Canada: Office of the Privacy Commissioner of Canada and UK Information Commissioner's Office joint investigation into 23andMe's compliance with cybersecurity regulations
Progress
Current status
under investigation
24 Mar 2025 under investigation
10 Jun 2024 under deliberation
Scope
Implementers
Canada
United Kingdom
Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
other service provider
Government Branch
executive
Government Body
data protection authority
Implementation Level
bi- or plurilateral agreement
Timeline of events
UK Information Commissioner’s Office issued provisional findings and proposed fine to 23andMe following joint investigation with Office of the Privacy Commissioner of Canada regarding compliance with cybersecurity regulations
On 24 March 2025, the UK Information Commissioner’s Office (ICO) issued provisional findings, a notice of intent to impose a fine of £4.59 million, and a preliminary enforcement notice to 23andMe. This action followed a joint investigation with the …
SourceEvent type
investigation
Action type
interim ruling
Government branch
executive
Government body
data protection authority
Office of the Privacy Commissioner of Canada and UK Information Commissioner’s Office announced joint investigation into 23andMe's compliance with cybersecurity regulations
On 10 June 2024, the Office of the Privacy Commissioner of Canada (OPC) announced that they had launched a joint investigation with the United Kingdom Information Commissioner's Office (ICO) into the data breach that was discovered in October 2023 a…
SourceEvent type
investigation
Action type
announcement
Government branch
executive
Government body
data protection authority