ICO fines DNA testing company 23andMe £2.31 Million
The ICO has today fined 23andMe £2.31 million for failing to implement appropriate data security measures. Highly sensitive data of 155,592 people in the UK was compromised in the incident, which affected seven million people globally.
Speaking about the joint investigation, which started in 2023 with Canada’s Federal Privacy Commission, Information Commissioner John Edwards said that by pooling resources, they manage to hold global companies to account. Data protection does not stop at borders, and this case shows the ongoing importance of cyber security, he said.
“23andMe failed to take basic steps to secure people’s personal information which left individuals extremely anxious about their personal and financial safety. This case should be a lesson for other companies,” Edwards said.
The ICO is still monitoring the situation regarding 23andMe – any potential buyer of the company must also comply with the UK GDPR, Edwards said.
His counterpart, Canada’s Privacy Commissioner, Philippe Dufresne, said that Canada’s law does not currently enable him to issue fines. “I have been advocating a change to the law since my appointment and hope that the new Parliament will turn its attention to this issue,” he said.
The ICO’s provisional fine on the company was set at £4.59 million. The ICO said at the time that it would consider any representations from 23andMe before taking the final decision.