A DNA-testing firm’s bankruptcy raises questions over whether people have a right to their genetic data

The bankruptcy of a DNA-testing firm has raised questions over rights to genetic data. Photo / 123rf

Do people have a right to control what happens to a genetic analysis of their own spit?

That is the question that attorneys-general from 27 states and the District of Columbia are raising in the bankruptcy of the DNA testing company 23andMe, filing suit on Tuesday to force a judge to determine whether the firm’s customers have an inherent right to their genetic information.

The lawsuit, in addition to a similar one filed by Texas, is pushing a bankruptcy court to consider novel legal questions more profound than a simple auction of 23andMe’s assets.

The uniquely sensitive nature of 23andMe’s trove of genetic data from more than 15 million customers is drawing scrutiny from states across the country and in Congress.

While consumers routinely share information with companies that is subsequently bought and transferred to third parties, the data gleaned about people from a sample of their saliva poses a new type of privacy challenge, the states argue.

According to the states’ lawsuit, “23andMe holds - and is proposing to sell to a third-party - an unprecedented compilation of highly sensitive and immutable personal data: a human being’s permanent and everlasting genetic identity.”

Such data can’t be replaced if stolen, the lawsuit adds.

It could even be used to identify and track people related to 23andMe customers, including those who haven’t been born, “impacting those who have no awareness of the sale as well as humans who do not even exist yet”, the suit argues.

In a statement, a spokesperson for 23andMe said that the arguments by the attorneys-general “are without merit” and that the sale is permitted.

“Customers will continue to have the same rights and protections in the hands of the winning bidder.”

Today NZT in Washington, 23andMe’s interim and former chief executives faced bipartisan scrutiny over how they protect customer privacy.

Joseph Selsavage, the interim chief executive, testified that 1.9 million customers have requested that their data be deleted from the platform since 23andMe filed for bankruptcy in March.

Brian Bianco, who chairs the intellectual property practice at Akerman LLP, said in an interview that genetic data could live on forever.

“From that perspective, the data is unique and it differentiates this case from any case that comes before it,” he said.

The state lawsuits come days before 23andMe is set to receive final offers from two bidders: TTAM Research Institute, a new non-profit started by the company’s co-founder Anne Wojcicki; and Regeneron Pharmaceuticals, a New York-based drugmaker that intends to keep offering 23andMe’s signature DNA testing service while using genetic data to power its own efforts to develop medicine.

The litigation is the latest twist in an epic corporate drama.

The company, which once boasted a stock market value of about US$6 billion ($10b), landed in bankruptcy after its efforts to expand into biotechnology and delivering healthcare services failed to put it on a sustainable footing.

Wojcicki made multiple failed bids to take 23andMe private.

Then, after reaching an agreement to be purchased by Regeneron for US$256 million, 23andMe received an offer from Wojcicki’s TTAM for $305m - and the bankruptcy judge took the rare step of reopening the auction last week to allow for final bids from the two rival suitors.

At today’s hearing in the US House of Representatives, lawmakers pressed Selsavage and Wojcicki on getting consent from customers to sell their data.

“I’m really just wondering why you think you can sell this data at an individual level to a third-party company,” said Representative Dave Min (Democrat, California).

“Why are you selling their genetic data when you don’t own it?”

“We believe customers have already consented,” Selsavage responded, apparently referring to 23andMe’s privacy policy that allows for personal information to be sold in transactions, including bankruptcy.

The states’ lawsuit challenges that position, pointing to a passage in 23andMe’s privacy policy assuring customers that their genetic data “will not be shared with employers, insurance companies or public databases without your explicit consent”.

As a result, the states argue, customers reasonably expected that their data wouldn’t be auctioned off to the highest bidder without explicitly providing consent.

Before June 2022, the states’ lawsuit claims, 23andMe’s privacy policy offered an even broader guarantee: that it “will not sell, lease or rent your individual-level information to a third party for research purposes without your explicit consent”.

The lawsuits are asking a judge to rule that customers inherently own their biological material - such as the saliva samples they provided for the genetic tests - and that 23andMe lacks sufficient rights to transfer that information without receiving their consent to do so.

That raises complicated legal and political questions, experts say, given laws on genetic data and privacy that vary from state to state. Some say resolving such conflicts may require legislation.

“Most people don’t read privacy policies,” said Uttara Ananthakrishnan, a professor of information systems at Carnegie Mellon University.

“This would be a really critical case where there could definitely be some regulation around how this data is being handled.”