The collapse of 23andMe and its swift acquisition by Regeneron Pharmaceuticals has sent shockwaves through the tech and biotech sectors—not just for its financial implications, but for what it reveals about the fragile state of genetic data privacy.

With the personal DNA of over 15 million users now in the hands of a pharmaceutical giant, this high-profile case is a wake-up call: the world urgently needs stronger, unified laws to protect the most intimate form of personal data—our genetic code.

The recent bankruptcy and subsequent acquisition of 23andMe by Regeneron Pharmaceuticals has spotlighted critical vulnerabilities in the protection of consumer genetic data. With over 15 million individuals’ genetic information at stake, the transaction underscores the urgent need for robust global legal frameworks to govern the collection, use, and transfer of such sensitive data.

The 23andMe Acquisition: A Case Study in Data Privacy Challenges

In March 2025, 23andMe filed for Chapter 11 bankruptcy, leading to its acquisition by Regeneron for $256 million. The deal encompasses 23andMe’s Personal Genome Service, Total Health, Research Services, and a biobank containing genetic data from millions of users. Notably, the acquisition excludes 23andMe’s telehealth service, Lemonaid Health, which will be discontinued. Regeneron has pledged to uphold 23andMe’s privacy standards and cooperate with a court-appointed ombudsman to ensure ethical data handling .

However, the transaction has raised significant concerns among privacy regulators. The UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have jointly called for the protection of 23andMe customer data during and after the bankruptcy proceedings. They emphasized the necessity for compliance with UK GDPR and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), warning that they would take action if this data is not properly protected .

---

The Need for Enhanced Global Legal Protections

The 23andMe case highlights significant gaps in existing data privacy laws concerning genetic information. While regulations like the Genetic Information Nondiscrimination Act (GINA) in the U.S. provide some protections, they are limited in scope and enforcement. GINA, for instance, does not cover life or disability insurance, and enforcement is largely reactive, addressing issues after they arise .

Furthermore, the rapid advancement of biotechnology and data analytics has outpaced legislative efforts to safeguard consumer privacy. As genetic data becomes increasingly valuable for research and commercial purposes, the potential for misuse grows, necessitating comprehensive and proactive legal frameworks.

Recommendations for Strengthening Global Genetic Data Privacy Laws

To address these challenges, the following legal reforms are recommended:

1. Universal Genetic Data Protection Standards: Establish international agreements to create uniform standards for the collection, storage, and use of genetic data, ensuring consistency across jurisdictions.
2. Explicit Consent Requirements: Mandate clear and informed consent from individuals before their genetic data is collected or shared, with provisions for easy withdrawal of consent.
3. Enhanced Enforcement Mechanisms: Implement stricter penalties for non-compliance with data protection laws and establish independent bodies to oversee enforcement.
4. Consumer Education Initiatives: Promote awareness among consumers about their rights regarding genetic data and the potential risks associated with its misuse.
5. Cross-Border Data Transfer Regulations: Develop frameworks to regulate the transfer of genetic data across borders, ensuring that data protection standards are upheld internationally.

Conclusion

The acquisition of 23andMe by Regeneron Pharmaceuticals serves as a pivotal moment in the ongoing discourse on genetic data privacy. It underscores the necessity for comprehensive global legal frameworks to protect individuals’ genetic information from misuse and exploitation. As genetic data continues to play a central role in personalized medicine and research, the implementation of robust legal protections is imperative to maintain public trust and safeguard individual rights.

---

Call to Action:

Legal professionals, policymakers, and privacy advocates must collaborate to develop and implement comprehensive global standards for genetic data protection. By doing so, we can ensure that individuals’ genetic information is safeguarded against misuse and that their privacy rights are upheld in the face of advancing biotechnological research.