The corporate then sequences the genetic materials within the pattern and generates a report about their ancestry, the chance that they could be carriers of illness markers or have a predisposition to sure sicknesses, and the way their physique might react to sure drugs. Up to now, over 15 million prospects have submitted their private genetic knowledge to 23andMe.
Because it occurs, 23AndMe shouldn’t be doing effectively as an enterprise. Its inventory has fallen by near 99% from its peak valuation of $6 billion again in 2021 and staff are being laid off in tranches.
The corporate’s complete board has resigned over a disagreement with its founder-CEO Anne Wojcicki, who mentioned that she is open to promoting the corporate—together with its large stockpile of DNA knowledge—to the very best bidder.
This will need to have come as a shock to its prospects, all of whose genetic info is now up for grabs by the very best bidder. I can’t think about any of them having thought that the DNA knowledge they have been submitting with the intention to get trivial private insights would find yourself being offered in a hearth sale.
Had the thought even entered their minds, I’m certain they’d have evaluated extra significantly whether or not the advantages they stood to obtain from the corporate have been definitely worth the threat of getting their genetic knowledge put into the fingers of an unknown third celebration.
In a latest article, privateness knowledgeable Daniel J. Solove made it clear that there’s little or no that American prospects can do to forestall this from taking place—even when they wished to.
Over 20 years in the past, when on-line toy service provider Toysmart tried to promote its database of kids’s knowledge like this, the Federal Commerce Fee had intervened, insisting that the corporate ought to solely promote this knowledge to an entity working in the identical house if it agrees to uphold the privateness insurance policies that Toysmart had put in place.
Since then, in response to Solove, all knowledge firms (together with 23AndMe) have particularly included a clause of their privateness insurance policies to the impact that, within the occasion of a “chapter, merger, acquisition, reorganization, or sale of belongings,” they may promote or switch the non-public info of their customers as part of such transactions. So the purchasers of 23AndMe might need already—though they could not understand it—supplied consent to a hearth sale.
In Europe, issues are more likely to be lots clearer. Beneath its Basic Knowledge Safety Regulation (GDPR), when private knowledge is transferred to an acquirer in a merger, the needs for which the information is processed post-acquisition have to be suitable with the unique functions for which it was collected.
If the acquirer intends to course of the information for any new goal, it should first notify prospects about it. Any acquirer of genetic knowledge could be topic to those restrictions no matter what might have been written within the privateness coverage of the acquisition goal.
How then, would this play out in India? Because it occurs, the ultimate draft of the Digital Private Knowledge Safety Act, enacted into regulation in August 2023, included a model new provision that had not featured in every other draft up till then.
Part 17(1)(e) particularly exempts from lots of the Act’s provisions the processing of digital private knowledge if such processing was obligatory in reference to the merger or amalgamation of an organization.
On account of this new provision, 23AndMe would have been below no obligation to acquire the prior consent of knowledge principals earlier than transferring their genetic info to an acquirer.
This, nonetheless, doesn’t imply that the acquirer will probably be free to course of this newly acquired genetic info because it chooses for functions aside from these set out within the privateness discover that knowledge principals had agreed to once they signed up for the service.
Whereas the exemption provided by Part 17(1)(e) is broad, it solely extends to processing that’s obligatory with the intention to full the merger. It is not going to prolong to any subsequent processing carried out—reminiscent of something undertaken by the brand new acquirer after the merger is full.
If the acquirer desires to make use of the genetic knowledge for some new goal, it’ll solely find a way to take action in accordance with the phrases of the 23AndMe privateness coverage that the client had agreed to whereas signing up for the service—or together with her recent consent.
Because it occurs, 23andMe’s privateness coverage, as is usually the case, was worded loosely. The “companies” to which it applies have been described in broad phrases; they cowl any product, software program or service that the corporate gives, whether or not now or sooner or later.
It might be comparatively trivial for any acquirer of this firm to align no matter it intends to make use of the newly acquired genetic knowledge for with what has already been permitted below the privateness coverage.
Whereas Part 17(1)(e) was launched to make it simpler for entities to finish reputable company re-structuring actions, within the context of data-heavy companies such because the one which 23AndMe is engaged in, this exemption may place specific varieties of buyer knowledge in danger.
As we watch for India’s private knowledge safety regulation to come back into drive, we will solely hope that within the weeks and months after its notification, better readability will emerge from the federal government over how points like these will probably be addressed.
