The privacy authorities for Canada and the United Kingdom have launched a joint investigation into the data breach that was discovered in October 2023 at genetic testing company 23andMe.
Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards will investigate the 23andMe breach jointly.
The joint investigation will collaborate on protecting the fundamental right to privacy of individuals across jurisdictions and will examine:
- the scope of information that was exposed by the breach and potential harms to affected individuals;
- whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
- whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws.
Canada’s Office of the Privacy Commission will continue to work closely with its counterparts in Quebec, British Columbia, and Alberta as the investigation proceeds.
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” said Commissioner Dufresne. “Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”