The Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the data breach that happened in October 2023 at the global direct-to-consumer genetic testing company 23andMe.
UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne will investigate the 23andMe breach jointly, leveraging the combined resources and expertise of their two offices.
23andMe is a custodian of highly sensitive personal information, including genetic information which does not change over time. It can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships. This makes public trust in these services essential.
The joint investigation reflects the regulators’ commitment to collaborate on protecting the fundamental right to privacy of individuals across jurisdictions.
It will examine:
- the scope of information that was exposed by the breach and potential harms to affected people;
- whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
- whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws.
John Edwards, UK Information Commissioner, said:
“People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
Philippe Dufresne, Privacy Commissioner of Canada, said:
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
Data protection and privacy legislation allows the privacy authorities of Canada and UK to work together on matters of impact across the two jurisdictions. Each regulator will investigate compliance with the law that it oversees. No further comment will be made while the investigation is ongoing.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The Privacy Commissioner of Canada is an Agent of Parliament whose mission is to protect and promote privacy rights. The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law.
- The joint investigation will be conducted under the Memorandum of Understanding between the ICO and OPC.
