Statement on 23andMe investigation

  • Date: 24 March 2025
  • Type: Statement

Stephen Bonner, ICO Deputy Commissioner - Regulatory Supervision, said:

"Genetic information is among the most sensitive personal data that a person can entrust to a company and organisations handling such data are required to uphold a very high standard of security and governance in accordance with the UK GDPR.

"The ICO and the Office of the Privacy Commissioner of Canada have been jointly investigating the data breach that 23andMe first reported to us in October 2023. Earlier this month, we issued 23andMe with our provisional findings, a notice of intent to fine £4.59m and a preliminary enforcement notice. We would stress these findings are provisional and, as with all preliminary findings, are subject to representations from 23andMe including in relation to affordability considerations. The ICO will carefully consider any representations made before taking a final decision.

"We are aware that 23andMe has filed for Chapter 11 bankruptcy in the US to facilitate a sale process. We are monitoring the situation closely and are in contact with the company. As a matter of UK law, the protections and restrictions of the UK GDPR continue to apply and 23andMe remains under an obligation to protect the personal information of its customers."