On 24 March 2025, the UK Information Commissioner’s Office (ICO) issued provisional findings, a notice of intent to impose a fine of £4.59 million, and a preliminary enforcement notice to 23andMe. This action followed a joint investigation with the Office of the Privacy Commissioner of Canada (OPC) into a data breach reported by the company in October 2023. The breach involved sensitive personal data, including genetic information. The ICO stated that the findings are provisional and remain subject to representations from 23andMe, including in relation to the proposed penalty’s affordability. The regulator also confirmed that it is monitoring 23andMe’s Chapter 11 bankruptcy proceedings in the United States and noted that the company continues to be subject to obligations under the UK General Data Protection Regulation (UK GDPR).