What 23andMe’s bankruptcy means for your genetic data


A genetic data giant is falling, and it’s unclear what will happen to millions of people’s most intimate personal information in the aftermath.

On March 23, DNA testing company 23andMe announced it was filing for Chapter 11 bankruptcy, a move intended to facilitate its sale — along with the genetic data of over 15 million customers worldwide. A bankruptcy court hearing is set to begin March 26.

The San Francisco–based company has been reeling since a 2023 data breach exposed ancestry information — and, in some cases, health data — of about 7 million users. Bankruptcy documents made public by 404 Media show that more than 50 class-action lawsuits followed.

The situation reignites long-standing concerns about genetic privacy. The 2018 arrest of the Golden State Killer, identified through a public ancestry database, first raised alarms about the safety of genetic data. With a patchwork of state-level legislation and no clear federal oversight beyond a rule prohibiting genetic discrimination by employers and health insurance companies — but not life insurance or other entities — genetic testing companies have been free to create their own rules, says sociologist of science Alondra Nelson of the Institute for Advanced Study in Princeton, N.J.

“We have gotten 20 years into this industry, and we are about to have a major exchange of 15 million sets of people’s data, and we have still not figured out policies that are protective for people,” Nelson says.

23andMe has assured customers that bankruptcy “does not change how we store, manage, or protect customer data.” Any future buyer, the company says, will adhere to those data standards. But California Attorney General Rob Bonta has urged Californians to instruct 23andMe to delete their data and destroy any biological samples stored at the company. Other attorneys general across the country are echoing that call and making residents aware of their rights.

The stakes go beyond privacy. Genetic researchers have used 23andMe data in studies of human ancestry and disease causation. If customers scrub their data, this cache of genetic information could be lost. Moreover, the company collects approximately 2 million survey responses a week about lifestyle, health and traits, legal health privacy scholar Anya Prince of the University of Iowa and bioethicist Kayte Spector-Bagdady of the University of Michigan wrote in the Feb. 25 JAMA. These data, they note, could drive a range of applications from pharmaceutical research to targeted marketing campaigns.

To unpack what’s at stake, Science News spoke with Nelson, a former acting director of the White House Office of Science and Technology Policy, and Prince, who studies the ethical, legal and social implications of genetic testing. The conversations have been edited for length and clarity.

SN: Why is 23andMe declaring bankruptcy such a big deal?

Prince: It’s such a big deal because, if you think about why 23andMe was valued as high as $6 billion, it’s because of the promise of the monetary value of the data that they hold. If John Deere went into bankruptcy, it would be selling the tractor parts, selling the factories. That is easier than having the asset be millions of people’s data, and not just millions of people’s data, but millions of people’s very sensitive genetic and health data.

Nelson: By 23andMe’s own accounting, 15 million customers counted on them to stay in business and to be able to keep their data safe. Part of the service that 23andMe provided was saying that they could tell people things about themselves and their families, intimate details to which they might not otherwise have access. You expect a company or relationship that’s going to claim to tell you such things about yourself to stick around.

We didn’t exactly know what to do when the data breach occurred, and it’s not quite clear what’s going to happen with the data vis-à-vis the bankruptcy. We’ve had a legislative and policy failure around what to do about direct-to-consumer genetic testing. What we know about genetic testing is that it can be used for forensic applications, it can be used for health care applications. The laws that we have around privacy and protection of health care data like HIPAA or the regulations and norms that we have around forensic data don’t apply to consumer genetic testing.

There were a lot of companies that started doing similar tests that went out of business or got acquired by other companies. So there has been a pattern in the industry in which we don’t know exactly what was happening with these data as the companies get acquired or as they’re traded.

SN: Should people delete their data from 23andMe, or should they keep it so researchers can use it?

Prince: I, for example, am a very, very private person, and so if my data was in a company like 23andMe, I would want to delete it because I’m less comfortable with sharing my data and I’m more controlled about it. I know plenty of other people who are just as rational actors who say, “No, I would love my data to be used for research.”

It makes sense for some people to say, “I understand the risks. I understand that I can’t control who buys my data and how it’s used because of gaps in our federal privacy laws.” If somebody is OK with that, then maybe they don’t need to delete it.

But if people say, “No, I’m worried about accessing insurance. I’m worried about just having my data out there. I’m worried how law enforcement could gain access to it,” — whatever it is that people could be tangibly concerned about — or just wanting their data to be private and know who it’s being shared with, then I think deleting the data is a good step. There are other ways to provide data to help research that might align more with people’s goals or comfort level.

Nelson: We have to open up a broad aperture of things that we can do — and we need to do it quickly — to help people secure their data. If they want to use it for research, great.

The bigger problem is how do you know that your data has been deleted? Is it deleted from everything? Are there collaborations ongoing with other partners, where the data might get circulated into laboratories, research labs and other places? So, sure, ask for the data to be deleted, but I think we also want to have a forensic accounting of the data.

This is not just somebody’s Facebook profile. If you want to delete it, you want to be sure that it’s deleted. How can we create a protocol or a norm, or really call upon 23andMe to act nobly and provide assurances to people that the data is actually deleted out of every database, every hard drive, every collaborator’s research computer?

SN: What worries you most about 23andMe being sold to another entity?

Prince: This whole thing just highlights how little people know about how their data can be shared.

[For instance, 23andMe’s] privacy policy says in the event of bankruptcy, the genetic data can be sold. It says that the new company would have to comply with the existing privacy policy. But the existing privacy policy also says that it can be changed at any time.

It just really leaves consumers with little recourse. The one power that we do have is deleting the data. The challenge of that is that it is a rich resource for research, so that’s a shame.

Nelson: I worry about the 15 million customers, many of whom, if they’re not following the news, may not know that this is happening. They might not have known about the breach in 2023.

I worry in particular about marginalized and vulnerable communities that have histories of repression and oppression [based on] ideas about genetics, and what that means for communities of African descent and communities of Jewish descent.

In 2019, the Department of Defense wrote to all of its employees, particularly those that worked in sensitive areas, and said, “You know what? We’re going to suggest that you not get for Christmas or for Hanukkah these direct-to-consumer genetic tests, because we are worried about the ability of this information to leak, and we’re worried about the ability of this information to be used by malign foreign actors.” It’s dangerous to have people’s personal data circulating in the world.

One would not be foolish to be skeptical of 23andMe offering assurances that they’re going to abide by whatever rules they have. The company is under distress and is seeking to be sold. What are the trade-offs that are going to be made in the negotiation for this sale? Will data privacy of 15 million people be one of those trade-offs?


