The following announcement was issued by the Office of the Privacy Commissioner of Canada on June 10. The Data Breach Times has previously reported on the 23andMe data breach.
The privacy authorities for Canada and the United Kingdom (UK) have launched a joint investigation into the data breach that was discovered in October 2023 at the global direct-to-consumer genetic testing company 23andMe.
Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards will investigate the 23andMe breach jointly, leveraging the combined resources and expertise of their two offices.
23andMe is a custodian of highly sensitive personal information including genetic information which does not change over time. It can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships. This makes public trust in these services essential.
The joint investigation reflects the regulators’ commitment to collaborate on protecting the fundamental right to privacy of individuals across jurisdictions and will examine:
- the scope of information that was exposed by the breach and potential harms to affected individuals;
- whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
- whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws.
The OPC will continue to work closely with its counterparts in Quebec, British Columbia, and Alberta as the investigation proceeds.
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” said Commissioner Dufresne. “Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
Commissioner Edwards said: “People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
Privacy legislation allows the privacy authorities of Canada and the UK to work together on matters of impact across the two jurisdictions. Each regulator will investigate compliance with the law that it oversees.
No further comment will be made while the investigation is ongoing.