What 23andMe bankruptcy means for UK customer data

Published On: April 3, 2025 | Last Updated: May 15, 2025

Following 23andMe filing for bankruptcy and the major concern over the future use and privacy of their customers’ sensitive data, OpenSNP has announced it will be shutting down and deleting its customer data stores.

This announcement further opens up the conversation around customer data privacy rights and concerns.

In light of this, Tilo Weigandt, COO and Co-founder of Vaultree, comments on the future of 23andMe’s UK customer data under GDPR, and issues an advisory to customers.


23andMe is a US-based organisation operating within the UK and dealing with the sensitive health data of UK citizens, meaning they are subject to GDPR and the UK GDPR post-Brexit.

Sensitive genetic and health-related information, which is considered special category data, receives the highest level of protection under the law.

Even in the event of bankruptcy, GDPR obligations do not disappear. The appointed administrators or trustees are required to handle data according to GDPR.

This means the data cannot be sold, transferred, or repurposed without clear legal justification, and customers’ explicit consent is required for any new use of their data.

While the company’s assets may be liquidated, personal data is not just another asset. It is protected by law.

This means that if another company buys 23andMe, the company would need to demonstrate that:

  • The data processing purpose is compatible with the original purpose.
  • There is a valid legal basis (like renewed consent) for processing UK customers’ data.
  • Data subjects are informed transparently of the change and given options, including the right to object or withdraw consent.

If any of these steps are skipped, the acquiring company risks serious legal action and GDPR penalties.

Regardless of 23andMe’s financial status or any acquisition, UK-based users still retain their right to access, rectify, or erase their data, be informed about any new controller or use, and object to data processing.

In fact, GDPR requires the new data controller (if there is one) to notify users and uphold their rights.

If those rights are violated, UK customers can complain to the ICO (Information Commissioner’s Office), which has the power to issue fines and enforce compliance.

However, customers are right to be cautious. While GDPR offers strong legal protection, enforcement is not always immediate.

There may be delays in communication about what’s happening to the data, or some data may have already been shared with third-party research or marketing partners prior to the bankruptcy.

Customers should:

  • Review the privacy policy and past consents they gave to 23andMe.
  • Exercise their right to data erasure (“right to be forgotten”) if they no longer wish for their data to be retained or transferred.
  • Monitor the ICO or any future communications regarding the sale or restructuring of 23andMe.

This case underscores why technical guarantees of data privacy are needed in addition to legal ones.

We should all advocate for and provide solutions like data-in-use encryption, which ensures that even in situations like acquisitions or bankruptcies, data cannot be accessed or exploited without the user’s consent — because it remains encrypted and inaccessible by anyone else, by design.

In addition to this, we expect the ICO to be keeping close tabs on the situation as it evolves.

The data held by DNA processing firms is arguably about as sensitive as sensitive data can be – literally people’s personal blueprints – so it must be handled with the utmost care.

Maintaining confidentiality and integrity of the data is absolutely paramount throughout this process.
