consumer DNA testing.https://t.co/6A1GuqvXGr
— Meredith Whittaker (@mer__edith) October 4, 2024
Wojcicki herself was open to a sale to third parties in September, as reported by Reuters. And that has alarmed privacy experts, because the database held by 23andME (it has the genetic data of 15 million people) is extremely sensitive. The American press has speculated that it would be an appetizing snack, for example, for an insurer, which could know before granting a loan whether or not the client is prone to contracting certain types of cancer.
23andMe sources now assure EL PAÍS that the company is not considering any acquisition offer, and that clients have the option to delete their account at any time. “We do not share our clients’ data with third parties without their consent,” says a company spokesperson. 23andMe’s data sharing policy, however, says that customers’ personal data may be “accessed, sold or transferred.”
Is my data at risk?
This isn’t the first time 23andMe has been on the hook. Just a year ago, the company was hacked, revealing the genetic information of millions of users. The official response was to recommend that users change their password and impose a double authentication method to log into their accounts.
The fact that 23andMe is considering (or has considered) being acquired by a company has raised the concern of some users to another level. “You can request the deletion of your data; Another thing is whether the company, in the chaotic situation it is in, has the means or the interest to do so,” says Jorge García Herrero, a lawyer specializing in data protection. When a customer hits the delete button, their account disappears, but there is a clause in the terms and conditions that says that, for “legal reasons”, both 23andMe and the laboratories that have worked with the samples will keep information about the sex, date birth and genetic information of the user. It is not specified for how long.
European regulations protect 23andMe’s European customers. “The General Data Protection Regulation (GDPR) not only affects companies that work in the EU, but also anyone that processes data of European citizens,” explains Borja Adsuara, consultant and legal expert in privacy. The complicated thing is ensuring that the rule is respected. “It seems to me that there is a lack of audits to verify that everything is being done correctly,” he adds. “If I had hired the services of 23andMe and was concerned about my data, I would wait for the AEPD to act on its own initiative to remind the company that it has to respect European regulations,” says the expert. That’s what seems to be happening.
Genetic data falls within a special category of personal data, included in article 9 of the GDPR. Its processing is prohibited, with few exceptions, always with express consent. There is, in fact, no biometric data more immutable than DNA: it is a kind of personal and non-transferable license plate of each human being that allows them to be recognized unequivocally. A person can erase fingerprints, alter their face to try to defeat facial recognition methods, or even gouge out their eyes to prevent their irises from being read. The genome, on the other hand, accompanies us from the first day to the last.
The most personal information
Another peculiarity of the genome is that it not only concerns a person, but their entire family. There have been cases in the US in which Justice has located murderers not because they have their DNA, but that of a family member. Philosopher Carissa Véliz, professor at the Institute for the Ethics of Artificial Intelligence at the University of Oxford, argues that not even user consent should be enough to be able to manage data such as DNA, since those affected by the analysis are all their relatives.
Likewise, there is specific regulation that affects genetic analysis. “The Oviedo Convention establishes that these studies can be carried out for specific purposes, such as medical research or the prediction of diseases, and that they always require medical advice,” says Mikel Recuero, researcher at the University of the Basque Country and lawyer specialized in the processing of medical data. “These companies operate in a certain legal vacuum: you order the test online, you receive a kit, you take the sample, it is sent to a laboratory and they send you results. The analysis does not occur in a medical setting and there is no professional advice.”
The fact is that 23andMe has done business with its users’ data before. In 2018 reached an agreement with the British GlaxoSmithKline, one of the largest pharmaceutical companies in the world, for more than 300 million dollars for the “development of new medicines.” Only the data of users who consented was used.
Could 23andMe sell your data to a health insurer or a data broker (companies that collect, analyze and sell personal data), as has been speculated? In the US it would be technically possible and legal. In the EU, very complicated. “One of the basic principles of the GDPR is purpose limitation, which means that if you collect data for a specific purpose (for example, DNA to detect a disease), then you cannot use it for another purpose, and if you do You expose yourself to strong sanctions or even disabling of the service,” emphasizes Recuero.
