DNADNA (Warren Umoh / Unsplash)

Canada and UK have launched an official joint investigation into the recent 23AndMe, a service that provides customers with genetic information such as ancestry and health traits, data breach that may have exposed personal information of its users to unknown threat actors.

23andMe, known for handling highly sensitive personal information, including genetic data, is under scrutiny due to the nature of the breached information. Genetic data, which remains constant over time, can provide insights into an individual’s health, ethnicity, and biological relationships, thus making the protection of such information paramount.

Scope and Objectives of the Investigation

The joint investigation by Canadian and UK privacy regulators aims to:

  1. Determine the Extent of the Data Breach: Assess the volume and type of information exposed and the potential harm to individuals affected by the breach.
  2. Evaluate Security Measures: Investigate whether 23andMe had sufficient safeguards to protect the sensitive information under its control.
  3. Assess Breach Notifications: Verify if 23andMe provided timely and adequate notification about the breach to both the regulators and the affected individuals, as mandated by Canadian and UK privacy laws.

The Office of the Privacy Commissioner (OPC) of Canada will continue collaborating with its counterparts in Quebec, British Columbia, and Alberta throughout the investigation.

Statements from Privacy Commissioners

Commissioner Philippe Dufresne emphasized the critical nature of protecting genetic information, stating, “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is a crucial focus for privacy authorities in Canada and around the world.”

UK Information Commissioner John Edwards added, “People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Commitment to Privacy Protection

This joint investigation underscores the commitment of both Canada and the UK to safeguard the fundamental right to privacy across their jurisdictions. The investigation will adhere to the privacy legislation that allows for collaborative efforts between the two countries.

No further comments will be made until the investigation concludes.