[Senate Hearing 119-200]
[From the U.S. Government Publishing Office]
S. Hrg. 119-200
23 AND YOU: THE PRIVACY
AND NATIONAL SECURITY IMPLICATIONS
OF THE 23ANDME BANKRUPTCY
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED NINETEENTH CONGRESS
FIRST SESSION
__________
JUNE 11, 2025
__________
Serial No. J-119-22
__________
Printed for the use of the Committee on the Judiciary
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
www.judiciary.senate.gov
www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
61-889 WASHINGTON : 2025
-----------------------------------------------------------------------------------
COMMITTEE ON THE JUDICIARY
CHARLES E. GRASSLEY, Iowa, Chairman
LINDSEY O. GRAHAM, South Carolina RICHARD J. DURBIN, Illinois,
JOHN CORNYN, Texas Ranking Member
MICHAEL S. LEE, Utah SHELDON WHITEHOUSE, Rhode Island
TED CRUZ, Texas AMY KLOBUCHAR, Minnesota
JOSH HAWLEY, Missouri CHRISTOPHER A. COONS, Delaware
THOM TILLIS, North Carolina RICHARD BLUMENTHAL, Connecticut
JOHN KENNEDY, Louisiana MAZIE K. HIRONO, Hawaii
MARSHA BLACKBURN, Tennessee CORY A. BOOKER, New Jersey
ERIC SCHMITT, Missouri ALEX PADILLA, California
KATIE BOYD BRITT, Alabama PETER WELCH, Vermont
ASHLEY MOODY, Florida ADAM B. SCHIFF, California
Kolan Davis, Chief Counsel and Staff Director
Joe Zogby, Democratic Chief Counsel and Staff Director
C O N T E N T S
----------
OPENING STATEMENTS
Page
Grassley, Hon. Charles E......................................... 1
Durbin, Hon. Richard J........................................... 3
WITNESSES
Cohen, Glenn..................................................... 6
Prepared statement........................................... 33
Gotberg, Brook................................................... 8
Prepared statement........................................... 43
Klein, Adam...................................................... 9
Prepared statement........................................... 53
Selsavage, Joseph................................................ 5
Prepared statement........................................... 61
APPENDIX
Items submitted for the record................................... 75
23 AND YOU: THE PRIVACY
AND NATIONAL SECURITY IMPLICATIONS
OF THE 23ANDME BANKRUPTCY
----------
WEDNESDAY, JUNE 11, 2025
United States Senate,
Committee on the Judiciary,
Washington, DC.
The Committee met, pursuant to notice, at 10:19 a.m., in
Room 226, Dirksen Senate Office Building, Hon. Charles E.
Grassley, Chairman of the Committee, presiding.
Present: Senators Grassley [presiding], Cornyn, Hawley,
Blackburn, Britt, Moody, Durbin, Klobuchar, Coons, Padilla, and
Schiff.
OPENING STATEMENT OF HON. CHARLES E. GRASSLEY,
A U.S. SENATOR FROM THE STATE OF IOWA
Chairman Grassley. Good morning, everybody.
Genetic data is the blueprint to a person. It is sensitive,
it is personal, and in the wrong hands, it can be dangerous. As
technology and biotechnology rapidly expand, they bring new and
serious challenges. Consumers deserve to know how their data is
going to be used, and Americans deserve protection from foreign
threats. That is why we are here today.
The 23andMe saga has unveiled serious and concerning issues
regarding consumer protection, data privacy, and national
security. We have explored these issues in these hearings, but
today's hearing focuses upon genetic data. 23andMe collected
genetic data from roughly 15 million people, and when it did,
it told the consumers that their data would be safe. They said
it would be protected under their privacy policy.
But now, 23andMe is in bankruptcy, and it is selling off
its data, Americans' genetic data, your data, to the highest
bidders, bidders who consumers never consented to giving their
information to, bidders who could manipulate and repurpose the
genetic data, bidders who could be loyal to or controlled by
foreign adversaries. Without any Federal law governing genomic
data privacy, the only protection for the American consumer was
23andMe's own privacy policies.
Even putting aside whether consumers read or understood the
privacy policy, they were required to sign it as-is, or they
couldn't use the service. And now that 23andMe is in
bankruptcy, whichever company buys them can change the privacy
policy on a whim, however they see it.
That's why, just yesterday, 27 States sued to block the
sale of this data. Though the bankruptcy code requires a
consumer privacy ombudsman to be appointed when personally
identifiable data is being sold in violation of a privacy
policy, that simply is not enough. On the one hand, the
bankruptcy code doesn't include genetic data within the
definition of these three words, personally identifiable
information. So even if a company sold genetic data in
violation of their privacy policy, the code doesn't require an
ombudsman to be appointed to protect consumer privacy interest.
On the other hand, even if an ombudsman is appointed, the
timeline for on which they operate and the efficacy of their
role must be further interrogated. Before Americans' genetic
information is sold, they should be able to decide whether,
when, and how that data is going to be used.
In addition to consumer rights concerns, the national
security implications of 23andMe bankruptcy are significant. In
2019, the Department of Defense issued guidance that
servicemembers refrain from using direct-to-consumer DNA
testing kits. When a consumer genetics company accumulates the
personal genomic blueprint of millions, many of whom are U.S.
citizens, government employees, or military personnel, it
becomes a strategic intelligence asset. In the wrong hands,
this data access isn't just a privacy breach, it is a potential
weapon.
Foreign governments can design targeted biological weapons
and wage pathogenic warfare. They can identify health
vulnerabilities and conduct tailored attacks on key military
and government personnel. In light of the serious evidence that
COVID-19 was created in a Chinese laboratory, the weaponization
of biologics and the military application of genomic data are
no longer far-fetched fantasies of science fiction. They are
tenable threats to the national security.
The threat from China is particularly acute. The Chinese
have invested heavily in their military-civil fusion strategy
where they seek to erase the line between private property and
military assets. The Chinese Communist Party aggressively
integrates development of artificial intelligence, biotech, and
computing into their military efforts. They seize and acquire
corporate assets to engage in unconventional and asymmetric
warfare.
Just this week, for example, two Chinese nationals were
charged with smuggling a dangerous pathogen used for
agricultural terrorism into the United States. The Chinese
Government paid for one of the nationals to research this
pathogen, and a search of their electronics revealed
information linking them to the Chinese Communist Party.
Data is a weapon, and genetic data is particularly a potent
weapon. Americans' genetic data must be zealously defended and
jealously protected. The 23andMe bankruptcy is a massive threat
to the protection of the genetic data of so many Americans.
Congress has yet to enact sufficient protection on these
important issues. There is no data privacy law that protects
genomic data, no provision in the bankruptcy code that prevents
this data from being compromised through bankruptcy auction,
and no sufficient remedy for consumers.
I recently co-sponsored Senator Cornyn's Don't Sell My DNA
Act, which aims at filling some of these gaps, but there is a
lot more work to do. I look forward to hearing from our
witnesses about how we can advance legislation that better
protects Americans' genetic security.
With that, I will open things up to Senator Durbin to give
an opening statement. Then, we will hear from our witnesses.
OPENING STATEMENT OF HON. RICHARD J. DURBIN,
A U.S. SENATOR FROM THE STATE OF ILLINOIS
Senator Durbin. Thanks, Senator Grassley, good and timely
hearing as far as I am concerned.
23andMe has a data base containing the genetic information
of about 15 million people. If your genetic information is in
their data base, a researcher can tell you who your relatives
are, what your ethnicity is, what your eye color is, and
whether you think cilantro tastes like soap. They can also
determine a lot of information about your health. Are you at
risk of developing type 2 diabetes? How about celiac disease,
chronic kidney disease, Parkinson's?
In short, 23andMe has access to deeply personal information
about you and your health, information that you would normally
want to keep private, I guess, between you and your family and
your doctor. Yet no federal law, no federal law, prevents
23andMe from sharing this data with others, including insurance
companies, future employers, and law enforcement. Rather, a
patchwork of State laws, privacy policies are the only things
protecting the genetic information of millions of Americans.
If 23andMe's customers are anything like fellow Americans,
they likely did not read this privacy policy. According to a
survey by Pew Research, more than half Americans say they
always--well, almost always--often agree with privacy policies
without ever reading them. Who can blame them? Whether you are
activating your cell phone, setting up your Facebook account,
accessing a number of services, Americans are bombarded with
countless privacy policies to which they must agree, and
virtually all of us do.
One company who studied the issue found that Americans
would have to spend, get ready, 47 hours a month to read the
privacy policies of the most visited websites. That is more
than a full 9 to 5 workweek every single month. Get real.
When 23andMe filed for bankruptcy on March 23, a lot of
people suddenly became interested in privacy policy because
buried in the fine print of their privacy policy is the
following. Listen closely. ``If we are involved in a
bankruptcy, merger, acquisition, reorganization, or sale of
assets, your personal information may be accessed, sold, or
transferred as part of the transaction.'' Remember that clause?
Probably not.
So 23andMe's 15 million customers are left wondering, who
is going to get access to my genetic information? What are they
going to do with it? What rights do I have to stop it? That is
why we need this hearing.
Thankfully, 23andMe's privacy policy gave its customers the
right to delete their data upon request, and millions have done
so, so many, in fact, that 23andMe's website crashed with the
traffic. Again, this wasn't required by Federal law. There are
very few federal guardrails to protect the most sensitive
personal data, including your DNA and who can share it.
It is time for Congress to put some protections in place
for Americans. In the right hands, a genetic data base could
help researchers unlock lifesaving medical cures and make
incredible discoveries. But in the wrong hands, in the wrong
hands, it could enable dystopian discrimination, and
surveillance could be used by our adversaries. You were turned
down for that job? Why did they turn me down? Turns out they
knew a lot more about you than you knew about yourself.
The American people deserve to have faith that their
sensitive information will be and stay in the right hands
before they agree to share it. Yet nearly 20 years after
23andMe came on the scene, and at least that long since the
surveillance industrial complex started taking over the
internet, America still lacks a comprehensive federal law to
protect our privacy. Like other areas, including kids' online
safety, to which this Committee has dedicated a lot of time,
there is bipartisan consensus that something needs to be done
about our privacy.
There have been signs of hope, including in 2022 when the
American Data Privacy and Protection Act passed the House by a
broad bipartisan vote of 53 to 2. This is the Energy and
Commerce Committee. But the American people are still waiting.
I think we can get together and pass a bipartisan bill. This
hearing might help.
Thanks, Mr. Chairman.
Chairman Grassley. Thank you.
This is a consensus hearing, so I am going to go ahead and
introduce all the witnesses that have joined us today. Then, I
will swear them in.
Mr. Joseph Selsavage serves as interim CEO, CFO, CAO,
23andMe, joined 23andMe in November 2021 through the
acquisition of Lemonaid Health. At Lemonaid Health, he was
chief financial officer. Mr. Selsavage received a BA in
economics and financial management and his MA in accountancy
from Catholic University. He also received his MBA from
Massachusetts Institute of Technology. He is a certified public
accountant.
Next, we have Mr. Glenn Cohen, professor of law at Harvard
Law School and the faculty director of Harvard Center of Health
Law Policy, Biotechnology, and Bioethics. Professor Cohen is an
elected member of the National Academy of Medicine and has
spoken to NATO, OECD, and members of the U.S. and Korean
Congress on medical and biotech issues and policies. He
previously served as a lawyer for the U.S. Department of
Justice, Civil Division, where he handled litigation in Court
of appeals and U.S. Supreme Court.
Next, we have Ms. Brook Gotberg, professor of law, Brigham
Young University. Professor Gotberg teaches bankruptcy,
contracts, secured transactions, and other commercial law
subjects. Her scholarship focuses on debtor and creditor
relations and various impacts on the bankruptcy code and
business reorganization. Professor Gotberg earned her BA in
political science magna cum laude, Brigham Young University,
and her JD cum laude from Harvard Law School.
Mr. Adam Klein is a senior lecturer at UT Austin School of
Law and director of the Strauss Center for International
Security and Law. Previously, Mr. Klein served as chairman and
CEO of the United States Privacy and Civil Liberties Oversight
Board, overseeing counterterrorism programs at the NSA, FBI,
CIA, and the Department of Homeland Security. Before entering
government, Mr. Klein was a senior fellow at the Center for the
New American Security and National Security Think Tank. Earlier
in his career, he served as a law clerk to Justice Scalia of
the Supreme Court.
Would you please rise so I could administer the oath?
[Witnesses are sworn in.]
Chairman Grassley. Thank you. And I think we will go my
left to my right, so you start, Mr. Selsavage.
STATEMENT OF JOSEPH SELSAVAGE, INTERIM CHIEF EXECUTIVE OFFICER
AND CHIEF FINANCIAL AND ACCOUNTING OFFICER, 23ANDME HOLDING
CO., SOUTH SAN FRANCISCO, CALIFORNIA
Mr. Selsavage. Chairman Grassley, Ranking Member Durbin,
and Members of the Committee, thank you for the opportunity to
appear before you today. My name is Joseph Selsavage, and I am
the interim chief executive officer of 23andMe, a mission-
driven organization founded on the simple yet transformative
belief that individuals have the right to access, understand,
and benefit from their own genetic information. From the very
beginning, 23andMe's purpose has been clear, to help people
live healthier lives through direct access to their own DNA, to
accelerate scientific discovery, and to contribute meaningfully
to the future of personalized medicine.
We recognize that with this vision comes immense
responsibility to the millions of individuals who have chosen
to participate in something larger than themselves. We are here
today not only to answer your questions, but to reaffirm our
deep commitment to data privacy and security, transparency,
customer choice, data stewardship, and scientific integrity.
Founded in 2006, 23andMe is a personal genomics and
biotechnology company that pioneered direct-to-consumer genetic
testing. We are named after the 23 pairs of chromosomes in
every human cell. Our mission has always been to empower
consumers by providing access to information about their
personal genetics based on the latest science so that they can
make their own informed decisions about their healthcare
journey.
Our services allow customers to gain DNA insights about
their genetic risk for dozens of conditions like type 2
diabetes, Alzheimer's disease, and certain cancers. They can
also learn about their carrier status for inherited conditions
like cystic fibrosis or Tay-Sachs disease, or wellness factors
like lactose intolerance or deep sleep intolerance.
23andMe customers have consistently reported taking
positive health actions after learning about their genetics
through 23andMe's services. Eighty-two percent of our customers
with an actionable genetic result were previously unaware of
their health risks.
The value of personal genomics goes beyond the insights
people learn about themselves. Customers who register for our
services also have the option to allow their data to be shared
for research purposes, and over 80 percent of our customers
have chosen to consent to research.
Consent is a central tenet of 23andMe's research program.
We have separate research consents beyond our consents to
processing sensitive data, a privacy statement and terms of
service that customers must review and agree to if they want to
participate in our research program. We remove all identifying
information before any genetic data is shared with third
parties. Any customer who affirmatively consents to participate
in our research program can easily opt out at any time through
their account settings and have always been able to do so.
Customers are also free to delete their account and data at any
time.
Our customers who have affirmatively consented contribute
to more than 230 studies on topics that range from Parkinson's
disease to lupus to asthma and more. We collaborate with
advocacy organizations, universities, and biotech companies to
bring customers opportunities to participate in research. Since
2010, 23andMe has published 293 papers that help advance
scientific research in a wide range of fields.
Due to circumstances that I discuss in more detail in my
written testimony, 23andMe is currently conducting a sales
process supervised by a United States bankruptcy court. That
process has been a success to date. We have two remaining
bidders, both American enterprises, that will conduct a final
round of bidding later this week before the sale of the winning
bidder is presented for approval by the bankruptcy court.
Because this proceeding is ongoing, I am unable to speak about
the merits of either bid or the ongoing sale process.
Let me assure the Committee that 23andMe remains committed
to protecting customer data. We are requiring that anyone
bidding for 23andMe must agree to comply with our privacy
policies. We recognize the vital importance of protecting every
individual's right to access and control their own genetic
information. Empowering people with the knowledge about their
DNA is not only a matter of personal autonomy, it is a gateway
to proactive and personalized health, informed decisionmaking,
and greater engagement in consumer and scientific progress.
At 23andMe, we believe that when consumers are trusted with
their own data, they become partners in advancing medicine and
not just patients of it.
I appreciate the opportunity to testify before this
Committee today, and I welcome your questions.
[The prepared statement of Mr. Selsavage appears as a
submission for the record.]
STATEMENT OF I. GLENN COHEN, DEPUTY DEAN AND PROFESSOR, HARVARD
LAW SCHOOL, CAMBRIDGE, MASSACHUSETTS
Professor Cohen. Chairman Grassley, Ranking Member Durbin,
other distinguished Members of the Committee, my name is Glenn
Cohen. I'm a deputy dean and professor at Harvard Law School. I
work on the legal and ethical issues in medicine and the
biosciences, including genetics. Thank you for the opportunity
to testify before you today.
Genetic data requires special protection because it is
immutable, it inherently identifies us, it reveals information
about our blood relatives, and because many health conditions
have significant genetic components, so knowing about someone's
genes is knowing about their health. If one's genetic
information was accessed, it might reveal information on
prognosis for breast cancer, Alzheimer's disease, and many
other health conditions. It might let people identify you,
including reconstructing your face and vocal characteristics.
You might face discrimination in life, disability, and long-
term care insurance, and it might reveal misattributed
paternity.
There are additional risks to our servicemembers. Indeed,
the Pentagon warned that our enemies might use the 23andMe data
for ``mass surveillance and the ability to track individuals
without their authorization or awareness.'' And that's just
today's risks. The development of polygenic risk scores may
further reveal our risk for various diseases, and some have
begun using 23andMe data to create scores to predict behavioral
traits like risk tolerance and even educational attainment.
Since 2006, through its direct-to-consumer genetic tests,
23andMe has amassed a vast data base that includes the genetic
and personal information of more than 15 million consumers. For
many, it also holds physical specimens like saliva samples. The
main privacy protection for those customers is just a promise
the company has made in its privacy statement not to share
personal information voluntarily with insurance companies,
employers, or public data bases, or with law enforcement
agencies without a valid subpoena, search warrant, or court
order.
But if you read more closely, the privacy statement
provides much less protection than it appears to. Few customers
read or understand privacy statements or terms of use. 23andMe
reserves the right to alter the terms customers have relied on,
and moreover, the company explicitly reserves the right to
transfer customer personal information in the event of the sale
of the company or a bankruptcy.
The company has announced as part of the bankruptcy process
it will ``require anyone bidding for 23andMe to agree to comply
with our privacy policies and all applicable privacy laws.''
Well, that's all well and good, but even if that becomes a
condition of the sale, nothing prohibits Regeneron, TTAM, or
another buyer of the data from altering that privacy policy
just as there's nothing to stop 23andMe from doing so tomorrow.
It's also unclear to me what's going to happen to the saliva
samples, raising additional privacy concerns.
Trust is all about a relationship. Customers who chose
23andMe entered into a particular kind of relationship with a
particular kind of company. They shared their genetic and other
personal information, recognizing there was some privacy risk
to obtain potential ancestry and health-related insights, and
for some of them to help enable research and the development of
potential new drugs or other therapeutics.
Upon bankruptcy or sale of the assets, consumers may find
themselves in a relationship with a very different kind of
company with goals they may not support and policies that have
changed while they weren't looking. Privacy statements and
customer acquiescence have a role to play, but private ordering
solutions can only go so far to deal with these concerns.
And Federal law is not currently up to the job. The Health
Insurance Portability and Accountability Act, HIPAA, our main
health privacy law on the Federal level, will not apply to
23andMe because it's not a covered entity. The Genetic
Information Nondiscrimination Act of 2008 protects individuals
from genetic discrimination for employment or health insurance,
but unlike its equivalent in many of our peer countries, it
doesn't cover life, disability, and long-term care insurance.
It excludes military personnel and excludes protection for
individuals on the basis of conditions that have already
manifested in the individual.
In my written testimony, I've analyzed a series of possible
alternatives for you to consider, but I want to focus on two
here, two that I think are particularly promising. First, the
Don't Sell My DNA Act introduced by Members of this Committee,
Chairman Grassley, Senators Cornyn and Klobuchar, which would
introduce a strong model of affirmative consent upon
bankruptcy. We've heard a lot about consent from the company,
and the question is, why aren't they getting consent at this
moment for the transfer? Why not go back and ask people to
affirmatively consent to that transfer? And that is what your
act would help do. I would like to see it extended, in fact,
beyond the bankruptcy to other forms of sale or transfer of
genetic data and more explicitly cover the biospecimens.
The second complementary model I want to highlight is from
Florida, which in 2020 became the first U.S. State to ban
insurers from discriminating on the basis of genetic
information in areas not covered by GINA, life, long-term care,
and disability insurance. I would like to see a similar effort
on the Federal level because when it comes to--I respect
federalism, but when it comes to genetic discrimination,
really, all Americans should have this protection.
Chairman Grassley, Ranking Member Durbin, and Members of
the Committee, I'm appreciative of your focus on this important
issue, and I thank you for the opportunity to testify before
you today, and I look forward to answering your questions.
Thank you very much.
[The prepared statement of Professor Cohen appears as a
submission for the record.]
Chairman Grassley. I am going to open up the Senate.
Senator Cornyn, would you Chair while I am gone? I will be gone
about 15 or 20 minutes. Thank you.
Go ahead, Professor Gotberg.
STATEMENT OF BROOK GOTBERG, PROFESSOR OF LAW,
BYU LAW SCHOOL, PROVO, UTAH
Professor Gotberg. Okay. Thank you for the opportunity to
present to you today.
Chairman Grassley. Push the button.
Professor Gotberg. Thank you. Thank you for the opportunity
to present to you today. I'm happy to provide some perspective
on the sale of personal consumer data in bankruptcy. And the
main message that I'd like to convey is that the concerns that
you've raised are not inherently bankruptcy issues. I'd also
like to advise against passing bankruptcy-specific prohibitions
on the sale of data, and I'll explain.
Bankruptcy provides a vital public policy role in the
smooth running of our economy. Bankruptcy is not inevitable
when a company becomes insolvent, but its primary purpose is to
mitigate and manage the losses caused by a debtor's insolvency.
When a company becomes insolvent, the creditors of that company
are obligated to engage in a competition for those debtors'
limited assets. This competition looks like a race to recover
their legal rights. This is the metaphorical or actual race to
the courthouse.
The race imposes costs on creditors who have to expend
resources, sometimes fruitlessly, because they have gotten
there too late after the money has run out. Also, a piecemeal
liquidation of the debtor's assets frequently devalues those
assets or destroys value so that creditors are ultimately paid
less. That's why we want parties to choose bankruptcy when the
debtor is insolvent.
Bankruptcy isn't a haven for any party to avoid the
enforcement of outside laws. This is a primary issue in the
23andMe bankruptcy right now to determine if there are State
laws that would prohibit the sale of assets in that bankruptcy.
But we also don't want parties to avoid bankruptcy because of
specific laws that arise only in those instances.
If a company cannot sell assets in bankruptcy, it will
simply do so outside of bankruptcy, without the benefit of
court oversight or the transparency provided by bankruptcy
proceedings and probably for a lower price. This won't actually
protect consumers from the sale of their data. It will just
deny them these protections that bankruptcy is intended to
give. The primary advantage of bankruptcy is its efficiency and
its ability to maximize the value of debtor's assets.
Federal law shouldn't protect consumer data only in
bankruptcy proceedings. To the extent that Congress wants to
prohibit the sale of personal consumer data, it should do so
both inside and outside bankruptcy to prevent the strategic use
of bankruptcy for reasons that have nothing to do with the
efficiency of the proceedings.
I'm happy to answer any questions about this or any
bankruptcy-related issues, but I would really encourage the
Committee to consider holistic and universally applicable
prohibitions to the extent they exist. Thanks.
[The prepared statement of Professor Gotberg appears as a
submission for the record.]
Senator Cornyn [presiding]. Mr. Klein.
STATEMENT OF ADAM KLEIN, DIRECTOR AND SENIOR LECTURER, ROBERT
S. STRAUSS CENTER FOR INTERNATIONAL SECURITY AND LAW, (UT
AUSTIN), AUSTIN, TEXAS
Mr. Klein. Mr. Chairman, Mr. Ranking Member, and Members of
the Committee, thank you for inviting me to testify today.
Before joining the University of Texas, I served as
chairman of the United States Privacy and Civil Liberties
Oversight Board, an agency that Members of this Committee
oversee and know well. Many of our oversight projects revolved
around the insights that intelligence agencies can gain from
personal data. That is because data is not just another
commodity. When our adversaries buy or steal sensitive American
data, they use it to harm the United States. China, in
particular, has used American data to strengthen its military,
conduct hostile intelligence operations, and help its companies
displace American competitors.
Genomic data, like the DNA profiles held by 23andMe,
presents several distinct national security risks. First, China
could use DNA profiles to identify and track people of
interest, such as American intelligence officers and critics of
the CCP, the Chinese Communist Party, who live in the United
States. China has already built a genetic data base to track
and identify members of its Uyghur minority. With our genomic
data, it could do the same for Americans.
Second, access to American genomic data could help Chinese
biotech companies gain an unfair advantage over American
companies. It could also help China train specialized AI models
for biomedical research. Now, China has domestic AI datasets,
but its population is far less genetically diverse than ours,
so American genomic data would hold great value for them.
Third, China could use American genomic data for bioweapons
research. Now, that risk is speculative, but it can't be
dismissed. My written testimony lists several clues that China
might be open to this kind of research. For example, a Chinese
military textbook speculated about bioweapons designed for
specific ethnic genetic attacks. Access to American DNA
profiles with their greater genetic diversity could facilitate
research into ethnically targeted bioweapons.
There is a disturbingly high chance, as Members of this
Committee know, that we will find ourselves in an armed
confrontation with the People's Republic of China before the
decade is out, most likely over Taiwan. If so, we should expect
China to target our homeland with unconventional, asymmetric
tactics, which could include biologic attacks.
Next year, this Committee will once again consider Section
702 of the Foreign Intelligence Surveillance Act. As you do so,
I respectfully encourage you to keep in mind that law's vital
role in detecting adversarial plots against our homeland and
stopping cyber intrusions into sensitive systems, potentially
including systems like 23andMe's that store Americans' data.
I'd like to conclude on a positive note. In recent years,
Congress, including this Committee and Members of this
Committee and the executive branch, have done a great deal to
protect Americans' data from hostile foreign powers. And as
this hearing illustrates, leaders are now vigilant about the
security risks of letting adversaries buy our data. For those
reasons, I'm confident that the executive branch would block
and could block an adversary-controlled entity from buying
23andMe. But the attention of this Committee and others in
Congress is vital to help ensure an outcome to this bankruptcy
that protects the privacy and security of Americans.
Thank you, and I look forward to your questions.
[The prepared statement of Mr. Klein appears as a
submission for the record.]
Senator Cornyn. Thank you all very much. We will start with
the 5-minute rounds of questions, and I will begin.
So back in 1990, Congress authorized something called the
Human Genome Project, which was designed to map the human
genome, which gave rise to an incredible amount of information
about the human genome, which is what makes us who we are. And
it has had enormous positive benefits in terms of law
enforcement, for example, being able to use DNA as an essential
part of regular criminal investigations to identify an
assailant. For example, in a forensic analysis of a rape kit,
it can identify with virtual certainty the perpetrator of the
crime.
But at the time, it was also recognized that there could be
tremendous abuse of that information. And indeed, we have
touched on some of those, for example, discriminating against
people based on their genetic profile for insurance purposes.
For example, if you apply for life insurance or something of
that nature and someone had access to your genetic profile,
they could basically deny you because of perhaps some
indication, some evidence of a genetic defect that would lead
you to contract a disease or the like. And then, of course,
employment, where there could be discrimination by employers
against people based on their genetic profile.
So all of this is something we have anticipated to some
extent, but I don't think we have been able to predict the
extent to which this genetic profile, this genome data can be
subject to not only beneficial use, but also use by our
adversaries and for improper purposes.
Mr. Selsavage, did 23andMe do the actual testing of the
saliva samples that were submitted by the people who engaged
your company and your product?
Mr. Selsavage. We contract with LabCorp, which is an
American-based testing company to do the testing of the DNA
samples for 23andMe.
Senator Cornyn. For all of it?
Mr. Selsavage. For all of our testing, yes.
Senator Cornyn. And to your knowledge, is LabCorp--are
there efforts to attack or to basically do cyber attacks on the
data base that LabCorp maintained of 23andMe genetic samples
and data?
Mr. Selsavage. I am not aware of any particular cyber
attacks on LabCorp. However----
Senator Cornyn. Well, you are not saying that LabCorp was
somehow immune from cyber intrusions or cyber attacks, right?
Mr. Selsavage [continuing]. No, I'm not, Senator.
Senator Cornyn. So can you tell us, as you sit here today,
whether any of the genetic material that LabCorp tested that
was collected by any of our adversaries or by criminal
organizations, can you tell us with certainty that all of it
was protected?
Mr. Selsavage. To the best of my knowledge, you know, that
data has been protected by LabCorp, and there has not been any
breaches at LabCorp which has affected our data.
Senator Cornyn. Professor Cohen, generally speaking, if
there is genetic information supplied along the same lines as
23andMe, what is to protect individuals from outsourcing of
some of that testing to, let's say, labs in China?
Mr. Cohen. I don't think there's much, Senator.
Senator Cornyn. And Professor Klein, you said this is a
national security vulnerability. Why is that? Why would China,
the Chinese Communist Party, want the genetic information on
Americans?
Mr. Klein. Well, there are several potential uses, none of
which are good. One is to use genetic information as a means of
tracking and identifying people, something that every
intelligence service and law enforcement agency----
Senator Cornyn. And that could include the active-duty
military?
Mr. Klein. Active-duty military, intelligence officers
working for the United States, Chinese dissidents who are
living here and have come here to enjoy freedom and freedom of
speech but whom the CCP is tracking.
But then looking forward into the age of AI, having large
datasets with genetically diverse populations represented in
them is very attractive for training specialized AI models. We
know we're in a fierce competition with them, and we need to
keep these advantages for American companies and for the U.S.
Government.
Senator Cornyn. And would each of you agree with me that
the genetic information that is collected through one of these
saliva samples by a company like 23andMe doesn't just tell you
something about the person who provides that saliva sample. It
tells you something about their parents, about their children,
and about their grandchildren, and anybody who might be a
genetic relative of that individual.
Professor Cohen. That's right, Senator. When we say 15
million, that is kind of an underestimate when you think about
all of these generations of people who are affected.
Senator Cornyn. Senator Durbin.
Senator Durbin. So it seems to me that 23andMe tried, Mr.
Selsavage, to come up with a policy to protect its consumers,
but there is little to guarantee that the next buyer or the one
after that won't abuse that policy, is there?
Mr. Selsavage. Senator and Ranking Member, 23andMe has
required as part of the sale of the assets of the company that
any buyer of the company must comply and adopt the privacy
policy and consents that 23andMe have in place today.
Senator Durbin. So I didn't think I would ever say this in
this room, but does the rule against perpetuities apply?
[Laughter.]
Mr. Selsavage. Congressman, can you clarify that for me?
[Laughter.]
Senator Durbin. I have tried to forget every aspect of that
course in law school, but what I am suggesting to you is two or
three buyers removed, your best intentions don't mean much, do
they?
Mr. Selsavage. Senator and Ranking Member, you know, my
understanding is that, you know, 23andMe is doing everything we
can to ensure that the next buyer adopts the policies and
consents of 23andMe, and, you know, while I can't actually
testify to their future intentions, both are, you know,
American institutions with experience in genomics, and, you
know, are committed to protecting that data and continuing----
Senator Durbin. Unless we have a Federal law relative to
this issue that applies to future transactions, your best
intentions don't mean much, as far as I am concerned. And don't
take it personally.
So, Professor Cohen, there was a best-selling book a few
years ago called The Immortal Life of Henrietta Lacks,
fascinating book, story of an African-American woman who died
in 1951 of cervical cancer in Baltimore if I am not mistaken. A
sample of her tumor generated what is known as the HeLa cell
line. That cell line was mass-produced and sold to laboratories
all over the world. It has been used in scientific research,
including research into cancer, the human genome, and the
development of the polio vaccine. It is still being used today.
Famously, Henrietta Lacks never consented to the use of her
cells in this way, and despite the vast sums of money the cell
line has generated, her family has never seen a dime of
profits.
Part of what is being sold by 23andMe is a collection of
biological samples submitted by consumers who wanted their DNA
examined. They may have consented to some use of their samples,
but I question how informed it actually was. And there is no
guarantee a new owner won't change how the samples are used.
Are you familiar with this story?
Mr. Cohen. I am, Senator.
Senator Durbin. Is there anything we can learn from it in
this application?
Professor Cohen. I think to learn for the importance of
affirmative consent, and again, affirmative consent that can
explain as much as possible what you want to do with material.
And again, we still haven't heard an answer why at this stage
they're not going back to all of their customers and asking,
can you consent to the transfer of your data to this new buyer?
It's a very simple thing that the company could do. Why aren't
they doing it?
Senator Durbin. Mr. Selsavage, why aren't you doing it?
Mr. Selsavage. Senator, 23andMe believes we've obtained the
consent from our customers, and when the customer signed up to
our--to the service, they have agreed affirmatively to consent
to our privacy and terms of service, which specifically says
that we--in the event of a bankruptcy sale, that we can
actually transfer their data.
Senator Durbin. I think what Professor Cohen is suggesting
is that there is more that could be done to protect your
consumers. Would you consider it?
Mr. Selsavage. I can take that suggestion back to our team,
Senator.
Senator Durbin. I hope you will.
Professor Gotberg, I guess my conclusion from your
testimony was the bankruptcy code really didn't envision what
we are talking about here.
Professor Gotberg. So the bankruptcy code treats--it
respects law that exists outside of bankruptcy just the same in
bankruptcy proceedings as outside, so any legal prohibitions
that apply outside bankruptcy also apply inside bankruptcy. So
in a way, the bankruptcy code did anticipate that. It just
doesn't introduce new substantive law when a company files for
bankruptcy. There's not new prohibitions that exist.
Senator Durbin. But what you say is, in your testimony,
current bankruptcy law provides some oversight that can prevent
the worst privacy policy abuses in a bankruptcy sale, but it
does not prohibit the sale from taking place. Placing a
prohibition on bankruptcy sales would simply push them outside
bankruptcy proceedings where there are fewer protections. The
best policy would make any restrictions on the sale of personal
consumer data universally applicable. It is time for us to
legislate, isn't it?
Professor Gotberg. I would say if you want to protect
consumers from having their personal consumer data bought and
sold, you need to do that.
Senator Durbin. Amen. Thank you, Mr. Chairman.
Senator Cornyn. Senator Durbin, we have seen history made
today because in your long and distinguished career in the U.S.
Senate, I know you have been waiting to use the phrase rule
against perpetuities in a question, so congratulations for
that.
[Laughter.]
Senator Cornyn. Senator Blackburn.
Senator Blackburn. Thank you, Mr. Chairman.
Mr. Selsavage, I want to ask you--let me say this. We all
know that China is hard at work trying to build a virtual you
of each and every one of us, and this is why we need to have a
Federally preemptive online privacy law, which we do not have.
And whether it is 23andMe and genetic information or whether it
is data security, this is something that we need. But you seem
a bit naive to think that you haven't had any breaches or any
attacks, cyber attacks. Our critical infrastructure in this
country is hit many times a day.
So what I want you to do--and you can submit this in
writing--is to go into detail about how you anonymize and how
you mask consumers and their information. And you can submit
that during the QFR period. But I think it is important that
you lay this out so that individuals know what level of
protection that they are going to have. You all may sell, and
then there may be an immediate buyer. You sold to 23andMe. You
thought that would be a longer-term relationship. It is not.
And then there may be three or four subsequent buyers, so some
certainty and some awareness would be a good thing. And I want
that in writing. Thank you.
Mr. Selsavage. Senator, thank you for that. And I will take
that back to our team as well.
I do want to note that, you know, I'm clearly aware that,
you know, basically there are many cybersecurity threats. And
at 23andMe, security and our customers' privacy is top of mind.
And, you know, basically, we, you know, at 23andMe, do have
cybersecurity threats from our foreign adversaries and others.
And I will take your concerns back.
Senator Blackburn. Thank you. I thank you for that
clarification because we deal with that issue repeatedly and
the severe threats that exist each and every day.
Okay. Mr. Klein, I want to come to you. Talking about a
privacy standard, there are some States, including my State of
Tennessee, who have stepped forward. And Tennessee, in 2023,
enacted the Genetic Information Privacy Act. That requires
companies to protect consumers' private information and to
provide them with the ability to access their data, to delete
their data and their account, and to destroy their biological
sample. However, not all Americans enjoy this protection. So in
that regard, is the Tennessee law a model for moving forward?
Mr. Klein. Well, I haven't studied that law closely,
Senator, but it certainly sounds appealing to me as a citizen,
as a consumer. And I've been following the saga of the general
Federal privacy law that everyone seems to want for many years
now. And the Committee understands better than I do the
challenges that have arisen in coming to an agreement on
something that everybody seems to want.
I think what the bill that Senator Cornyn and the other
Members have introduced demonstrates is that even as--and the
Tennessee bill is that even as we wait for a general law, there
is possibility of making progress on sector-specific issues.
And in my testimony, I highlighted some of the very good things
that the Committee and other parts of the Congress has done on
this specific threat from hostile foreign actors. And I do
think, to Congress' credit, we've tightened that up
considerably in the past few years.
Senator Blackburn. Mr. Selsavage, the Tennessee attorney
general issued a statement after you all filed for bankruptcy,
issued a statement notifying Tennesseans of their right to
request a deletion. So talk to me about how you were moving
forward with these deletion requests.
Mr. Selsavage. At 23andMe, any one of our customers at any
time can delete their data. For our customers, it's a simple
process. All they need to do is log into their account at
23andMe, go to their settings, and request their account to be
deleted. That process is automatic. We do ask for their date of
birth just as an additional verification measure. And we've
complied with those deletion requests and over--you know,
through--you know, through the bankruptcy process and prior to
that.
Senator Blackburn. And when they delete their account, they
are also deleting their biological sample. Is that correct?
Mr. Selsavage. If a customer has consented to--for us to
biobank their saliva sample, we will also delete and destroy
that saliva sample----
Senator Blackburn. Thank you.
Mr. Selsavage [continuing]. Upon their request to delete
their data.
Senator Blackburn. I yield back.
Senator Cornyn. Senator Klobuchar.
Senator Klobuchar. Thank you. I think I will start by
following up with Senator Blackburn's good questions. And by
the way, thank you, Mr. Klein, for mentioning the need for a
general privacy bill, which we badly need.
So on this deletion issue, it is my understanding that 1.3
million consumers asked 23andMe to delete their genetic data.
Many faces technical issues. So how long is the backlog right
now? And what are you doing to make sure all the requests are
fulfilled?
Mr. Selsavage. Senator, the good news is that today there
is no backlog, that we are current on all of the deletion
requests. What did occur, you know, is when we filed for
bankruptcy and, you know, many State attorneys general
requested--or suggested to consumers that they delete their
data at 23andMe. We did receive a significant amount of
deletion requests. We quickly added additional staff and, you
know, basically were able to reduce that backlog.
Senator Klobuchar. Thank you. And will you commit to
ensuring that consumers will retain their right to have their
genetic data deleted after the bankruptcy sale is completed by
making deletion rights a condition of the sale?
Mr. Selsavage. Both of the bidders and, you know, the
bankruptcy sale of 23andMe, both Regeneron and TTAM Research
Institute, have agreed to adopt the policies of 23andMe, the
privacy policies----
Senator Klobuchar. So the answer is yes?
Mr. Selsavage. So, you know, the answer is yes.
Senator Klobuchar. Okay. During the bankruptcy process, how
is 23andMe ensured consumers could decide how information is
used and for what purposes since that is what your website has
promised consumers?
Mr. Selsavage. Our consumers consent not only to a terms of
service, a privacy policy, there are also separate consents for
our customers to--if they so choose, to engage in research at
23andMe and yet a--and then a separate consent to allow us to
engage with research with third parties. And, you know, we make
sure that customers have the right to actually opt in. We don't
default those. Customers are actually clicking yes, they will
want to conduct--or enable their data to be used for research
purposes. Many customers understand these are important for
understanding disease and genetic conditions and lifesaving
medical treatments.
Senator Klobuchar. Thank you. Professor Cohen, it is my
belief that the privacy policies aren't meeting the privacy
needs of consumers during bankruptcy. That is why I have worked
with Senator Cornyn. I appreciate his leadership, and Grassley,
to give consumers control over their genetic data with our
bill, Don't Sell My DNA Act. Why is it so important that we
require consent from the consumer before their genetic data is
sold to another company with which they have no prior
relationship?
Professor Cohen. People are engaged in a trust
relationship. You know, if my father gave me access to his
medical records and says, son, I want you to look at this and
be careful with this, and I went ahead and said, let me give it
to somebody else without asking my dad, you'd look askance at
what I was doing. The same thing is happening here. They're
essentially transferring data and transferring a trust
relationship to a new entity, and people have the right to know
who they're dealing with and the right to consent to it.
Senator Klobuchar. Do you believe that the right to control
one's personal genetic information should take precedence over
maximizing returns for creditors in a bankruptcy proceeding?
Professor Cohen. Well, I think that it would be nice for
the creditors to get paid, Senator. In this instance, I think
this information is so sensitive and so important, it's really
important to protect people's information.
Senator Klobuchar. Okay. Thank you. And Professor Gotberg,
do you believe that the current consumer privacy ombudsman
system in bankruptcy proceedings is sufficient to protect
consumers' most sensitive information?
Professor Gotberg. So the consumer privacy ombudsman is
appointed to help the court in weighing the costs and the
benefits of any particular sale of assets. If you permit
consumer--privacy--personal consumer data to be sold outside of
bankruptcy, it's permissible inside of bankruptcy as well. And
so the consumer privacy ombudsman is just trying to weigh what
would be the negative effects of that sale.
Without an understanding of the price of privacy, so to
speak, that's a very hard balancing act to perform. To my
knowledge, there's been no final litigation to determine what
the damages would be for an individual to have their privacy
violated in that way, so it makes it really hard for the
consumer privacy ombudsman to have an effective role there.
Senator Klobuchar. Okay. And sort of to end where I began
with Mr. Klein's point, why is it so important that Congress
enact a comprehensive privacy law? By the way, the same
companies that were lobbying against one, because I am also on
the Commerce Committee, say 10 years ago now want one because
of the patchwork of laws that we now have in our States, which
is very predictable, which I hope people will realize that we
need some AI rules of the road in place and tech rules of the
road in place. And it is just the worst, that people just think
they can lobby against things, and then all of a sudden they
are like, oh no. So tell me why we need a privacy law and how
that would have helped here.
Professor Gotberg. So a greater predictability for
companies when they're entering into agreements with consumers
would be--is always beneficial. So if companies know what the
legal limitations are, then they can take that into account and
creditors can take that into account whether an asset will be
available before lending to the debtor. So it's important to
have that law in place inside and outside bankruptcy.
Chairman Grassley. Oh, I am sorry. I didn't mean to
interrupt you. I thought you were done.
Senator Klobuchar. Well, good. No, I am not going over my
time. Done.
Chairman Grassley. Senator Moody.
Senator Moody. Thank you, Mr. Chair. And thank you for
conducting this hearing and for all of our witnesses that have
taken time to be here. These are complex issues and certainly
we appreciate your expertise on the matter.
I think any American sitting at home when they learned of
this bankruptcy that had submitted information to 23andMe was
probably, you know, terrified and had never thought about what
would happen to their information. So it is not just
policymakers that are worried about this. I think people all
around the United States are now concerned of what happens to
their very sensitive personal information.
And I think this is going to affect everything from data
privacy to national security to potential biotech threats. And
we cannot overState the threat to this Nation and to people
individually. I think it is both going to be from a national
security concern, but also private companies getting access to
some of this data.
I appreciate the shoutout to Florida. Florida does lead in
many of these policy areas. We are not afraid to diligently dig
in and take action quickly to protect people and their rights,
and thank you for acknowledging that. In fact, right now, as we
sit here, it is not illegal for insurance companies, life,
disability insurance to inquire about, get access to your
genetic information in all 50 States except Florida, and so we
appreciate that.
And I think it is going to be imperative that this body, as
we are presented with the sale of companies that have access to
this information--and it is not just 23andMe. There are going
to be other companies that get access to genetic information to
be used in business models, to develop strategies to maximize
profits, whether that is from their everyday course of business
or whether that is selling of assets. We are going to have to
deal with how the exchange of genetic information of Americans
is protected and whether it can even be treated as an asset.
And I want to start first, sir, we appreciate you being
here, and I know you have the best of intentions, you have
said, as it relates to the assets. And you consider the genetic
information of Americans to be assets?
Mr. Selsavage. The genetic information belongs to the
consumers and--you know, basically, and it is a very valuable
asset to those consumers, yes.
Senator Moody. But to 23andMe, you considered that to be an
asset?
Mr. Selsavage. It is an asset to 23andMe, yes. I mean----
Senator Moody. And in terms of valuing your business moving
forward or valuing your particular parts of your assets in a
bankruptcy, that is one core asset?
Mr. Selsavage. Senator, we did not value that asset, you
know, per se as part of the bankruptcy. However, the bidders
are looking at that and placing a value on it.
Senator Moody. A bidder wanting to buy your company is
assessing whether or not they can buy that data as part of how
much they are going to pay you?
Mr. Selsavage. Yes.
Senator Moody. And the more customers that delete their
information, the less of that asset is available to transfer is
what you are telling us today?
Mr. Selsavage. Senator, you know, for us at 23andMe, we've
let the buyer----
Senator Moody. Yes or no. And you are deleting that data,
and once you sell an asset off, will it be less of an asset to
sell?
Mr. Selsavage. There will be less customers with genetic
information in our data base as people delete them, yes.
Senator Moody. So the customers that don't get this notice
across the United States, the warnings from the attorneys
general that this is a problem, you need to delete your
information, if they have moved and they don't get the notice
and they don't delete it, they are part of the asset group that
goes to the other country, right?
Mr. Selsavage. Senator----
Senator Moody. Or goes to the other--could be the other
country, I am sorry, the other business.
Mr. Selsavage. Senator, we have provided notice to all of
our customers of the bankruptcy proceedings. And this week, we
will be providing notice of the sale of the company to either
Regeneron or TTAM Research Institute. And at all times, our
customers have complete control over their data. They have the
right----
Senator Moody. Except for the ones that didn't get notice
and don't know about the sale, right?
Mr. Selsavage. Senator, with all due respect, we are doing
everything we can to make sure all of our customers get that
notice of the bankruptcy and of the sale. We are--we've emailed
them----
Senator Moody. I heard that you have the best intentions.
So I am also hearing that we might need to modify Federal law
to address these intentions because when you are talking about
the sale, you list that you will not sell to any countries of
concern on your website. But I guess all other foreign nations
could presumably offer to buy, right, if they're not a country
of concern in your mind?
Mr. Selsavage. Senator, you know----
Senator Moody. Yes or no? Your limiting the exclusion of
those to countries of concern.
Mr. Selsavage. We are limiting the sale of assets to any
foreign adversary to the United States, any companies in those
countries.
Senator Moody. But another foreign adversary could buy this
information--or excuse me, another foreign nation-state could
buy this information and sell it to a foreign adversary.
Nothing prevents that, right?
Mr. Selsavage. Senator, with all due respect, we have only
two bidders left here, and both are American enterprises. Both
Regeneron is a public pharmaceutical company here based in the
U.S. and TTAM Research Institute also is an American
foundation, you know, founded by the former CEO and co-founder
of 23andMe----
Senator Moody. At the core of it, I understand you are
saying right now there are only two bidders left, but under
Federal law and under what your best intentions are permitting,
it could have allowed for a foreign State to buy these assets,
nothing would have prohibited that, and selling it to a foreign
adversary, correct? Nothing in federal law would have prevented
that.
Mr. Selsavage. Senator----
Senator Moody. Correct?
Mr. Selsavage [continuing]. I am not a lawyer, but I do
believe there are regulations, and there would have been
different oversight if any of the assets were sold to anyone
outside of the United States. And----
Chairman Grassley.
[Off mic.]
Senator Moody. Thank you, Chairman Grassley.
Chairman Grassley.
[Off mic.]
Senator Coons. Thank you, Chairman Grassley, and thank you
to each of the panelists for coming here today and testifying
on this important issue. It is particularly valuable that you
are here to shed light on two issues important to our Nation,
to our families, and frankly, also to my home State of
Delaware, namely, bankruptcy and data privacy.
As I am sure some of you know, Delaware is the most popular
State in our Nation for corporate incorporation, which also
makes it a prominent bankruptcy jurisdiction. Delaware also is
one of a small handful of States that has enacted robust data
privacy protection laws, making it a potential model for
federal legislation on data privacy, particularly in the
context of bankruptcy.
I do think it is critical that we strike the right balance
between safeguarding data and personal information and
maintaining a bankruptcy system that makes creditors whole and
gives debtors a fresh start.
If I might, Professor Gotberg, is a prospective buyer in
bankruptcy legally required to follow 23andMe's current privacy
policy?
Professor Gotberg. So the privacy policy is a contract----
Senator Coons. Right.
Professor Gotberg [continuing]. So contracts are
enforceable as between the two parties. In law school we like
to teach that a contract is a promise to perform or to pay
damages. So a company that undertakes a contract, if they don't
perform, would open itself up to a lawsuit for damages. That's
true for 23andMe, and it would be true for any subsequent
buyer. Whatever the buyer agreed to do would just be a
contract. It wouldn't be--there would be no enforcement
mechanism to force them to comply. They could just choose to
breach.
Senator Coons. Nothing other than damages enforces that
contract. And is there anything in the bankruptcy code that
specifically addresses the transfer and use of highly sensitive
personal data?
Professor Gotberg. In that situation, that is where the
consumer privacy ombudsman could be appointed.
Senator Coons. Could be.
Professor Gotberg. Right, but in that situation, their role
is primarily to advise the bankruptcy judge to weigh the costs
and benefits of any potential breach of a privacy policy. So
again, without being able to put a number on what that--those
damages are, what the cost is for a violation of privacy, it
actually becomes a pretty difficult weighing exercise.
Senator Coons. Is there any relevant precedent?
Professor Gotberg. I don't know that it's ever been
litigated. I haven't seen anything.
Senator Coons. Me neither. Professor Cohen, Delaware and a
few other States have enacted strong data privacy laws designed
to regulate entities that control sensitive data, give
individual consumers the right to access, correct, or delete
certain data. How can my colleagues and I do something similar
at the federal level and specifically in the bankruptcy context
to ensure sensitive data doesn't end up in the hands of the
wrong people or the wrong country as a result of a bankruptcy
proceeding? And what is your view on the Don't Sell My Data Act
where I have joined Senators Grassley, Cornyn, and Klobuchar as
a co-sponsor?
Professor Cohen. So I think the Don't Sell My Data Act is
exactly the right idea here. I will say that I think that the--
what's important is this idea of affirmative consent. That's
what is central to the bill upon the transfer. And again, we
still really haven't heard a good reason why we can't go back
to all of these people and ask them, can you affirmatively
consent to the transfer of your data to Regeneron or TTAM? So I
would love to see Congress push that and push it beyond
bankruptcy to other kinds of sales of information as well.
Senator Coons. Let me ask you a question about affirmative
consent. Part of the market value of 23andMe is a service that
is individually genetically identifying that gives you
information about, honestly, one of the most private things
there could be, which is whether or not you are susceptible to
certain diseases, what is your genetic ancestry, that sort of
thing. Would it not stand to reason that although logistically
challenging, going back to every individual who has given their
personally identifying genetic information to 23andMe and
affirming their consent would actually, in the end, build their
market value by reinforcing that this kind of a service is
something where people can count on it to protect their data
privacy, regardless of whether there are damages available?
Professor Cohen. I think if you build your company on a
reputation of trust and a reputation of autonomy and empowering
people, this is exactly the thing you want to sell to customers
to say, we believe so much in what we say that we're even going
to do this upon sale or bankruptcy.
Senator Coons. And I understand how it might be complex or
expensive, but in the end, I think it ultimately serves the
entire segment of personally identifying genetic consult
because it builds trust.
Thank you, Mr. Chairman. Thanks for a chance to question.
Chairman Grassley. I will take my turn now. I am going to
start with Mr. Selsavage.
In 23andMe's March 23 press release, the company indicated
that data privacy would be ``an important consideration in any
potential sale.'' But when there was a motion to appoint a
consumer privacy ombudsman in the bankruptcy, 23andMe first
opposed the appointment of an independent ombudsman to ensure
that genetic data was protected in the sale. Why did the
company oppose appointing a privacy ombudsman?
Mr. Selsavage. Yes, Mr. Chairman, 23andMe was the first to
suggest that the bankruptcy court appoint a customer data
representative, which would look at the privacy issues in this
particular bankruptcy case. 23andMe, at the time, did not
believe that a consumer privacy ombudsman was needed. And the
reason--the differentiation there is a consumer privacy
ombudsman is required in bankruptcy when, you know, there's a
change in the privacy policy from one company to the next.
In this particular case, you know, we, as part of the
bidding process for 23andMe, were requiring that any company
that was considering acquiring 23andMe's assets, including its
data base and our customers, would be required to retain the
privacy policies and consent going forward.
Chairman Grassley. I think that answers that question. So
is 23andMe's priority to sell consumer genetic information to
the highest bidder or to ensure that the genetic data it has
collected will be protected according to existing privacy
policies?
Mr. Selsavage. Mr. Chairman, our customers' data and
privacy is, you know, a top priority in this process, you know,
at 23andMe and for the special committee overseeing this
process. It is not just the highest bidder. We are--have
required that, you know, basically any bidder, as I said, and
the two remaining bidders have affirmatively said that they
would actually continue those privacy policies and consent and
put that in writing in their asset purchase agreements or
contracts to buy the company.
Chairman Grassley. Also to you, the point of bankruptcy is
to ``marshal assets in a way that maximizes their value for the
benefit primarily of creditors and then once creditors are paid
for owners.'' And in your written testimony, you agree with the
aim of maximizing the value of the business for stakeholders,
but placing as little restrictions on the customer data as
possible makes the data more valuable to the buyer. Would you
characterize genomic data as a bankruptcy asset?
Mr. Selsavage. Mr. Chairman, you know, I believe that the
genomic data is an asset and, you know, we have--23andMe is
treating it--and not only maximizing the value for our
creditors and our shareholders, but also, you know, one of the
most important pieces--parts of 23andMe is our customers and
our customers' trust, and we are putting their privacy and
their security as part of that process and it is top of mind
for the company and special committee overseeing this process.
Chairman Grassley. Okay. Based upon your ``yes'' answer,
isn't your duty to protect consumer data in tension with your
duty to maximize the value of the estate asset?
Mr. Selsavage. I think we are looking at both of those
duties combined, Mr. Chairman.
Chairman Grassley. So I think you are saying that consumer
data doesn't have a higher value than the estate. So aren't you
a little bit in conflict with some other things you said here?
Mr. Selsavage. You know, basically protecting our
consumers' data and their privacy and their consents as part of
this process is a large consideration and, as I mentioned, it
is not just accepting the highest dollar amount for the assets.
Chairman Grassley. My last question will be, Mr. Klein, in
2019, the DOD advised members of the armed services not to use
direct-to-consumer genetic testing devices. The guidance noted
the risk of mass surveillance and the ability to attract
individuals without authorization. How could foreign
adversaries use either the personalized or the aggregated
genetic information of U.S. servicemembers to harm U.S.
interest in military operations?
Mr. Klein. Thank you, Senator. Well, we know that
intelligence services and police agencies like the FBI use
genetic data to identify people of interest, and foreign
adversaries certainly have a great interest in members of our
military, where they go, what they do. So that would certainly
be a concern for me, and we can be assured that they are
looking at that and trying to use our servicemembers' genetic
data.
You also mentioned aggregate. Large datasets have great
value today for training AI models. China is trying to build
large datasets in every conceivable area, but they have some
gaps. One of those gaps is that their population is not
genetically diverse, and so they may have a large number of DNA
profiles in their country, but they don't have the diversity
that we have. And that genetic diversity is very helpful if you
want to train a model that is predictive for things benign,
like biomedical research, but also things malevolent, like
bioweapons research. We don't want them to build out their data
base of DNA profiles with the diverse and rich datasets that we
have here in America.
Chairman Grassley. Senator Schiff.
Senator Schiff. Thank you, Mr. Chairman.
Professor Gotberg, California has already passed
legislation that went into effect in 2022 requiring direct-to-
consumer genetic testing companies like 23andMe to obtain
Californians' express consent for the collection, use, or
disclosure of their genetic data. Under this law, Californians
are also able to delete their accounts and genetic data and to
destroy the biological samples they provided to these
companies.
In the context of 23andMe's bankruptcy, can Californians
still exercise these deletion rights, or does the bankruptcy
process somehow interfere with, override, or otherwise affect
our State's privacy protections?
Ms. Gotberg. Thank you. Bankruptcy proceedings do not
override any applicable law. So State law and Federal law are
recognized in bankruptcy proceedings. Whatever rights your
consumers have outside bankruptcy, they'll have inside
bankruptcy in terms of their legal rights.
Senator Schiff. And if the data base, 23andMe's data base,
is sold as a bankruptcy asset, what obligations would the
acquiring company have under Federal or California law to
maintain those same security standards?
Ms. Gotberg. So the same laws that would apply now to
23andMe would presumably apply to any buyer.
Senator Schiff. And so even if this is not a California
company operating in some other State, they would still be
bound post-bankruptcy to California's privacy standards?
Ms. Gotberg. To the extent that California privacy
standards apply, yes, they would.
Senator Schiff. And is a commitment made by an acquiring
company somehow enforceable, apart from California's law, vis-
a-vis residents of other States, is a promise made by an
acquiring company somehow legally enforceable, or is it only as
good as the person's intention to comply with that commitment?
Ms. Gotberg. So contractual promises are enforceable up to
the point that they can be enforced. That's not a great answer,
but again, our statement is a contract is a promise to perform
or to pay damages. It's possible for parties to breach that
agreement, in which case the party that--on the other side of
it would be entitled to damages for the harm that they've
experienced. But without----
Senator Schiff. You know, let's say I am acquiring
23andMe's dataset. I commit to maintaining the deletion
provisions, et cetera, complying with California law even if it
is not required somehow. I acquire the dataset, I don't
comply----
Professor Gotberg. Right.
Senator Schiff [continuing]. Has my offer to comply or my
commitment pre-bankruptcy, has that somehow turned into a
binding contract with the owners of the genetic data, the
people who have the genetic data?
Professor Gotberg. So it would depend on who you were in
privity with, I guess, in terms of the contract, to use, I
guess, a fancy legal term. A contract is between two parties,
and so you have to have an agreement between those two parties.
And I guess the question in those situations, if you were
promising to abide by the commitment, who would be on the other
side of that promise? Who would be able to enforce it?
Senator Schiff. Right. Well, it would sound like the
consumer would not be on the other side of that promise. It
would be more one of the parties to the bankruptcy, which then
we would be then relying on them to enforce that promise. Does
that analysis make sense?
Professor Gotberg. That makes sense to me.
Senator Schiff. And what controls are in place, Mr.
Selsavage--maybe I can ask you this question. What controls are
in place to prevent any unauthorized access or misuse of
information during the bankruptcy proceedings?
Mr. Selsavage. 23andMe is--you know, basically places data
security and data privacy as top of mind. You know, we
basically have continued to maintain a strong system of
security, making sure all of our data is encrypted. You know,
the genetic data is stored separately from any consumer
identifying information identifying who that genetic data
belongs to. We have enhanced our security processes, especially
around bankruptcy, understanding that there is additional
threats. And, you know, basically from--on the consumer side,
you know, we have since enacted two-factor authentication to
access--so basically, there is a second level of either an SMS
text message or an email verification when somebody is trying
to access their account and then placed additional restrictions
if sensitive----
Senator Schiff. If I could just interrupt with one last
question because my time is going to expire. How do we know
that an acquiring company or entity or person would maintain
the same security standards that you have over privacy and even
those standards were subject to hack?
Mr. Selsavage. Senator, the good news here is there is two
potential buyers at this point for 23andMe. The first is
Regeneron, an American $55 billion market cap pharmaceutical
company who actually has data security over genomic data today.
And TTAM Research Institute would be--which would be
maintaining the same security standards as 23andMe.
Senator Schiff. Thank you, Mr. Chairman.
Chairman Grassley. Senator Britt.
Senator Britt. Thank you, Mr. Chairman.
To followup on the Senator's question, so would you commit
today to the same privacy standards that you have demanding
those of the company that purchases 23andMe? Do not sell unless
they keep the same privacy standards that you have?
Mr. Selsavage. Yes, that is a requirement, you know,
basically of any--of the two buyers, and they have put that in
their asset purchase agreement.
Senator Britt. Excellent. And tell me, what all do you test
for?
Mr. Selsavage. You know, 23andMe tests for, you know,
basically a significant level of, you know, genetic traits,
ancestry, and health conditions. We actually, as part of our
process, test over 600,000 variants through our testing
process.
Senator Britt. Okay. So you are able to tell somebody maybe
it is predictability of potential disease and other things?
Mr. Selsavage. And while we can't definitively say that
that person will get the disease, we can highlight risk--and
basically when people are at higher risk for certain diseases.
Senator Britt. And so do you test for sex?
Mr. Selsavage. You know, as part of our testing, we do
identify if the DNA showed that the--if the individual is male
or female.
Senator Britt. And male is XY chromosome?
Mr. Selsavage. That is correct.
Senator Britt. And female XX?
Mr. Selsavage. Correct.
Senator Britt. On your data base though, you go into saying
that if people self-identify of another gender, that you will
attempt to give them a prognosis of the gender that they
identify with versus the gender that they test for?
Mr. Selsavage. Senator, I'm not aware of that----
Senator Britt. Oh, yes, you do. So it says, ``We understand
that sex is not always binary and the words male and female may
not accurately reflect an individual's identity. We also
recognize that being categorized by birth sex may be an
uncomfortable or triggering experience to some, and we do not
mean to delegitimize anyone's gender identity or expression. We
use your self-reported sex to customize your health and trait
reports. For example, genetic risk and what they may mean
differ between men and women.'' So men and women are different,
right? I mean, you say that here. We just talked about the
genetic testing.
But then you go on to say, ``If you tell us you are female,
your reports will contain information that is relevant to
genetic females XX. If you tell us you are male, your reports
will contain information that is relevant to genetic males XY.
Additionally, there are some sex-specific reports that are
available on individual selected profile sex such as male hair
loss or bald spot. That is because either we are not able to
build out an acceptable model for both genders or because the
trait is actually sex-specific.''
And so I guess I am wondering, did you test--like if it is
a genetic female that identified to you as a male, would you
test them for male pattern baldness?
Mr. Selsavage. Senator, you know, we--as you mentioned, we
actually do--the customer does report to us, you know, what
they believe their sex is, and we test against that, as well as
what we found in the DNA as--testing as well.
Senator Britt. I think probably the DNA is what is best for
predicting actual future disease or harm or what may come, good
or bad, for the individual.
On that note, you have about 15 million customers. Is that
right?
Mr. Selsavage. That's correct.
Senator Britt. Okay. Of that, how many are kids?
Mr. Selsavage. How many are kids?
Senator Britt. Yes.
Mr. Selsavage. Senator, I don't know that number.
Senator Britt. So you don't know. From what I read on your
website, obviously, parents can agree to have their child's DNA
tested. Is that correct?
Mr. Selsavage. That is correct.
Senator Britt. So you don't know? Of the 15 million people,
you don't know how many of those profiles are under 18?
Mr. Selsavage. I don't have that information with me today,
but I'd be happy to take that back for----
Senator Britt. Do you have a guess?
Mr. Selsavage. I don't have a reasonable guess, Senator.
Senator Britt. Sir, I think we have to be vigilant when it
comes to children and their DNA. We have talked today about all
of the potential risks that can occur from privacy to security
risk, obviously, blackmail, amongst a number of things. Would
you commit to me today that in the sell, you will sell no
child's DNA under the age of 18, that you will delete that
account?
Mr. Selsavage. Congressman--or Senator, I will take that
back and will review that.
Senator Britt. I think you absolutely should. And on that
note, when it comes to bankruptcy, Professor, tell me, you
know, when you look at a privacy ombudsman in this space, when
you are looking at minors, children, what type of protection is
currently in place, and what do we need to be doing as
Congress? And actually, I would like to open this up to
everybody to ensure that children are protected in this space.
Professor Gotberg. My understanding is that there are
specific laws protecting children's information. I'm not an
expert on those laws, but whatever laws exist outside of
bankruptcy are enforced inside of bankruptcy as well.
Senator Britt. Do you all have another--I would love your
thoughts.
Professor Cohen. You know, for human subjects research, we
have special rules for the children population, and that might
be a place to look for some comparisons.
Senator Britt. Do you have anything, Mr. Klein?
Mr. Klein. Well, as a father, I can say that I think we all
struggle with how much of our children's data or how much of
our children's lives to digitize, and so there's also a degree
of parental responsibility. And when it comes to health, these
are very tough choices sometimes for all of us.
Senator Britt. Absolutely. Thank you, Mr. Chair.
Senator Hawley [presiding]. Senator Padilla.
Senator Padilla. Thank you.
Now, colleagues, the witnesses today have explained that
our bankruptcy process is primarily designed to maximize
creditor payouts and ensure that a business, where possible,
can continue to operate. It is not designed for other goals,
but it is often called upon to fulfill other goals. Here, the
bankruptcy process is not just required to protect consumer
privacy, but also to protect our national security interests.
Professor Klein, what protections are built into the
bankruptcy process to prevent foreign adversaries from taking
advantage of the process to access sensitive information? Other
concerns are generally raised, but, you know, we are talking
about a specific area of the law, bankruptcy law here, whether
we are talking about personally identifiable information or
national security sensitive information?
Mr. Klein. Thank you for the question, Senator. And this is
one area where there actually have been encouraging changes. We
are not defenseless. In the FIRRMA law back in 2018, the
Congress did give the Committee on Foreign Investment in the
U.S. the ability to reach into the bankruptcy process and block
sales and transactions, something that it previously hadn't had
within its jurisdiction. As you all know, that body in the
executive branch is one of our main protections against key
intellectual property, sensitive data, and so forth, slipping
out the back door to foreign adversaries.
Senator Padilla. And how much of the sensitive information,
if any, can potential buyers access before a sale becomes
final? They are obviously doing due diligence in the process of
making these decisions.
Mr. Klein. That is a great question, Senator. I would refer
that to the bankruptcy experts on the panel.
Senator Padilla. Anybody?
Professor Gotberg. So can you repeat your question?
Senator Padilla. How much access to this very sensitive
information, whether it is personal sensitive information or
national security sensitive information can a potential buyer
access before a sale becomes final? Or is this an area where--
--
Professor Gotberg. So there----
Senator Padilla [continuing]. Legislative action is needed?
Professor Gotberg. Within a bankruptcy proceeding, there is
an allowance for due diligence. I think the procedures for that
will be determined by the bankruptcy court and may differ from
case to case. To the extent that there is no protections
outside bankruptcy law, I don't know that there's--you know,
bankruptcy law does not produce additional protections that
wouldn't otherwise exist.
Senator Padilla. So a potential area for needed
congressional action is what I am hearing. Since we have an
expert before us, at what point in a bankruptcy process can
CFIUS get involved? And do you have any recommendations about
whether they should be involved earlier in the process?
Professor Gotberg. So I'm afraid you will have to explain
what CFIUS is to me.
Senator Padilla. All right, Then we have an expert here. It
is okay. It is okay. We will do a followup with you because my
time is limited. I want to get to another topic, which is
national security and biotechnology. I recently served as a
member of the National Security Commission on Emerging
Biotechnology, and our findings in a recent report found that
the United States has historically not treated biological data
as a strategic asset like our agricultural base, our oil
reserves, despite its importance in advancing biotechnology and
AI.
Back to Professor Klein. What is your assessment of the
CCP's effort to sweep up as much biological data that they can
of Americans and of our allies and partners abroad to advance
their own domestic biotechnology ambitions?
Mr. Klein. Well, I think we've seen, Senator--and thank you
for the question--their ambitions are comprehensive. They want
to dominate in critical sectors. They want to use information
like this to enhance their military prowess, and potentially,
and very worryingly, given the tension between our countries,
to conduct asymmetric, unconventional attacks, potentially
including biologic attacks.
I'm sure you all saw that just in the past 2 weeks, the
Eastern District of Michigan U.S. Attorney's Office has
indicted two separate sets of Chinese national defendants on
smuggling biologic materials into the United States. We've also
seen the report on the Reedley Biolab out of the House Select
Committee where a person of Chinese nationality, citizenship,
was in California running an unregistered biolab. We don't know
exactly what was going on there.
Some of these reports are very disturbing. We don't have a
complete picture, but we know that the system, as the 9/11
Commission put it, is blinking, if not red, at least dark
orange, and we need to have the imagination--and I'm glad this
Committee's doing it, to foresee how they might conduct
unconventional attacks against our homeland in the event of an
armed conflict.
Senator Padilla. Do you have any recommended actions for
this Committee or Congress as a whole to take to better protect
our biological data while striking the important balance of
promoting scientific research that depends on these datasets?
Mr. Klein. Yes, thank you, Senator. And bankruptcy is one
vector. We're all covering down on that today. Cyber security,
cyber attacks is another major vector. We know that it is very
hard for companies to defend against a nation-state level
attack, but we can at least make it harder for them. We can at
least force them to expend their very best, most exquisite
exploits to try to get in and spread those techniques that they
have as thin as possible.
But I will also flag one other vector, insider threat. This
is something that those of us who have led organizations in the
Government dealing with classified material worry about every
day, but it's also true in the private sector. Companies do not
have the same comprehensive security clearance standards or
personnel vetting standards that government organizations are
supposed to.
There are some private sector actors that are starting to
help, for example, defense industrial-based companies do this,
but if an insider who has authorized credentials inside a
company wants to take out a bulk dataset, whether it's genomic
data or weapons designs, what does that company have in place
to prevent that exfiltration? That's another very problematic
vector.
Senator Padilla. Okay. Thank you so much.
Thank you, Mr. Chair.
Senator Hawley. Mr. Selsavage, if I could just start with
you. So how many customers do you have approximately?
Mr. Selsavage. Between 14 and 15 million customers.
Senator Hawley. Between 14 and 15 million. I think you told
Senator Britt just a minute ago that a goodly number of those
are minors. Is that correct?
Mr. Selsavage. What I said was I don't have the number of
customers that are----
Senator Hawley. You have the genetic data of a good many
minors. Is that correct?
Mr. Selsavage. We have genetic data for a particular number
of minors, and I will be providing--happy to provide----
Senator Hawley. People under the age of 18. Is that
correct?
Mr. Selsavage. That is how I am defining a minor.
Senator Hawley. So your customers--I just want to make sure
I understand your business model. Your customers give you their
genetic information for you to run various tests on. Is that
right?
Mr. Selsavage. Yes, that is correct.
Senator Hawley. And I mean, that is pretty sensitive stuff,
isn't it, somebody's genetic information? Is there anything
more personal than that?
Mr. Selsavage. I would agree with you, Senator, that
genetic data is sensitive information.
Senator Hawley. And so now you are just going to sell all
of it, 15 million people, bunches of kids, maybe millions. It
is just going to be sold in the open market?
Mr. Selsavage. Senator, you know, the good news, as I
mentioned, is that the two bidders are buyers for the company.
One is Regeneron, which is an American company.
Senator Hawley. That is the big pharma company?
Mr. Selsavage. Big--it is a----
Senator Hawley. It doesn't make me feel any better.
Mr. Selsavage. It is a large pharmaceutical company.
Senator Hawley. All right. So you are going to take 15
million Americans' genetic information, and you are going to
sell it to somebody. And your message to us is today, trust us,
it will be fine. Maybe it is a big pharma company. Maybe we
will get lucky. Maybe they will treat it right. I thought your
privacy code, your privacy commitment said that consumers had a
right not to have their information shared with anybody else
without their consent. I mean, I have got your privacy
statement right here. It says that without their consent, you
can't share their information. You are about to sell it.
Mr. Selsavage. Senator, that consent is, you know,
essentially for, you know----
Senator Hawley. Not real?
Mr. Selsavage [continuing]. Not shared for research
purposes, and we are not selling it for research purposes.
Senator Hawley. Ah, so when you tell the consumer, give us
your personal information, and we will take money from you, and
we won't give it to anybody without your consent, it is not
real. It just means, you know, maybe kind of depends on the
day.
Mr. Selsavage. Senator, you know, I will say that our
customers' data is their own. They have the right at all times
to access that information. They can edit it----
Senator Hawley. Well, sure they can, but you are about to
sell it to who knows who. They can't control it. You said to
Senator Moody that consumers have complete control of their
data, complete. How can they have complete control if you are
about to sell it without their consent?
Mr. Selsavage. Senator, they can delete that data anytime
up until the sale and after.
Senator Hawley. Oh, Okay. Okay. They can delete the data.
Have you fixed the ability of customers to go on your website
and delete it? Because right after you announced your sale,
your deletion page went down. I hold in my hand here an article
from The Wall Street Journal. ``23andMe's site goes down as
customers struggle to delete their data.'' Can they even get
onto your site to delete their data?
Mr. Selsavage. They can, Senator, and----
Senator Hawley. You fixed this?
Mr. Selsavage. That was an issue that--yes, we fixed
immediately after----
Senator Hawley. It is up and running now? Customers can go
on?
Mr. Selsavage. Customers can go on, and they can delete
their data----
Senator Hawley. What happens when they go onto your site to
delete their data?
Mr. Selsavage. When a customer logs into their account at
23andMe, they go to their settings page, and they--there's a
section there where just click ``delete my data.'' It confirms
that they want to delete their data, and it's deleted
automatically.
Senator Hawley. Is that true? Let's take a look. Let's take
a look.
Mr. Selsavage. Okay.
Senator Hawley. When they go onto your page, they get an
opportunity. It says ``permanently delete the data.'' So they
click the button that says ``permanently delete the data,'' and
then they get a notification that says ``Your account is no
longer accessible.'' If they can't access their account
anymore, how do they know their data has been deleted?
[Poster is displayed.]
Mr. Selsavage. Because we send them a notification that
their information has been deleted.
Senator Hawley. You send it once. And how long does that
take?
Mr. Selsavage. You know, our policies State that, you know,
we will delete their data within 30 days, and in most cases,
we--it is automatic and happens much more quickly.
Senator Hawley. And when you deleted it, it is deleted,
deleted. It is gone forever?
Mr. Selsavage. All the genetic data is deleted forever,
and--yes.
Senator Hawley. Really? Because that is not what your
privacy statement says in the fine print. Let's read it. What
your statement says is ``We retain personal information for as
long as necessary to provide the services and fulfill the
transactions you have requested to comply with our legal
obligations, resolve disputes, enforce agreements,'' et cetera,
et cetera. And then it goes on, ``23andMe and/or our contracted
genotyping laboratory will retain your genetic information even
if you choose to delete your account.''
Mr. Selsavage. Senator, you know, 23andMe, it does not
retain any genetic information regarding the consumer once they
delete their account. We do----
Senator Hawley. It says right here that you will retain
genetic information, including date of birth and sex, even if
you choose to delete your account. This is your privacy policy.
I am just quoting from it.
Mr. Selsavage. I'm--Senator, you know, to the best of my
knowledge, we do not maintain any genetic information.
Senator Hawley. It says, ``Even if you choose to delete
your account, we will retain.'' ``We will retain your genetic
information, date of birth and sex, even if you choose to
delete your account.''
Mr. Selsavage. There is some information that we do
retain----
Senator Hawley. Aha.
Mr. Selsavage [continuing]. But not related to the genetic
information.
Senator Hawley. Right.
Mr. Selsavage. But that--you know, such as name, email
address----
Senator Hawley. Oh.
Mr. Selsavage [continuing]. And other----
Senator Hawley. Ah. So even if--ah. Even if you delete the
account, you retain their name, you retain their email address,
you retain their date of birth, you retain their sex, and you
retain their genetic information even if they choose to delete
your account. So in other words--don't talk to your suit behind
you, talk to me. He is not testifying, you are.
You do not allow consumers actually to delete permanently
their data. And when you said a minute ago to Senator Moody, at
all times consumers have complete control of their data, that
is just not true, is it? By the terms of your own agreement,
that just is not true.
Mr. Selsavage. Senator, with all due respect, all of the
genetic data is deleted. We are only maintaining----
Senator Hawley. With all due respect, what you are telling
me is in direct contravention to what your own policy states.
``Even if you choose to delete your account.'' In fact, what
you do is you allow your consumers to delete their account
settings, but their data isn't deleted. You still have it. The
laboratory still has it. You have their name, you have their
date of birth, you have their sex, and now you are going to
sell it.
Here is my point. It is a pattern. Your consumers actually
aren't in control of anything. You are. You control their data.
You control their genetic information. Now you are about to
sell it. You promise them we won't ever sell it without your
consent, but you are doing it. You promise them we will allow
you to delete it, but you don't. In fact, you have lied to
them, have you not?
Mr. Selsavage. Senator, we have not. We--I assure you that
we are deleting all of our customers who have requested----
Senator Hawley. No, you are not. You are not because your
policies say they are not, and you are not deleting it because
if you were, your company wouldn't be worth $300 million.
No, don't read from what your guy behind you is shoveling
talking points to you now. I don't want your talking points. I
have read your policies. I have seen what they are, and I tell
you what, it is amazing to me you are not getting your socks
sued off by your customers. I hope they will. I hope they will
rush to the courthouse, even as we are here today, to sue you
into oblivion for lying to them and taking their most personal,
identifiable information and selling it for a profit and lying
to them and to the American public.
Quite frankly, Mr. Selsavage, what you are doing here has
all kinds of implications, national security implications, all
of it, but nothing is worse than taking the personal,
identifiable information of American consumers and keeping it
and lying to them about it while you make a huge profit off of
it. It is unbelievable to me. It is absolutely unbelievable.
This concludes our hearing. I want to thank each of the
witnesses for taking the time to share your experience, your
expertise, and your perspectives.
Written questions can be submitted for the record until
Wednesday, June 18, at 5 p.m. I will ask the witnesses to
answer and return questions to the Committee within 2 weeks.
The hearing is adjourned.
[Whereupon, at 11:58 a.m., the hearing was adjourned.]
[Additional material submitted for the record follows.]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A P P E N D I X
The following submissions are available at:
https://www.govinfo.gov/content/pkg/CHRG-119shrg61889/pdf/CHRG-
119shrg
61889-add1.pdf
Submitted by Chairman Grassley:
Professors, testimony............................................ 2
Submitted by Ranking Member Durbin:
Center for AI and Digital Policy (CAIDP), letter................. 10
Professors, testimony............................................ 2
[all]