23andMe leadership grilled by lawmakers demanding answers about data security amid bankruptcy sale

Lawmakers across party lines on Tuesday grilled 23andMe executives throughout a hearing probing the privacy implications of the company’s sale as well as what many lawmakers portrayed as the existing vulnerability of the sensitive genetic data the company holds. 

Since the company’s March bankruptcy filing, 1.9 million of the company’s 15 million customers have chosen to delete their data, interim CEO Joe Selsavage said at the hearing. 

But that information did little to assuage lawmakers’ concerns.

“It is imperative that 23andMe … ensure there is absolutely no legal or illegal way for foreign adversaries or anyone else to access or manipulate and abuse Americans’ genetic data to advance their nefarious agendas,” committee chairman James Comer (R-TN) said in opening remarks. 

Comer cited a 2019 Department of Defense warning telling service members to avoid giving their DNA to 23andMe and similar firms for national security reasons.

National security was far from the only focus at the Committee on Oversight and Government Reform hearing, however.

The pending sale as well as 23andMe’s data practices — the firm has sold at least one pharmaceutical company access to the genetic information it holds — underscore the urgency of passing federal data privacy legislation, one member said. 

Two lawmakers criticized the company for failing to allow customers to opt in to having their genetic data sold before company ownership transfers. Another said the firm has made it too cumbersome for consumers to delete the data that is 23andMe’s biggest asset in the sale.

Selsavage and former CEO Anne Wojcicki wouldn’t commit to creating a customer opt-in mechanism allowing consumers to approve the sale of their data prior to it being transferred to a new owner despite being asked to do so by multiple committee members several times.

Many members also worried about broader data privacy threats, with Comer saying a breach of 23andMe data could, for example, lead to targeted advertising taking advantage of individuals with mental health conditions, fuel higher insurance premiums or cause restrictions on credit extensions.

Wojcicki told the committee 23andMe has saved lives and contributed to vital scientific research.

“Over a million customers learned they carried a genetic variant associated with blood clotting risk, allowing them to seek care to prevent potentially fatal clots,” she testified. “Customers also gained information about sickle cell disease, chronic kidney disease, type two diabetes and coronary artery disease.”

“Hearing from customers about how their genetic information changed their lives is what drives me every single day.”

Vetting buyers

23andMe has repeatedly stated that the company will not be sold to any entity which does not commit to adhering to its existing privacy policy. Wojcicki told lawmakers Tuesday that she hopes the TTAM Research Institute — a nonprofit medical research organization she recently formed — wins the auction.

TTAM reportedly made a last-minute $305 million bid to acquire the beleaguered direct-to-consumer genomics firm after the auction was reopened last week. The unusual move upended a $256 million cash deal with Regeneron Pharmaceuticals that was announced May 19. 

Pressed on what ethical obligation she has to protect customers' data from the Chinese government and other data privacy and national security threats, Wojcicki said she is  “very concerned about where [the data] is going and that is specifically why I have put in a bid as a nonprofit entity to acquire it.” 

“I’m trying very hard,” she said.

Whether the firm’s data will be exploited by a buyer has been a top concern for lawmakers and the Federal Trade Commission.

23andMe’s privacy statement tells users that any new owner must adhere to its existing data protection guidelines, which include not providing user data to insurers, employers, public databases or law enforcement without a court order, search warrant or subpoena.

The firm has never turned any customers’ genetic data over to law enforcement, Selsavage told lawmakers.

While 23andMe has a relatively strong data protection policy, it is far from certain that a new buyer will honor its standards, expert witness Margaret Hu, a professor at William & Mary Law School, said.

“It's a time of chaos when you're in financial duress and when you are now transferring, potentially, the company to others,” Hu said. “Even if there are promises upfront that you carry over those prior commitments, it's really uncertain, and I think that that's why people are panicking.”

Surveillance state

Rep. Rashida Tlaib (D-MI) said the 23andMe sale is emblematic of a larger, and growing, problem — a new data-driven surveillance state.

Citing how genetic ancestry firms can give data to law enforcement, how grocery stores are using customer data to charge some more than others and how the National Security Agency can intercept Americans’ communications and share it with law enforcement, Tlaib said citizens are tired of being surveilled. 

“I don't know any American — Democrat, Libertarian, independent, whatever the label … wants to live like that,” Tlaib said. “No one does.”

Another lawmaker chastised Wojcicki and Selsavage for contributing to that problem, saying 23andMe has made it too hard for consumers to delete their data, ensuring that most of the genetic data it holds can be sold.

“If there simply was a ‘delete my data’ page or button somewhere more prominent then I think it would be easier for a lot of people to feel that control,” Rep. Suhas Subramanyam (D-VA) said. 

Subramanyam shared that years ago he submitted a DNA swab to 23andMe after receiving a kit for free. 

“I was lucky enough to get a free kit, and at the time I said, ‘What's there to lose?’” 

“But I guess now, as my dad says, everything has a price.”