Privacy Commissioner launches investigation into 23andMe data breach
On June 10, 2024, the Privacy Commissioner of Canada and the UK Information Commissioner announced a joint investigation into the data breach at 23andMe, a direct-to-consumer genetic testing company, that was discovered in October 2023.
Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards will examine three main things:
- The scope of information that was exposed by the breach and potential harms to affected individuals.
- Whether 23andMe had adequate safeguards to protect the highly sensitive information within its control.
- Whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws.
Both regulators recognize that genetic information is highly sensitive personal information: it can reveal details about an individual and their family members, including health conditions, ethnicity, and biological relationships.
Canada’s Privacy Commissioner, Dufresne, stated, “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination…Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
What exactly happened in this breach? According to a statement from the company, attackers gained access to roughly 6.9 million profiles on the site, nearly half its customer base. Those profiles contained sensitive personal data, including birth year, geographic location, health information, and the percentage of DNA that users shared with their relatives.
Privacy expert Professor Teresa Scassa had the following to say after the breach was discovered, addressing those considering the tests: “I would not do it and if anyone asked me, I would say, ‘do not do it’.” The concern is understandable: customers are handing over what amounts to their raw genetic code. In addition, the attackers accessed family tree profile information for about 1.4 million customers.
The Privacy Commissioners of Canada and the UK have a memorandum of understanding that sets out the terms of their arrangement. The memorandum identifies the applicable laws, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the UK Data Protection Act (DPA), as the main instruments to which the investigation will refer.
In that memorandum, signed in 2019 and 2020 by Commissioners Therrien and Denham respectively (as they then were), the Commissioners acknowledged that it was in their common interest to collaborate, namely to share experiences, carry out joint research projects, exchange information (but not personal information), conduct joint investigations, hold bilateral meetings, and undertake similar activities.
As the current Privacy Commissioner recently said at the Canada Privacy Symposium, “…protecting privacy is one of the paramount challenges of our time.”
Let us consider this an invitation to Canadians to get involved in privacy advocacy, education, promotion, and enforcement.
Meanwhile, a class action has been commenced in British Columbia seeking damages from 23andMe for breaches of privacy and consumer protection laws, breach of contract, and negligence. We will keep you posted on the investigation and on the results of any class actions.