Silicon Valley-based 23andMe, which sells DNA test kits for genealogy research and medical genetic analysis, announced on Sunday that it has filed for bankruptcy protection.
The assets, including information about up to 15 million users, will be sold to the highest bidder.
Experts on digital privacy, including Professor Yann Joly, are urging customers to request that their samples and data be destroyed and deleted.
Despite a relatively robust privacy policy, which the company says will also apply to a future owner, there is no way of knowing how such an owner will act.
"Will they try to find loopholes? Will they continue to conduct the same research, or research that one is less comfortable participating in?" asks Joly, who leads the center for genomics and policy at McGill University in Montreal, Canada.
Catastrophic Consequences
The most likely buyer is a biomedicine or pharmaceutical company that wants to use the data for research or to train its AI, believes Joly.
Even if the risk is small, sensitive information could also be used by insurance companies, police, or migration authorities – or for extortion purposes.
Tazin Khan, head of the non-profit cybersecurity organization Cyber Collective, warns of catastrophic consequences if the data is sold.
"People have absolutely no power over where their data ends up," she tells CNBC.
In a data breach in 2023, hackers gained access to information from 6.9 million of the company's user accounts. Among other things, a list of people with Jewish ancestry was put up for sale on the darknet.
GDPR Applies
Over 100,000 Swedes are estimated to have taken a DNA test for genealogy purposes. It is unclear how many are in the current database.
Sinan Akdag, an expert on digital consumer law at the Swedish Consumers' Association, recommends requesting that one's data be deleted in accordance with GDPR, which also applies to companies outside the EU that process EU citizens' personal data.
"When you submitted your DNA, you gave 23andMe consent to process personal data. A consent under GDPR can always be withdrawn, and then the personal data must be removed," he says.
The theory of legislation and what happens in practice can, however, be two different things.
As a private individual, you can value your DNA information in different ways. But you should be aware that no data protection is impossible to circumvent. There is always a risk.
The American DNA testing company 23andMe was founded in 2006 and is one of the largest on the market.
The user sends in a saliva sample and receives information about potential health risks and their genetic ancestry.
The company's product was named Invention of the Year by Time Magazine in 2008. The company has had investors such as Google and has collaborated with GlaxoSmithKline.
According to its own statement, the company has a total of 15 million customers worldwide and has sold over 12 million DNA kits for home testing. In Europe, the company offers its services in Sweden, the Netherlands, Ireland, Finland, and Denmark.
The tests are popular among genealogists and, for those who have given their consent, the data has also been used in medical research.
Genetic data from 23andMe has, among other things, been used in several research studies at the Karolinska Institute in Stockholm.