Selling 23andMe assets raises concerns for Canadians' data: Ontario privacy commissioner

This March 25, 2025 photo shows a 23andMe saliva collection kit in Oakland, Calif. (AP Photo/Barbara Ortutay)

Ontario’s privacy commissioner says Canadians who use genetic testing companies should be aware that highly sensitive personal data is increasingly accessed by law enforcement agencies to solve crimes.

She says the bankruptcy protection filing by a major U.S. genealogy platform highlights the risk that the data privacy safeguards users initially sign on to may change.

San Francisco-based 23andMe filed for Chapter 11 bankruptcy protection Sunday as it looks to sell “substantially all of its assets” through a court-approved reorganization plan.

The 23andMe website states its privacy policy will still apply if user data is transferred to a new owner. That includes providing information to law enforcement only if the company is required to comply with a valid court order, subpoena, or search warrant.

But Kosseim says when company ownership changes hands, the terms of engagement could as well.

That could include a buyer that wants to work with law enforcement and grant them access to genetic databases to help solve cold cases.

The method was notably used in 2020 to identify the real murderer of a nine-year-old, who was abducted from Queensville, Ont., and killed 30 years earlier. In doing so, it also exonerated a man who had been wrongfully imprisoned for years.

In investigative genealogy, law enforcement uses the database of DNA samples that companies like 23andMe have access to in order to come up with suspect leads. In another prominent Canadian example, in April 2024, police identified the murderer of Erin Gilmour and Susan Tice, who were both killed in their Toronto homes in 1983.

But Kosseim says we can't always control how law enforcement uses that information, and it's important to realize it's not only your information, but your family's as well.

"You certainly may not have committed the crime, but you may be biologically related to someone who was implicated," Kosseim says.

At times, that's resulted in people being approached about family members they never knew they had, "sometimes revealing information that is not known, family relationships that could be quite damaging if revealed."

"So it could be quite upending from a personal perspective, and life changing," Kosseim says.

Kosseim says private companies can resist law enforcement requests to fork over such data, but they can also comply.

With 23andMe, its website states that they are "prepared to exhaust available legal remedies" to protect customer privacy.

"But who knows what the new purchaser will, what stance they'll take," Kosseim says.

The Privacy Commissioner of Canada’s office said in an email Tuesday that it is closely monitoring the 23andMe situation and is in contact with the company.

However, they could not provide more details since Canadian and U.K. officials are investigating a 23andMe data breach in October 2023 that exposed millions of users' data.

They said the preliminary findings of the investigation were shared with 23andMe in early March, so they have an opportunity to provide comments before the final report is released.

When it comes to the personal information in the care of 23andMe, the federal privacy commissioner's senior communications adviser Vito Pilieci said Canada’s federal private-sector privacy law applies, regardless of the company's ownership.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), individuals have a right to withdraw consent to the use of their personal information, subject to legal or contractual restrictions and reasonable notice.

In certain circumstances this may require the company to delete the information.

Pilieci said if Canadians do want to have their data deleted, they should contact 23andMe directly.

Yann Joly, director of the Centre of Genomics and Policy at McGill University, says if his DNA was in the database he’d withdraw it as soon as possible, noting it can take time between the request and actual deletion.

He said what happens with the data will ultimately depend on who may buy 23andMe and their intentions.

But Joly says, why risk it?

“What am I gaining by staying in? Nothing.”

This report by The Canadian Press was first published March 26, 2025.

Canadian Press health coverage receives support through a partnership with the Canadian Medical Association. CP is solely responsible for this content.

Hannah Alberga, The Canadian Press
