this post was submitted on 24 Mar 2025
290 points (99.7% liked)
Privacy
36079 readers
544 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Hmm.
A merger or liquidation is not a valid purpose to store personal, and especially Art. 9, data, as covered by the legal basis of legal obligations, according to GDPR. So, if you are in Europe, they would have to delete it.
Uh... nope. Sorry. They specifically touch on it:
"Commonly owned entities, affiliates and change of ownership: If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity. We may also disclose Personal Information about you to our corporate affiliates to help operate our services and our affiliates’ services."
If you request to delete your data as per the GDPR, they will delete some data, but as per their legalese they will not delete all and what is not deleted falls under their Privacy Statement, where you find the above, quoted text. Worth noting that in above the use of may in practice means "will".
On top of that, once the data is out of the the EU, which they make a point to state numerous times, they rely on the DPF which focuses on how data is used or transfered to outside the EU. So, if a company is already signed to the DPF, then they can totally keep some of your data as well. Or if they transfer it using it the same framework. So the DPF does not help either. The GDPR focuses on common identifying information, off the cuff it does not seem to address the notion of how DNA can literally be used for exactly that, so, legally, as it stands the DNA data is out of scope of the GDPR. Or, at least that is what they seem to be claiming, indirectly.
So yeah, you can delete some data, but with a bunch of asterisks followed by that statement. So, sadly, your argument is not fully correct. They will delete some identifying information. But they seemto keep the most important of the data.
What I meant is that "this Privacy Statement will apply to your Personal Information as transferred to the new entity", so by itself the sale of assets is not a reason to exclude any data from anything stated there.
I am deleting my account as soon as I get transferred all the data, but what happens when I request the deletion is still valid whether or not they sold the assets.
And genetic data of any kind is absolutely covered by GDPR: https://gdpr-info.eu/recitals/no-34/
Thanks for the link. We may be slightly speaking past each other. On one hand, the link you sent is of course, correct. I had read that before and is not that I did not believe that the GDPR would include it, more so on not fully trusting 23andMe to comply.
What you may be overlooking is that in the real world, possible buyers will have access to data as part of any Due Diligence terms, whether they purchase or not. In a perfect world it should not change things but in practice it can, or does. Apparently, that bit I quoted earlier was a very recent update to their T&Cs, as they are protecting themselves for any future lawsuits. Also, I just do not trust 23andMe to have your best interest at heart and to fully comply with privacy issues at the current time, either due to willful BS or mistake. It might just not be a priority. The whole thing could collapse tomorrow, but they are still full on taking people's money. Any promise of compliance are just words at this point. I have known enough large companies collapse to see this as no different. GDPR or not. On a privacy concern, is not as if they asked everyone who is blood related for any consent, either.
This was releseased not to long ago, so the USA Feds are not really confident, either:
oag.ca.gov/news/press-releases/attorney-general-bonta-urgently-issues-consumer-alert-23andme-customers
ag.ny.gov/press-release/2025/attorney-general-james-urges-23andme-customers-contact-company-delete
But on paper, I agree that Europeans seem to have sturdier protections. Albeit Americans may have more legal options. Cheers and hope they fully delete your data without any BS.
I take the (you may call it Stoic) decision not to think about what I cannot affect. 23andMe is not a good company, it is tied to Google etc. and they are sloppy with security. I am not even trying to justify myself not taking my data away from there earlier, that is my fault, and I have been stupid and lazy.
That said, their Privacy Statement is quite clear about what should happen and none of the exception listed there apply, also because genetic data is anyway Art. 9 data.
I will act at the best of my possibilities and not concern myself more than needed with how bad of an actor anyone may be in the US (it is a bit overwhelming as an exercise, especially nowadays).