If 23andMe goes bankrupt, they will sell all of the biometric data they’ve collected over decades to the highest bidder. Why can’t the US government step in to purchase the company and establish a public trust?

  • EleventhHour@lemmy.world
    2 months ago

    Because those people never agreed to it being used by anyone else. And it’s in the public interest to protect everyone from their highly-sensitive biometric data being misused.

    • NotNotMike@programming.dev
      2 months ago

      Unfortunately, everyone who used their service did agree to it. Directly from their Privacy Policy:

      Commonly owned entities, affiliates and change of ownership

      If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity. We may also disclose Personal Information about you to our corporate affiliates to help operate our services and our affiliates’ services.

      https://www.23andme.com/legal/privacy/#data-sharing

      Whether this will hold up in court is a bit murky. But without a large, laborious court battle, they can and will sell the data and they are “legally” allowed to.

      • trailee@sh.itjust.works
        2 months ago

        Also interesting is the language they used in the email they sent me after I requested account/data deletion:

        We received your request to permanently delete your 23andMe account and Personal Information. The following apply when you submit your deletion request:

        • If you chose to consent to 23andMe Research by agreeing to an applicable 23andMe Research consent document, any Research involving your Genetic Information or Self-Reported Information that has already been performed or published prior to our receipt of your request will not be reversed, undone, or withdrawn.
        • Any samples for which you gave consent to be stored (biobanked) will be discarded.
        • 23andMe and the contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with legal obligations, pursuant to the federal Clinical Laboratory Improvement Amendments of 1988 and California laboratory regulations.
        • 23andMe will retain limited information related to your deletion request, such as your email address and Account Deletion Request Identifier, as necessary to fulfill your request, for the establishment, exercise or defense of legal claims, and as otherwise permitted or required by applicable law.

        The first bullet point makes sense - you agreed and they already published something, so too bad. The second bullet is doing the right thing. But those third and fourth bullets sound like they don’t really have to delete anything, and they’ll keep a bunch of data even if you ask them to trash it. I asked them to trash it anyway.

      • EleventhHour@lemmy.world
        2 months ago

        Thanks for posting this.

        While my first point may have been flawed, my second still stands.

        • NotNotMike@programming.dev
          2 months ago

          I definitely agree with your second point. And I find it ridiculous that a company can ever claim to “own” your genetic information. It’s why I’ve never dared sign up for any kind of genetic ancestry sites. I can’t give that personal of information away for free, let alone pay for it to be taken

      • xmunk@sh.itjust.works
        2 months ago

        People were presented with that in the contract but I think it’s fair to argue they didn’t comprehend that their genetic data could be used punitively to deny them preferential health insurance, a job or a loan… once this data is in the hands of slimy people it’ll be used like everything else that’s illegal to use for those purposes but “public knowledge” so the fucks use it anyways.

        This data is dangerous to public well being forever in extremely scary ways as it could be leveraged on future generations that did not consent to this contract as well with statistics.

        I think you’re correct about people being more careful with what they sign but I think you’re underestimating how much in the public interest this is.

    • L0rdMathias@sh.itjust.works
      2 months ago

      Having ownership of something also implicitly gives you the right to sell that thing. Unless 23andMe explicitly stated in the contract that they were obligated to never share that information. I highly doubt they had anything like that in the contract because, well, here we are.

      Also, 23andMe afaik is not a medical association, so they likely aren’t bound by things like HIPAA (idk if specific genetic encodings would be included in that anyways) to protect information.

      • EleventhHour@lemmy.world
        2 months ago

        That’s speculation, not fact, and I also don’t agree that owning a thing necessarily means you can sell it in an unrestricted/unregulated manner (guns, tobacco, as well as other sensitive medical info can’t just be sold willy-nilly)— especially when the “it” is sensitive biometric data whose originators never agreed to share it. That’s the problem when you and the greedy corporations you’re defending assume implicit consent rather than to ask for it: it’s damaging to the public and invades these people’s medical privacy in the name of profit.

        And whether 23andMe should be subject to HIPAA laws is debatable at best.