In the wake of 23andMe filing for bankruptcy protection, customers are now left grappling with fears over the privacy of their DNA data and renewed concerns over security following a previous breach.
Even before filing for bankruptcy protection, the embattled maker of DNA test kits faced multiple class-action lawsuits and investigations, including by privacy watchdogs in Canada and the U.K.
“The Offices of Privacy Commissioner of Canada Philippe Dufresne and United Kingdom Information Commissioner John Edwards are jointly investigating the global data breach at 23andMe,” Vito Pilieci, a senior communications adviser with the Office of the Privacy Commissioner, shared in an email to Metroland. The commissioners are expected to issue the final findings of the investigation in the next few months.
The massive breach reportedly compromised the data of more than 6.9 million people.
On October 4, the hacker offered to sell data profiles in bulk, ranging from $1-$10 per 23andMe account, depending on the quantity purchased.
— Matt Johansen (@mattjay)
When did the 23andMe data breach happen?
In October 2023, the sensitive data of millions of 23andMe users, including those of “top business magnates,” were posted for sale on the popular dark web cybercrime forum BreachForums, according to .
Data of millions of users with were being sold for $1 to $10 per account.
Later that month, the company confirmed the breach in a , and claimed it was caused by a “credential stuffing attack,” in which attackers log in with username and password pairs that users had reused from other services and that had already leaked elsewhere, rather than by breaking into 23andMe’s systems directly.
In September 2024, 23andMe agreed to pay a to resolve more than 40 class-action lawsuits in the wake of the data breach. A few months later, in , the struggling genomics company announced it had filed for bankruptcy.
Will my 23andMe data be sold as part of the bankruptcy procedures?
A few days after the bankruptcy announcement, the company was granted permission by a judge to sell its customers’ medical and ancestry data to potential bidders. Offers from buyers are due May 7, with a proposed May 14 auction for the sale of its assets, including users’ data.
As customers’ genetic and health data go up for grabs, many are left scrambling to find ways to scrub their sensitive information off the platform and withdraw consent for third-party research ahead of the auction.
Can I delete my 23andMe data before the bankruptcy auction?
While Europeans have the “right to be forgotten,” which allows individuals to request organizations delete their personal information from digital platforms, Canadian consumers may find recourse through PIPEDA.
“The general obligations under the , Canada’s federal private-sector privacy law, would continue to apply to personal information in the care of 23andMe and to any personal information that is transferred as part of a sale,” the Office of the Privacy Commissioner said.
Users may request that 23andMe delete their personal data, the OPC added. “Under PIPEDA, individuals have a right to withdraw consent to the continued use of their personal information.”
The request will, however, be subject to “legal or contractual restrictions and reasonable notice,” which in certain circumstances may require the company to delete the information, the OPC explained.
How to delete my 23andMe data
Consumers also have the option to delete their data by logging into their account. Once logged in, they can go to their profile and click “settings,” scroll down to the bottom of the page until they see “23andMe data” and click “view.” Here, they can download their data before clicking “permanently delete data.”
"Delete your DNA from 23andMe right now"
— Heather Long (@byHeatherLong)
From tech reporter Geoffrey Fowler:
Unless you take action, there is a risk your genetic information could end up in someone else’s hands — and used in ways you had never considered. It took me just 1 minute to delete my data on the…
“If an individual faces any challenges in having their data deleted, they may or ,” the OPC said.
Some consumers who requested data deletion, however, were sent confirmation emails stating their genetic information and other personal information will be retained.
Just requested to delete my 23andMe data. They sent a confirmation email literally saying “we will delete it, but also keep it”. Can anyone advise what I can do about it?
— Rand Hindi (@randhindi)
The commissioners’ offices in Canada and the U.K. are currently “in contact with the company to obtain more information about how 23andMe’s (data) retention practices apply to users in the UK and Canada.”
According to a retention clause in 23andMe’s privacy policy, certain information may be kept even after a customer requests deletion.
“23andMe clearly states that they retain an individual’s genetic information, date of birth, and sex even after the user deletes their account,” said Sujaya Maiyya of the University of Waterloo’s Cybersecurity and Privacy Institute in an interview with Metroland.
Data privacy and security experts raise concerns over using direct-to-consumer DNA testing
Maiyya, whose research focuses on data privacy and security, cautions consumers planning to use direct-to-consumer genetic testing.
The professor advises paying close attention to the data retention and data deletion clauses in the company’s terms and conditions.
If a person eventually decides they do not want the company to have their data, they should be guaranteed their sensitive information will be removed, she explained.
What happens when I give consent for my data to be used for research?
Maiyya says consumers should be cautious when agreeing to give consent for their sensitive data to be used for research.
While sharing your data serves to advance important research, the problem lies in researchers being able to download the data. In most cases, once consent for research use is given, anybody who’s doing research can access these data sets.
After a researcher signs a materials transfer agreement, for example, they can download the data which will then reside in their server or computer, she explained.
“Once access is given, it is difficult to revoke it and nearly impossible to ensure all parties holding the data actually delete it,” she added.
In the case of 23andMe, while users can revoke consent — which will discontinue the use of their data for future research — the company’s policy is unclear when it comes to handling previously shared data if a user deletes their account or revokes their permission to participate in research, Maiyya explained.
The company claims only data stripped of the name and contact information will be shared for research. But, Maiyya raised concerns over a clause in 23andMe’s stating there is still a chance users can be re-identified by bad actors.
23andMe did not respond to a request for comment.