The company then sequences the genetic material in the sample and generates a report about their ancestry, the risk that they may be carriers of disease markers or have a predisposition to certain illnesses, and how their body may react to certain medications. To date, over 15 million customers have submitted their personal genetic data to 23andMe.
As it happens, 23AndMe is not doing well as an enterprise. Its stock has fallen by close to 99% from its peak valuation of $6 billion back in 2021 and employees are being laid off in tranches.
The company’s entire board has resigned over a disagreement with its founder-CEO Anne Wojcicki, who said that she is open to selling the company—along with its massive stockpile of DNA data—to the highest bidder.
This must have come as a shock to its customers, all of whose genetic information is now up for grabs by the highest bidder. I cannot imagine any of them having thought that the DNA data they were submitting in order to get trivial personal insights would end up being sold in a fire sale.
Had the thought even entered their minds, I am sure they would have evaluated more seriously whether the benefits they stood to receive from the company were worth the risk of having their genetic data put into the hands of an unknown third party.
In a recent article, privacy expert Daniel J. Solove made it clear that there is very little that American customers can do to prevent this from happening—even if they wanted to.
Over two decades ago, when online toy merchant Toysmart attempted to sell its database of children’s data like this, the Federal Trade Commission had intervened, insisting that the company should only sell this data to an entity operating in the same space if it agrees to uphold the privacy policies that Toysmart had put in place.
Since then, according to Solove, all data companies (including 23AndMe) have specifically included a clause in their privacy policies to the effect that, in the event of a “bankruptcy, merger, acquisition, reorganization, or sale of assets,” they could sell or transfer the personal information of their consumers as a part of such transactions. So the customers of 23AndMe might have already—even though they may not know it—provided consent to a fire sale.
In Europe, things are likely to be a lot clearer. Under its General Data Protection Regulation (GDPR), when personal data is transferred to an acquirer in a merger, the purposes for which the data is processed post-acquisition must be compatible with the original purposes for which it was collected.
If the acquirer intends to process the data for any new purpose, it must first notify customers about it. Any acquirer of genetic data would be subject to these restrictions regardless of what may have been written in the privacy policy of the acquisition target.
How then, would this play out in India? As it happens, the final draft of the Digital Personal Data Protection Act, enacted into law in August 2023, included a brand new provision that had not featured in any other draft up until then.
Section 17(1)(e) specifically exempts from many of the Act’s provisions the processing of digital personal data if such processing was necessary in connection with the merger or amalgamation of a company.
As a result of this new provision, 23AndMe would have been under no obligation to obtain the prior consent of data principals before transferring their genetic information to an acquirer.
This, however, does not mean that the acquirer will be free to process this newly acquired genetic information as it chooses for purposes other than those set out in the privacy notice that data principals had agreed to when they signed up for the service.
While the exemption offered by Section 17(1)(e) is broad, it only extends to processing that is necessary in order to complete the merger. It will not extend to any subsequent processing carried out—such as anything undertaken by the new acquirer after the merger is complete.
If the acquirer wants to use the genetic data for some new purpose, it will only be able to do so in accordance with the terms of the 23AndMe privacy policy that the customer had agreed to while signing up for the service—or with her fresh consent.
As it happens, 23andMe’s privacy policy, as is often the case, was worded loosely. The “services” to which it applies have been described in broad terms; they cover any product, software or service that the company provides, whether now or in the future.
It would be relatively trivial for any acquirer of this company to align whatever it intends to use the newly acquired genetic data for with what has already been permitted under the privacy policy.
While Section 17(1)(e) was introduced to make it easier for entities to complete legitimate corporate re-structuring activities, in the context of data-heavy businesses such as the one that 23AndMe is engaged in, this exemption might place particular types of customer data at risk.
As we wait for India’s personal data protection law to come into force, we can only hope that in the weeks and months after its notification, greater clarity will emerge from the government over how issues like these will be addressed.
#privacy #data #mustnt #breached #acquisition #cases
