23andMe and the Role of Privacy in Bankruptcy Law

There is nothing more inherently unique and personal to an individual than his or her DNA. Unlike many other types of personal information, a person’s DNA is immutable. It can be the key to unlocking extremely sensitive information, such as predisposition to certain health conditions. Unfortunately, as with all other types of personal information, it can be acquired without authorization — breached.

So, what can be done when a breach affects a person’s DNA or genetic information? Unfortunately, over seven million Americans were confronted with that very scenario in 2023 when genomics and biotechnology company 23andMe Holding Co. fell victim to a cyber-attack.[1] That breach and the resulting litigation were key drivers in the decision of 23andMe Holding Co. and certain of its affiliates to file bankruptcy under chapter 11 in the Eastern District of Missouri on March 23, where it seeks to sell all or substantially all of its assets.

Bankruptcy Law and Privacy Law: Compatible or Conflicting?

The aims of privacy laws are to regulate how personal data are used and disclosed, provide certain rights to individuals, and secure personal data. The overarching goal of bankruptcy, on the other hand, is to maximize the value of a debtor’s estate for the benefit of its creditors. 23andMe’s bankruptcy highlights how a bankruptcy proceeding squares these two aims.

The Bankruptcy Code attempts to address this tension in the form of a consumer privacy ombudsman (CPRO). Under the Code, a CPRO is required if “the debtor … discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.” 11 U.S.C. § 363(b)(1). A CPRO “provide[s] to the court information to assist the court in its consideration of the facts, circumstances, and conditions of the proposed sale or lease of personally identifiable information under section 363(b)(1)(B).” 11 U.S.C. § 332(b).

Such information may include presentation of:

  1. The debtor’s privacy policy.

  2. The potential losses or gains of privacy to consumers if such sale or such lease is approved by the court.

  3. The potential costs or benefits to consumers if such sale or such lease is approved by the court.

  4. The potential alternatives that would mitigate potential privacy losses or potential costs to consumers.

Id.

23andMe is not the first company to file bankruptcy and seek to sell the sensitive personal data it maintains and will certainly not be the last. However, 23andMe is unique in the type of data it maintains. According to 23andMe, its personal genome services and the direct-to-consumer genetic testing through saliva collection accounted for approximately 76% of its total revenue in the last fiscal year. Thus, arguably its largest asset to be sold is the genetic data of over 15 million Americans. Therefore, by protecting the personal data and limiting how it can be sold for the sake of privacy, 23andMe’s largest asset is potentially devalued.

23andMe’s Intent to Sell Genetic Data

In its bankruptcy filing, 23andMe stated it intends to conduct an all-asset sale, but asserted that a CPRO is neither necessary nor required. At the first day hearing, 23andMe noted that protecting customers’ sensitive data would be of primary importance in conducting the sale, and in its motion to approve its bid procedures,[2] 23andMe asserted it would maintain its existing privacy policy, which states that, “[i]f we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.” Additionally, the bidding procedures themselves require qualified bidders to agree to comply with, and take the customer data subject to, 23andMe’s privacy policies and terms of service. Specifically, it provides that:

The Qualified Bidder must comply in all respects with the Debtors’ consumer privacy practices, which do not restrict the transfer of personally identifiable information of the Debtors’ customers in connection with a bankruptcy, merger, acquisition, reorganization, or sale of assets, and each Bid must contain a statement acknowledging such compliance.[3]

In a letter to the Office of the US Trustee, Federal Trade Commission (FTC) Chairman Andrew Ferguson stated that, “consistent with Section 363(b)(1) of the Bankruptcy Code, these types of promises to consumers must be kept.” Chairman Ferguson went on to state that:

This means that any bankruptcy-related sale or transfer involving 23andMe users’ personal information and biological samples will be subject to the representations the Company has made to users about both privacy and data security, and which users relied upon in providing their sensitive data to the Company. Moreover, as promised by 23andMe, any purchaser should expressly agree to be bound by and adhere to the terms of 23andMe’s privacy policies and applicable law, including as to any changes it subsequently makes to those policies.

Nevertheless, according to filings, customers flocked to the 23andMe website (encouraged by several state Attorneys General) in an effort to demand their data be deleted. But, perhaps because of high traffic, many had difficulty accessing their account or deleting their data. Moreover, in the absence of a federal privacy law, 30 states do not provide their residents with the right to deletion of their data. Thus, the question remains how to protect the genetic data while maximizing its value for the sale.

23andMe’s Proposed Protections of the Data

23andMe and other parties in interest attempted to address the issue and ensure the privacy of the consumers’ personal data remains at the forefront of the sales process. The company reiterated its position that a CPRO is not statutorily required for this sale because its privacy policy expressly permits the sale or transfer of customer data in certain transactions, including in the event of a bankruptcy filing or asset sale, although, as previously stated, it requires that the acquiring company abide by the terms of the 23andMe privacy policy with respect to its customers’ private data. Yet, likely in response to public concern and to reassure stakeholders, 23andMe first filed a motion to appoint an independent customer data representative.[4] While conceptually similar to a CPRO, the proposed independent customer data representative would be selected by 23andMe, its scope of work defined by agreement, and its actions not subject to the statutory provisions of the Code. The US Trustee and more than 25 states[5] and the District of Columbia disagreed with the Debtors’ proposed protections and asserted that a customer data representative was not sufficient. They filed motions (or joinders to motions) seeking further protections by appointing a CPRO.

Objections

The US Trustee argued that not only is an independent customer data representative an inadequate substitute for a CPRO or examiner, but the Code mandates the appointment of a CPRO.[6] The US Trustee also raised the issue that it was only in June 2022 that 23andMe revised its privacy policy to include language permitting the sale of genetic data in bankruptcy, and thus that clause is likely unenforceable as to customers who submitted their genetic data prior to that amendment.

In a joint motion brought by over a dozen states,[7] the states asserted that, contrary to 23andMe’s contention, its privacy policy violates aspects of their states’ privacy laws, particularly as it relates to the disclosure, transfer or sale of genetic materials and genetic data. For example, they stated that a number of states require their residents to provide consent before their genetic data can be disclosed, transferred, or sold to a third party, and that some states, such as Utah and Washington, take it a step further and require the customers’ express consent to such disclosure, transfer, or sale of their genetic data to be separate and distinct from other consents. They further noted that Florida law goes so far as to criminalize the sale or transfer of a person’s genetic data without his or her express consent.

The states therefore contended that 23andMe’s assertion of its right to sell customers’ data is void, and that a CPRO must be appointed. When a CPRO has been appointed, a bankruptcy court can only grant a sale if there is no showing that the sale would violate applicable non-bankruptcy law, such as state privacy laws. 11 U.S.C. § 363(b). According to the states, this protection is necessary for 23andMe to conduct a sale of its assets, including personal genetic data. The motion also argues that there are ambiguities in the policies regarding who owns the data and thus whether 23andMe has the authority to sell the data derived from the personally identifiable information in the first place.

The states’ motion asserted that an additional step is required to protect the sensitive data — appointment of a security examiner. While the CPRO would review and report on privacy policies and practices, compliance with applicable law, and the terms of a potential sale, the examiner would report on reasonable data security measures proportional to the risk and enable 23andMe to meet its commitment to protecting the secure data.

In its own motion, Missouri echoed the points addressed in the states’ motion as to the CPRO and ambiguities concerning ownership of the data.[8] It stated the policies violate Missouri law, which requires written authorization from a person before his or her genetic data may be disclosed. Further, Missouri reiterated a point raised by the US Trustee and contended that the current policy that 23andMe is relying upon to permit its sale of data may not apply to all customers, and a CPRO should be appointed to review all prior versions of the 23andMe privacy policy and their respective applications.

Texas filed a separate motion to appoint a CPRO wherein it identified various Texas state laws that are implicated by a potential sale of the genetic data that 23andMe maintains.[9] Its motion also pointed to the prior versions of the privacy policy. Texas argued that multiple prior versions did not include any reference to bankruptcy and that some contained language requiring customers’ explicit consent for the sale of their data. Additionally, Texas raised concern about the language of 23andMe’s bidding procedures; specifically, the requirement that a qualified bidder comply with 23andMe’s “privacy practices” rather than its privacy policies. Texas argued this distinction is significant, as policy “refers to formal representations to consumers that often form the basis of expectations, obligations, and regulatory compliance” compared to practices, which Texas described as “operational non-binding behaviors that may not be disclosed [or] even documented.”

In short, all the motions filed assert in one way or another that a neutral CPRO must be appointed before 23andMe can move forward to sell its assets, including customers’ genetic data.

Stipulation

Before the Bankruptcy Court had an opportunity to hear and rule on the various motions, 23andMe and the multiple objecting parties stipulated and agreed to the appointment of a CPRO.[10] Under the stipulation, the US Trustee will appoint a disinterested CPRO and once appointed, that CPRO may retain professionals to assist in meeting its obligations and protocols. The CPRO will conduct an examination and prepare a report for the Bankruptcy Court pursuant to the Bankruptcy Code to assist the court in considering the facts, circumstances, and conditions of any proposed sale or lease of personally identifiable information. Among the considerations the CPRO will report on are:

  1. Whether such sale or lease is consistent with the debtors’ privacy policies in effect or applicable to any persons or customers as of the petition date.
  2. Whether such sale or lease would not violate applicable non-bankruptcy law.
  3. The potential losses or gains of privacy to consumers if such sale or lease is approved by the court.
  4. The potential costs or benefits to consumers if such sale or lease is approved by the court.
  5. The cybersecurity program and security controls utilized by any potential purchaser.
  6. Any alternatives or changes required or warranted under federal or state laws or regulations that would mitigate potential privacy losses or potential costs to consumers.
  7. The debtors’ existing cybersecurity program and security controls for the purposes of evaluating any of the items set forth in clauses one through six.

The CPRO may retain professionals to assist in meeting its obligations and protocols, who would be paid through the Debtor-in-Possession (DIP) budget. The DIP budget would provide $300,000 for the CPRO’s professionals.

While the stipulation addresses the issue regarding a CPRO, it does not resolve the states’ request for a security examiner. The Bankruptcy Court is holding that request in abatement for now while the parties continue to negotiate.

On May 6, pursuant to the stipulation, the US Trustee filed a notice that Neil M. Richards, a distinguished privacy law scholar and professor at Washington University School of Law in St. Louis, Missouri, was appointed as the CPRO.

Where Do We Go From Here?

The privacy implications and nuances here are outside the realm of what a bankruptcy court could reasonably be expected to resolve and understand without the input from a CPRO. Under the Code, the CPRO’s input is merely intended “to assist the court in its consideration of the facts, circumstances, and conditions of the proposed sale or lease of personally identifiable information.” 11 U.S.C. § 332(b). Thus, the Bankruptcy Court is not actually required to implement the CPRO’s recommendations. In practice, however, judges often defer to the CPRO.

There are a number of issues to work through first. As mentioned in multiple motions, it is unclear whether 23andMe owns the data such that it can sell it off as an asset. That finding could be determinative regarding whether 23andMe can successfully reorganize or whether it will be forced into chapter 7. If a sale does proceed, there is also a question of what the privacy policies of a new buyer would look like. The bidding procedures require a new buyer to comply with 23andMe’s current practices in its treatment of customer data, but as Texas pointed out in its motion, what exactly is encompassed in 23andMe’s privacy practices is unclear. Even if the new buyer were required to comply with 23andMe’s current privacy policy, there is no way to guarantee that the new buyer will retain those policies once it owns the data. Moreover, it is not clear that regulators such as the FTC could enforce the policy against a new buyer absent its own public representation to do so.

Currently, 23andMe is moving forward in the process to sell substantially all of its assets. An auction for the sale of substantially all of 23andMe’s assets was held on May 14. With a bid of $256 million, Regeneron Pharmaceuticals was selected as the winning bidder for substantially all of 23andMe’s assets. The CPRO will be tasked with examining the transaction and its impact on consumers’ privacy. The CPRO’s report and any objections to the sale must be filed by June 10, and a hearing to consider approval of the sale is currently set for June 17.

Given the type of data at issue in 23andMe’s bankruptcy and the widescale privacy concerns, the Bankruptcy Court will undoubtedly look to the CPRO’s expertise and knowledge in deciding whether to approve the sale. We will have to wait to learn of the terms of any proposed sale. If the terms of the sale fail to resolve privacy concerns or are in contravention of any states’ applicable privacy laws, we can expect objections to be filed and a contested sale. So, while this stipulation allows 23andMe’s customers to breathe a short sigh of relief, they will still need to pay close attention to how this bankruptcy progresses to understand how it will affect them and their data.

[1] According to a notice sent by 23andMe through its claims and noticing agent, customers whose personal information was exposed during this data breach can qualify as “Cyber Security Incident Claimants” and are encouraged to file a claim. Customers whose information was compromised and who incurred damages, including non-monetary damages, must file any such claims by July 14 or they will lose all rights to compensation from 23andMe.

[2] Debtors’ Motion for Entry of an Order (I) Approving Bidding Procedures for the Sale of the Debtors’ Assets, (II) Scheduling Certain Dates and Deadlines with Respect Thereto, (III) Approving the Form and Manner of the Notice Thereof, (IV) Approving Procedures Regarding Entry into Stalking Horse Agreement(s), if Any, (V) Establishing Notice and Procedures for the Assumption and Assignment of Contracts and Leases, (VI) Approving Procedures for the Sale, Transfer, or Abandonment of De Minimis Assets, and (VII) Granting Related Relief, Dkt No. 30 (the “Bidding Procedures Motion”).

[3] See Bidding Procedures Motion, Exhibit 1, Section G ¶ 16 (emphasis added).

[4] Debtors’ Motion for Entry of an Order (I) Appointing an Independent Customer Data Representative and (II) Granting Related Relief, Dkt. No. 169. As discussed below, 23andMe ultimately stipulated and agreed to the appointment of a CPRO.

[5] Among the states filing motions or joinders to those motions are Texas, Missouri, Arizona, Connecticut, Florida, Illinois, Louisiana, Maine, Michigan, New Hampshire, New Mexico, New York, North Carolina, Ohio, South Carolina, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Kentucky, Colorado, Minnesota, Oregon, California, Alaska, Pennsylvania, Tennessee, and Indiana.

[6] United States Trustee’s (I) Motion for Appointment of Consumer Privacy Ombudsman or, in the Alternative, Appointment of an Examiner and (II) Objection to Debtors’ Motion for Appointment of Independent Customer Data Representative, Dkt. No. 195.

[7] Motion for the Appointment of a Consumer Privacy Ombudsman and a Security Examiner Pursuant to 11 U.S.C. Sections 105(a), 332, 363(b)(1) and Federal Rule of Bankruptcy Procedure 6004(G) and Notice of Hearing, Dkt. 239.

[8] Missouri Attorney General’s Motion for Appointment of a Consumer Privacy Ombudsman under 11 U.S.C. §§ 105(a), 332, and 365(b)(1) and Notice of Hearing, Dkt. No. 248.

[9] Motion for Order Appointing a Consumer Privacy Ombudsman under 11 U.S.C. §§ 105(a), 332, and 363(b)(1) and Notice of Hearing, Dkt. No. 181.

[10] Joint Stipulation and Agreed Order Directing the United States Trustee to Appoint a Consumer Privacy Ombudsman, Dkt. No. 340.