Privacy Daily is a service of Warren Communications News.
Texas Argues for Ombudsman

23andMe Seeks Appointment of Data ‘Representative’ in Bankruptcy Sale

23andMe is seeking the appointment of a “customer data representative” to assess the company’s handling of user data in its bankruptcy sale, company attorneys told the U.S. Bankruptcy Court for the Eastern District of Missouri in filings this week.


DOJ’s Office of the U.S. Trustee last month recommended the court appoint a consumer privacy ombudsman (CPO) (see 2504010060). 23andMe previously argued that a court-appointed ombudsman is unnecessary given the company’s existing privacy policies and protections. The company said in its Monday filing that a CPO isn’t legally required in the case. But the company recognizes handling of customer data is of “paramount importance” and as a result has determined in its “business judgment to appoint a disinterested, independent representative,” or customer data representative (CDR).

23andMe didn’t comment Wednesday on the legal distinction between a court-appointed CPO and a CDR. 23andMe said in a Tuesday filing the CDR will provide an “objective assessment” on “whether any proposed Sale involving the transfer of Customer Data complies with the Policies and applicable data privacy laws” and “any impacts on the security of Customer Data resulting from any such transaction pursuant to” protocols laid out in its filing.

Texas Attorney General Ken Paxton (R) in a filing Wednesday argued for the appointment of a CPO, given numerous state, federal and international data privacy laws could apply. At least three Texas laws will apply, including the state’s genetic data privacy law, he said. Texas also noted that 23andMe has developed at least 22 different policies governing its data.

“Because this case presents an unprecedented situation at the intersection of bankruptcy law, consumer data rights, and the ethical use of genetic information, Texas contends that the appointment of a neutral third-party CPO to assist the Court in consideration of the sale of PII is not only appropriate and in the best interest of consumers and creditors, but mandatory under the Bankruptcy Code prior to any sale transaction involving PII,” Texas said.

There’s no concept of a “customer data representative” in the bankruptcy code itself, emailed John Loughnane, a bankruptcy attorney at White and Williams. A CDR is a “self-created position” that would address some of the same issues as a court-appointed CPO, he said: “It will be interesting to see what objections may be lodged and the form of any final order allowing the motion or whether parties will push for the Court to exercise its discretion to have the UST appoint a CPO even though one is not strictly required under the statute.”

FTC Chairman Andrew Ferguson, in response to the U.S. Trustee, said he believes 23andMe can transfer user data in its sale, but the buyer must honor the company’s original privacy terms (see 2503310057). He didn’t address the prospect of a court-appointed ombudsman.

The company said it has identified potential candidates and will consult the U.S. Trustee office on the appointment. The U.S. Trustee office declined to comment Wednesday.

The filing notes customers can delete their accounts “at any time.” 23andMe will “automatically opt the customer out of any future research that begins more than 30 days after deletion of the customer’s account, and will discard any genetic sample the customer had asked the Debtors to store,” it said.

The company acknowledged certain customers have experienced delays in deleting their accounts. News of the bankruptcy “caused an increase in traffic to the Debtors’ website and deletion requests, which made it difficult for some customers to access Debtors’ website, and which has also resulted in delays in the Debtors’ ability to provide customer care due to the increase in call volume.”

23andMe said it will retain customer data in “certain limited circumstances and as required by law.” Retention requirements are based on the Clinical Laboratory Improvement Amendments of 1988, California Business and Professions Code Section 1265 and College of American Pathologists accreditation requirements, the company said. “Other legal requirements include obligations to retain customer email addresses, account deletion request identifiers, and communications related to inquiries or complaints and legal agreements.”

Privacy laws don't apply to much of the data involved in the company's bankruptcy filing, though unfair and deceptive practices laws may apply, said Alston and Bird privacy lawyers in a blog post Monday.

State health privacy and comprehensive consumer privacy laws "exempt from their definition of a 'data sale' those transfers of data that occur in bankruptcy proceedings," said attorneys in the blog. "This means the business can transfer the genetic information during bankruptcy without triggering the normally-applicable rules for 'data sales' -- like notice and opt-out rights -- as long as the purchaser assumes the data under the same terms as the seller’s privacy policy."

The Health Insurance Portability and Accountability Act "may not apply to much of the genetic data collected from consumers," since 23andMe likely did not act as a HIPAA covered entity or business associate with respect to many of the consumers who sent in samples for genetic testing, said the lawyers. Even if HIPAA did apply, it allows "covered entities to transfer protected health information, such as genetic information, in the event of a reorganization as part of the covered entity’s 'healthcare operations.'"

However, state and federal unfair trade practices laws do apply in bankruptcy cases, said the lawyers. In the 23andMe case, it means "data cannot be sold to buyers in ways that would render the sale, or the ensuing uses or disclosures of data, unfair or deceptive to consumers," they said.