The controversial 23andMe case offers a valuable lesson on the importance of privacy and data protection regulations, especially in the European Union.
Founded in 2006, 23andMe has popularised direct-to-consumer genetic testing. With a user base worldwide, including European countries where privacy regulations are particularly strict, the company provides ancestry and health information through saliva samples. Initially, it faced criticism over privacy issues but also received praise, including recognition from Time Magazine in 2008 for its personal genome service. Over the years, it has reduced the cost of its tests and expanded its user base while establishing partnerships for genetic research. However, concerns about data use and recent financial troubles have impacted its reputation and stability.
In 2023, the company suffered a massive data breach, compromising the personal information of over 6.9 million users, which raised concerns about the privacy of genetic data. The stolen data included information such as names, relationships, and, in some cases, dates of birth, locations, photographs, addresses, and the percentage of DNA shared with relatives. As a result, it faced multiple lawsuits and recently agreed to pay $30 million in a class-action settlement. Over the past year, 23andMe’s Board of Directors has resigned, the company’s market value has suffered a major decline, and comments by its founder, Anne Wojcicki, about her willingness to consider third-party acquisition proposals have caused concern among users about the fate of their personal data, exacerbating uncertainty about the company’s future viability.
These issues highlight the challenges in protecting sensitive personal data, and this article will analyse how the General Data Protection Regulation (GDPR) and the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) can guide Spanish companies in dealing with issues like those faced by 23andMe. So, what can we learn from this case?
The GDPR applies to all companies that process personal data of individuals residing in the European Union, regardless of the company’s location. It affects companies inside and outside the EU that offer goods or services in the EU or monitor individuals in the EU and, as such, they must comply with GDPR obligations and allow individuals to exercise their rights under the GDPR.
WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR) AND HOW DOES IT AFFECT ME?
The GDPR categorises certain types of personal data as "special", given their potential to significantly affect individuals’ privacy and security if misused. This data requires additional protection and can only be processed under strict circumstances. Sensitive data types include:
The GDPR permits the processing of personal data in these categories only under certain conditions, such as the explicit consent of the individual or when necessary for public interest, or for medical, employment, or public safety purposes.
Under the GDPR, notification of personal data breaches to the data protection supervisory authority (in Spain, the Spanish Data Protection Agency) and to those affected is mandatory in certain circumstances:
Avoiding password reuse across websites is crucial because it limits the damage a single security failure can do: one compromised site no longer exposes multiple accounts. Additionally, using security measures like two-factor authentication is essential for protecting personal data.
For a secure password, follow these tips:
At Conesa Legal we use dedicated software to manage individual and team passwords. Contact us and we will recommend a cybersecurity provider.
Imagine your company is in trouble, and you have to consider selling it. What will the new company be able to do with the personal data your company has collected?
Let's consider Article 21 of Organic Law 3/2018, which regulates data processing in business operations.
Article 21. Data processing related to certain business operations
The new entity could use the personal data of your clients, but it would need to comply with current data protection regulations. Continuation of this data processing would only be possible if it ensured the protection of the rights of data subjects and if the new processing was compatible with and necessary for the original purposes for which the data was collected.
The most common legal basis in these cases is legitimate interest (Article 6.1.f of the GDPR). The acquiring company has a legitimate interest in continuing to process client data to ensure business continuity. By means of a balancing test, the company must ensure that this interest is not overridden by the rights and freedoms of the data subjects.
Clients should be notified of the change in data controller and the details of the new company. This would include updating the privacy policy and providing information about the rights they may exercise, such as the right of access, rectification, erasure, and objection. The acquiring company must be prepared to respond to customer requests to delete their data if they no longer want the new company to retain it.
The 23andMe case highlights the importance of complying with data protection regulations, especially the GDPR and the LOPDGDD in Spain, when handling sensitive personal information. The data breach experienced by the company underscores the security risks in processing personal data and the responsibility companies have to protect personal data, including in the event of acquisition or restructuring. Companies must maintain ongoing transparency about data use, implement robust security measures, and notify breaches when applicable. Learning from this case can help companies avoid penalties and strengthen client trust in the protection of their privacy rights.
At CONESA LEGAL, we are here to help you protect your business and ensure compliance with data protection regulations. If you need personalised advice to implement the GDPR and the LOPDGDD in your organisation and avoid legal risks, do not hesitate to contact us. Your peace of mind and the security of your data are our priority.