Senate skeptical about protection of former customers' genetic data in 23&Me bankruptcy sale

A Senate panel on Wednesday disputed testimony from the CEO of 23andMe that customers’ data may be deleted and is protected under the biotechnology company’s privacy policy, amid a pending bankruptcy sale.

“What you’re doing here has all kinds of implications – national security implications, all of it,” Senate Judiciary Committee member Sen. Josh Hawley told CEO Joseph Selsavage. “But nothing is worse than taking the personally identifiable information Americans consume, keeping it, and lying to them about it when you make a huge profit off of it.”

Selsavage said, “Anyone bidding for 23andMe must comply with the privacy policy, but I am unable to speak on the merits of the bids as the bidding is ongoing." 

Still, nothing prohibits a buyer from altering that policy, testified Glen Cohen, Harvard Law School professor and deputy dean.

The hearing took place amid a pending, $256 million bankruptcy sale that 27 states have sued to prevent. 

Through saliva-based DNA testing kits, 23andMe has provided a service for 15 million customers to learn about their ancestry and health. The biotechnology company therefore possesses two sensitive pieces of customers’ information: the user-provided saliva sample, and the detailed genetic profile created from it, according to the New York Times.

23andMe filed for Chapter 11 bankruptcy in March, two years after it suffered a data breach involving 6.9 million customer accounts.

There are currently two potential bids: the pharmaceutical company Regeneron and the nonprofit medical research organization, TTAM Research Institute, according to Selsavage.

Federal law does little to secure genetic information, testified Brook Gotberg, a bankruptcy and secured transactions professor at Brigham Young University.

23andMe does give customers the right to request the deletion of their account. According to Selsavage, customers can log into their 23andMe account, go to settings and request that their account be deleted.

Hawley, a Missouri Republican and Yale Law School graduate, argued that this was indeed not the case when examining the company’s privacy policy more closely. 

He also read an excerpt from 23andMe’s privacy policy.

“23andMe and/or our contracted genotyping laboratory will retain your genetic information, date of birth, and sex as required for compliance with applicable legal obligations … even if you choose to delete your account,” according to 23andMe’s privacy policy.

Neither the Health Insurance Portability and Accountability Act (HIPAA), nor the Genetic Information Nondiscrimination Act of 2008 (GINA) protect citizens’ genetic data from being exploited by companies like 23andMe, according to Cohen.

While genetic data has led to significant medical discoveries, lawmakers argue customers should have the right to consent to the use of their data.

As federal regulations try to catch up with technological advancements, no federal law prevents 23andMe from sharing personal medical information with insurance companies or future employers.

“Unless we have a federal law relative to this issue that applies to future transactions, your best intentions don’t mean much,” said Illinois Sen. Dick Durbin, the committee's top Democrat.

Sens. Chuck Grassley, R-Iowa; John Cornyn, R-Texas; and Amy Klobuchar, D-Minn., have introduced the bipartisan Don’t Sell My DNA Act “to safeguard consumers’ sensitive genetic data during corporate bankruptcy proceedings.”