23andMe

Data protection digest 18 Mar – 2 Apr 2025: 23andMe bankruptcy case, digital spring cleaning

23andMe genetic data

The genetic testing company 23andMe filed for bankruptcy in the US after struggling with weak demand for its ancestry testing kits and a 2023 data breach that damaged its reputation, Reuters reports. US officials had questioned what would happen to the genetic data collected by 23andMe; the company’s privacy policies state that the data could be sold to other companies. 23andMe reassured customers that the bankruptcy process will not affect how it stores, manages, or protects customer data.

Given the uncertainty about the company’s future, the amount of data it holds, and the risks inherent in the use of these tests, the French CNIL presents the procedure to follow, in your profile settings, to have your data permanently deleted. Note also that the purchase of a genetic test on the Internet by a person residing in France is punishable by a fine of 3,750 euros. Similarly, carrying out a genetic test outside the medical and scientific fields is prohibited, and the people or companies offering such tests face a fine of 15,000 euros and one year in prison.

Digital spring cleaning in Germany

Digital documents and paper files containing personal data may only be retained for as long as necessary, reminds the Hamburg data protection authority. It recommends taking stock at least once a year of what is still stored and whether the data or files will be needed any longer. Professional data processors handle this automatically. Where no automated routines are in place, deletion must be done manually.

In addition, German companies and authorities should check whether their deletion routines already take into account the new statutory retention periods that apply from 2025. Specifically, the Fourth Act to Reduce Bureaucracy has lowered some retention periods, which means that the affected data must also be removed sooner. Among other things, changes have been made to the German Commercial Code and the German Fiscal Code. Accounting paperwork, the most significant case group in practice, must now be kept for eight years rather than the previous ten before being destroyed. You can find more business document retention periods here.

BCRs approval

The procedure for approving Binding Corporate Rules (BCRs) for controllers and processors, covering intragroup transfers of EU personal data to non-EU countries, is laid out in Art. 47, 63, 64 and 65 of the GDPR. BCRs are approved by the competent supervisory authority in the relevant jurisdiction through the consistency mechanism, under which the EDPB issues a non-binding opinion on the competent regulator’s draft decision. As the corporate groups applying for BCR approval may have entities in more than one Member State, the procedure involves all the concerned supervisory authorities in the countries from which the data transfers are to take place. To that end, the EDPB has just revised its approval process to shorten the time it takes for a BCR to be approved.

Privacy policy shortcomings

The Latvian data protection inspectorate DVI conducted a preventive inspection of the privacy policies published on the websites of thirty Latvian-registered merchants whose main activity is related to retail sales by mail order or in online stores. The content of the privacy policies was checked for compliance with the requirements of Art. 13 and 14 of the GDPR. At least some shortcomings were found in each inspected document.

The regulator assumes that preparing such a document is initially difficult because there is insufficient understanding of its necessity and content. At the same time, it reminds controllers that their responsibility for customers’ data is demonstrated not by a written statement that they process data appropriately but by clear implementation of the rules. Other shortcomings in the published policies concerned information that was missing or incorrectly provided, particularly the contact details of the supervisory authority, the rights of the data subject, and information about processors and partners to whom the customer’s data has been transferred; most often, however, the purposes and lawful grounds for data processing were incorrectly specified.

Data breach form

The Corporate Data Protection Association (Switzerland) has published a data breach report template. Data security breaches can trigger various reporting obligations under the Swiss Data Protection Act, the EU’s GDPR, the new Swiss Information Security Act, and the EU NIS2 Directive. The template is intended to support the practical implementation of these regulatory requirements and can be used freely by companies. It is initially available in German; an English version is currently being developed.

More from supervisory authorities

Online store security: The Lithuanian regulator VDAI meanwhile monitored the security measures for personal data processed by online stores and provided some recommendations:

  • ensure control over the management of access rights;
  • develop and implement effective data deletion;
  • use strong encryption, both during transmission and in storage;
  • improve change management processes (e.g. the implementation of new systems);
  • regularly review and update your policies, drawing on both the latest legal requirements and best practices.

Connected cars: Modern cars act as “chatterboxes on wheels”, collecting information on everything from your daily routines to biometric data. How does this affect the protection of your data? The Danish Datatilsynet advises you to check the privacy settings of your car carefully and to be cautious about sharing personal information, pointing to the following risks:

  • Unclear consent (many drivers are forced to accept terms of use that require the sharing of personal data in order to use the car’s features).
  • Data abuse (data about your driving and location may end up with third-party companies, or there is a risk that hackers will gain access).
  • Targeted marketing (car manufacturers can share your data with companies without your full knowledge).
  • Negative impact (worse insurance terms, warranty termination, shutdown of services).

Multi-factor authentication (MFA): The French CNIL has published recommendations (in French) to support users and providers of multi-factor authentication solutions. In particular, it explains:

  • the conditions under which the use of MFA is appropriate for security needs;
  • compliance with the principles of the GDPR, including the legal basis, data minimisation, retention periods and the exercise of rights by data subjects;
  • the determination of the qualification of the actors involved;
  • the choice of modalities (authentication factors: knowledge, possession, inherence) and their GDPR compliance, among other points.

Honda privacy fine

The California Privacy Protection Agency (CPPA) has issued a decision that requires American Honda Motor Co. to change its business practices and pay a fine of 632,500 dollars to resolve claims that the company violated the CCPA. The investigation arose from the Enforcement Division’s ongoing review of the data privacy practices of connected vehicle manufacturers and related technologies. Honda violated Californians’ privacy rights by:

  • requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit;
  • using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
  • making it difficult for Californians to authorise other individuals or organisations to exercise their privacy rights; and
  • sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

Human research samples

Finland’s Data Protection Commissioner has requested information from the University of Helsinki on how it has implemented the transfer of data related to human research samples to a Chinese company. The regulator is investigating whether the university protected personal data in the manner required by data protection legislation when the data was transferred to China. According to the University of Helsinki, it has purchased genetic analysis services from the Chinese genetic technology company BGI Group.

No adequacy decision has been made for China, and the European Commission has not yet examined the level of data protection in China (a point also raised in connection with the Irish investigation into TikTok). At the moment, personal data can be transferred freely within the European Economic Area. Data can also be transferred directly to a country for which the Commission has made a so-called adequacy decision; these include the US, the UK, Japan and South Korea.

More enforcement decisions

Apple ATT sanction: The French Competition Authority fined Apple for abusing its dominant position through its implementation of the App Tracking Transparency (ATT) system. In its competitive analysis, the authority took into account the opinions issued by the data protection regulator CNIL. Since 2021, app publishers who want to track their users for advertising purposes across multiple apps or sites have been required to obtain explicit permission from the user through a partially standardised prompt designed by Apple.

The competition authority received complaints against Apple from several online advertising trade associations. The implementation of the ATT system appeared to be neither necessary nor proportionate to Apple’s stated objective of protecting personal data, given the constraints it places on publishers and users. The CNIL had previously considered that the ATT system could be adapted to allow actors to obtain valid consent within the meaning of the GDPR and, in particular, to avoid double solicitations.

Software provider fine: The UK’s ICO has fined Advanced Computer Software Group Ltd (Advanced) 3.07 million pounds for security failings that put the personal information of 79,404 people at risk. Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on behalf of these organisations. The fine relates to a ransomware incident in August 2022. Hackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication. The cyber attack was widely reported at the time, with reports of disruption to critical services and access to patient records.

Scientific research and data reuse

The EDPB has published a final study on the secondary use of personal data in the context of scientific research, which highlights the lack of a uniform approach among Member States. The legislation analysed was not limited to the GDPR but included international agreements or documents containing data protection rules (such as Council of Europe Convention 108+), ethical standards (such as the World Medical Association’s (WMA) Declaration of Helsinki (DH)), and EU sectoral legal frameworks (e.g. on clinical trials and biobanks).

AI cameras in shops

According to the CNIL, some tobacconists in France have deployed AI-based cameras to estimate the age of customers and prevent the sale of prohibited products to minors. In practice, these cameras scan the person’s face at the time of purchase to assess whether they are a minor or an adult and inform the merchant by means of a warning light (e.g. green or red). The use of these devices pursues a dual objective of public interest: protecting young people and preserving public health. However, the fact that this verification is carried out through algorithmic processing of automated image analysis is not trivial and may entail risks for the protection of personal data and the privacy of individuals.

In case you missed it

US technology risks: The Netherlands’ House of Representatives approved a resolution on risk assessments and exit strategy for US tech corporations’ cloud services on March 18. According to the motion, all government cloud services that are now purchased from American suppliers must go through a risk assessment and, if required, have a written exit strategy that enables them to switch to Dutch or European providers. By the end of 2025, this procedure is expected to be finished.

Outdated IT systems and AI: According to the Guardian newspaper, the UK government’s goal of increasing efficiency by integrating AI into every aspect of its operations risks being hampered by outdated technology, low-quality data, and a shortage of qualified personnel. The cross-party public accounts committee report revealed that over 20 government IT systems were classified as “legacy”, meaning outdated and unsupported. A January official strategy for the technology, however, called for the government to “rapidly pilot” AI-powered services, claiming that doing so would boost productivity.
