1. Business
  2. Medical marvels
February 11, 2021updated 27 Oct 2021 10:19am

23andMe to go public, sparking fresh consumer DNA testing privacy fears

By Ellen Daniel

Genomics and biotechnology company 23andMe has announced that it is going public through a deal with Virgin.

Under the deal, 23andMe will merge with VG Acquisition Corp, a special purpose acquisition company sponsored by Virgin Group.

The agreement, which values the company at $3.5 billion, will mean that 23andMe can go public on the New York Stock Exchange without an initial public offering.

23andMe CEO and co-founder Anne Wojcicki and Virgin Group’s Sir Richard Branson will each invest $25m into the $250m private investment in the public equity offering. Other investors include Fidelity Management & Research Company, Altimeter Capital, Casdin Capital, and Foresite Capital.

Current shareholders of 23andMe will own 81% of the combined company, with the deal expected to close in the second quarter of 2021.

The deal is part of 23andMe’s shift in focus from ancestry to the health and wellness market.

“As a fellow industry disruptor as well as an early investor in 23andMe, we are thrilled to partner with Sir Richard Branson and VG Acquisition Corp. As we approach the next phase of our business, which will create new opportunities to revolutionise personalised healthcare and medicine,” said Anne Wojcicki, CEO, and co-founder of 23andMe.

“We have always believed that healthcare needs to be driven by the consumer, and we have a huge opportunity to help personalise the entire experience at scale, allowing individuals to be more proactive about their health and wellness. Through a genetics-based approach, we fundamentally believe we can transform the continuum of healthcare.”

Launched in 2006, 23andMe offers genetic testing services to consumers. By providing a saliva sample, customers can find out about their ancestry and predisposition to certain health conditions.

According to MIT Technology Review, as of 2019 over 26 million have used a commercial genetic testing service, with 23andMe having more than 12,000,000 customers.

While services are growing in popularity, they have long been the subject of privacy concerns, as well as fears that data breaches could have serious consequences. Some have highlighted that customers may be unaware of how their data is being used.

This debate was reignited in 2018 when notorious serial killer Joseph James DeAngelo, also known as the Golden State Killer, was identified as a suspect using DNA samples uploaded to GEDmatch, a DNA database that allows users to upload DNA data files which can be used to identify possible relatives.

23andMe has said that it “has never turned over any customer data to law enforcement or any other government agency”.

However, in its guide for law enforcement, it says that “in certain circumstances, however, 23andMe may be required by law to comply with a valid court order, subpoena, or search warrant for genetic or personal information”.

On its website, 23andMe states that it is “committed to complying with all applicable privacy and data protection laws and empowering our customers to make informed decisions about how their information is used and shared.”

It only shares individual-level information with third parties with explicit consent, and also shares aggregate information with third parties with consent. All information is de-identified.

Customers can choose for their data to be used for research purposes, a process that is overseen by a third party institutional review board to ensure all of research is conducted in accordance with all legal and ethical guidelines. According to the company over 80% of its customers have opted-in to participate in its research.

The company has been open about the sharing of anonymised data with third parties for research purposes, announcing in 2018 that it would share customers’ anonymised genetic data with pharmaceutical company GlaxoSmithKline as part of a deal.

“It was inevitable that someone like Richard Branson would be interested in 23andMe, this merger only goes to show that the data being amassed has massive commercial value,” said Ray Walsh, digital privacy expert at ProPrivacy.

“The problem with genetic material is that it can be used to track an individual at any time in their life, and it can be used to find genetic markers that reveal predispositions to disease – not only for the initial test subject – but potentially also their family members and offspring.

“Due to the sensitive nature of the data, any time that it is shared and transferred very serious data security concerns exist because if mistakes are made, and that data is breached or accidentally leaked, the repercussions for data subjects are extremely serious.”

A spokesperson from 23andMe told Verdict:

“VGAC and Virgin companies do not have access to any 23andMe customer data. As stated in our Privacy Statement, in the event that 23andMe goes through a business transition such as a merger or acquisition by another company customer information would remain subject to the promises made in any pre-existing privacy statement.

“Also noted in our privacy statement, whenever material changes to this privacy statement are made, we will provide you with notice before the modifications are effective, such as by posting a notice on our website or sending a message to the email address associated with your account.”

However, despite these assurances, the new partnership will likely spark renewed scepticism, with a vast database of DNA data invaluable to many third parties if they were permitted to access it.

“The question in all situations like this is where the data is going and why these different companies and investors have a financial interest in your genetic data,” Jennifer King, privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence told The Guardian.

Geneticist Dr Adam Rutherford, author of How to Argue with a Racist, tweeted: “Remember kids: 23&Me’s stated aim was always to monetise your genome by selling it on *after you paid to give it to them* in exchange for some geegaw. Their plan was always to curate and sell the biggest dataset in the known universe.”

Furthermore, the deal brings the issue of how data privacy laws relate to health data back into focus.

Partner and head of data protection and privacy at international law firm Taylor Wessing, Vinod Bange said:

“There aren’t many more examples of data that are so personal and so highly sensitive to the individual it relates to, and where the potential impact on the individual can be highly intrusive. This is why GDPR, and increasingly new data privacy laws around the world, has been intentionally upgraded to include genetic data within the scope of personal data definitions.”

“GDPR compliance baselines have been raised. With greater risks to privacy, comes more significant obligations to demonstrate your compliance, and ultimately accountability. The risk is the same, regardless of whether it’s related to a cyber risk, or the adverse risks from alternative use of genetic data.”

Read More: Genetic forensics: How the controversial technique helped convict the Golden State Killer.