The controversial 23andMe case offers a valuable lesson on the importance of privacy and data protection regulations, especially in the European Union.
Written by Abigail Sked
Paralegal
Founded in 2006, 23andMe has popularised direct-to-consumer genetic testing. With a user base worldwide, including European countries where privacy regulations are particularly strict, the company provides ancestry and health information through saliva samples. Initially, it faced criticism over privacy issues but also received praise, including recognition from Time Magazine in 2008 for its personal genome service. Over the years, it has reduced the cost of its tests and expanded its user base while establishing partnerships for genetic research. However, concerns about data use and recent financial troubles have impacted its reputation and stability.
In 2023, the company suffered a massive data breach, compromising the personal information of over 6.9 million users, which raised concerns about the privacy of genetic data. The stolen data included information such as names, relationships, and, in some cases, dates of birth, locations, photographs, addresses, and the percentage of DNA shared with relatives. As a result, it faced multiple lawsuits and recently agreed to pay $30 million in a class-action settlement. Over the past year, the independent members of 23andMe's Board of Directors have resigned, the company's market value has suffered a major decline, and comments by its co-founder, Anne Wojcicki, about her willingness to consider third-party acquisition proposals have caused concern among users about the fate of their personal data, exacerbating uncertainty about the company's future viability.
These issues highlight the challenges in protecting sensitive personal data, and this article will analyse how the General Data Protection Regulation (GDPR) and the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) can guide Spanish companies in dealing with issues like those faced by 23andMe. So, what can we learn from this case?
1. The GDPR can apply to companies outside the EU
The GDPR applies to all companies that process the personal data of individuals who are in the European Union, regardless of where the company is established. It reaches companies inside and outside the EU that offer goods or services to people in the EU or monitor their behaviour there; such companies must comply with GDPR obligations and allow individuals to exercise their rights under the GDPR.
2. Genetic data is considered especially sensitive personal data
The GDPR categorises certain types of personal data as "special categories", given their potential to significantly affect individuals' privacy and security if misused. This data requires additional protection and may only be processed under strict conditions. The special categories are:
- Ethnic or racial origin data
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (when used to uniquely identify a person, such as fingerprints or facial recognition)
- Health data (information about an individual’s physical or mental state)
- Data on sex life or sexual orientation
The GDPR prohibits the processing of these categories of data except under specific conditions, such as the explicit consent of the individual, or where processing is necessary for purposes such as employment law, substantial public interest, medical care, public health, or scientific research, subject to appropriate safeguards.
3. In the event of a data breach, the law may require you to notify affected individuals
Under the GDPR, notification of personal data breaches to the data protection supervisory authority (in Spain, the Spanish Data Protection Agency) and to those affected is mandatory in certain circumstances:
Notification to the Supervisory Authority:
- Notification to the data protection authority is mandatory within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals.
- If notification is not made within 72 hours, the reasons for the delay must accompany it.
- The notification should describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records affected), its likely consequences, the measures taken or proposed to contain and manage it, and a point of contact such as the data protection officer.
Communication to the data subjects (affected individuals):
- This is mandatory when the breach is likely to pose a high risk to the rights and freedoms of the affected individuals.
- The communication should be made without undue delay and in clear, plain language, explaining the nature of the breach, its likely consequences, the measures taken or proposed, and contact details.
- Communication to the data subjects is not required if the company had applied effective protective measures to the affected data (for example, encryption that renders it unintelligible to anyone without the key), if subsequent measures mean the high risk is no longer likely to materialise, or if individual notification would require disproportionate effort (in which case a public communication should be made instead).
4. It is incredibly important not to use the same password for multiple websites
Not reusing a password across websites is crucial because it limits the damage of a single security failure: a password leaked from one service cannot then be used to open your other accounts. Additionally, enabling security measures such as two-factor authentication is essential for protecting personal data, since it blocks an attacker who has obtained only the password.
How to create secure passwords
For a secure password, follow these tips:
- Length: Use long passwords; at least 12 to 16 characters.
- Character variety: Mix uppercase and lowercase letters, numbers, and special characters (such as %, &, #).
- Avoid common words and patterns: Don’t use predictable combinations like "12345," "password," or personal information such as birth dates or names.
- Use a password generator: Password managers can generate random, secure passwords and store them safely.
- Unique phrases: If you prefer to create your own password, you can use a combination of random words that is easy to remember but hard to guess, like "DogDuckSun56!" (do not use this particular example, as it is now published).
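As an added illustration (not part of the original article), the following Python script generates passwords and passphrases that follow the rules above using the operating system's cryptographic random source (`secrets`, never `random`), and checks a candidate password against the same rules. The word list, the common-pattern list and the personal-information inputs are constructed for the example; a real passphrase generator would draw from a large published word list.

```python
import re
import secrets
import string

# Constructed word list for the example only; use a large list (thousands of
# words) in practice so that four or more words give real entropy.
WORDS = ["dog", "duck", "sun", "river", "maple", "stone", "cloud", "orbit",
         "lemon", "harbour", "violet", "anchor", "pixel", "marble", "crane", "ember"]

# Constructed list of predictable fragments the article warns against.
COMMON_PATTERNS = ("12345", "password", "qwerty", "abc", "admin")

SYMBOLS = "%&#!?@"


def generate_password(length: int = 16) -> str:
    """Random password from letters, digits and symbols using the OS CSPRNG.

    Rejects candidates missing any character class, so the result always
    satisfies the 'character variety' rule from the article.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def generate_passphrase(n_words: int = 4, separator: str = "-") -> str:
    """Random words joined by a separator, chosen with secrets.choice so the
    sequence is unpredictable (random.choice would be seeded predictably)."""
    return separator.join(secrets.choice(WORDS) for _ in range(n_words))


def check_password(pw: str, personal_info=()) -> list:
    """Return a list of problems; an empty list means the password passes
    the length, variety, common-pattern and personal-information rules."""
    problems = []
    if len(pw) < 12:
        problems.append("too short (< 12 characters)")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    low = pw.lower()
    for pattern in COMMON_PATTERNS:
        if pattern in low:
            problems.append(f"contains common pattern '{pattern}'")
    for info in personal_info:
        if info and info.lower() in low:
            problems.append(f"contains personal information '{info}'")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains a run of 4+ repeated characters")
    return problems


if __name__ == "__main__":
    print("generated password  :", generate_password())
    print("generated passphrase:", generate_passphrase())
    # Constructed inputs: the user's name and birth year as personal information.
    print("weak example        :", check_password("Anne1990!xyzQ", ["Anne", "1990"]))
```

The generator and the checker are deliberately separate: the checker is what a registration form or a password manager's audit feature would run on a user-chosen password, while the generator is what produces a fresh, unique credential per site so that a breach at one service does not expose the others.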
At Conesa Legal we use dedicated software to manage individual and team passwords. Contact us and we will recommend a cybersecurity provider.
5. Acquiring a company doesn't mean you can do whatever you want with the personal data it collected
Imagine your company is in trouble, and you have to consider selling it. What will the new company be able to do with the personal data your company has collected?
Let's consider Article 21 of Organic Law 3/2018 (LOPDGDD), which regulates data processing in certain business operations.
Article 21. Data processing related to certain business operations
- Unless proven otherwise, data processing, including preliminary communication, will be presumed lawful if derived from any operation involving a corporate structural change or the transfer of a business or branch of activity, provided that the processing is necessary for the operation and, where appropriate, guarantees the continuity of services.
- If the operation does not go through, the acquiring entity must immediately delete the data, and the blocking obligation set out in this organic law will not apply.
The new entity could use the personal data of your clients, but it would need to comply with current data protection regulations. Continuation of this data processing would only be possible if it ensured the protection of the rights of data subjects and if the new processing was compatible with and necessary for the original purposes for which the data was collected.
The most common legal basis in these cases is legitimate interest (Article 6.1.f of the GDPR). The acquiring company has a legitimate interest in continuing to process client data to ensure business continuity. By means of a balancing test, the company must verify that this interest is not overridden by the interests or fundamental rights and freedoms of the data subjects; if it is, this legal basis is not available.
Clients should be notified of the change in data controller and the details of the new company. This would include updating the privacy policy and providing information about the rights they may exercise, such as the right of access, rectification, erasure, and objection. The acquiring company must be prepared to respond to customer requests to delete their data if they no longer want the new company to retain it.
Summary
The 23andMe case highlights the importance of complying with data protection regulations, especially the GDPR and the LOPDGDD in Spain, when handling sensitive personal information. The data breach experienced by the company underscores the security risks in processing personal data and the responsibility companies have to protect personal data, including in the event of acquisition or restructuring. Companies must maintain ongoing transparency about data use, implement robust security measures, and notify breaches when applicable. Learning from this case can help companies avoid penalties and strengthen client trust in the protection of their privacy rights.
We can advise you on Data Protection
At CONESA LEGAL, we are here to help you protect your business and ensure compliance with data protection regulations. If you need personalised advice to implement the GDPR and the LOPDGDD in your organisation and avoid legal risks, do not hesitate to contact us. Your peace of mind and the security of your data are our priority.