IAPP CPS 2024: OPC announces investigation into genetic testing company breach

During his opening keynote address at the IAPP Canada Privacy Symposium 2024, Privacy Commissioner of Canada Philippe Dufresne announced an investigation into the October 2023 data breach of genetic testing company 23andMe to be conducted jointly with the U.K. Information Commissioner's Office.

Dufresne said the scope of the investigation will entail a review of prior actions against the genetic testing company taken by the ICO and the OPC, respectively, to determine the extent to which genetic data was stolen and what company safeguards were in place to prevent such a cyberattack.

"Given the highly sensitive nature of genetic information, we will leverage our combined resources and expertise to examine the scope of information that was exposed by the breach and potential harms to affected individuals," Dufresne told CPS attendees. "In the wrong hands, an individual's genetic information could be misused for surveillance or discrimination."

"For these reasons, ensuring that personal information is adequately protected against attacks by malicious actors and others is an important focus for privacy authorities in Canada and around the world," he continued.

U.K. Information Commissioner John Edwards said his office looked forward to working with the Office of the Privacy Commissioner of Canada on the investigation.

"This data breach had an international impact," Edwards said in a statement. "People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place."

The 23andMe investigation represents part of a larger effort by the OPC to promote "privacy with maximum impact," according to Dufresne. Such promotion is also one of his office's three key priorities in its 2024-2027 strategic plan published in January.

In order to maximize the impact of effective data privacy practices, Dufresne reminded developers of new technologies, such as generative artificial intelligence, their products are still required to comply with current law. Additionally, he said he appreciated members of Parliament incorporating several of his 15 key recommendations into the proposed Bill C-27, the Digital Charter Implementation Act, as part of Canada’s federal privacy law modernization efforts.

"Protecting privacy with maximum impact means using existing laws to address the new increasing challenges," Dufresne said. "Another way that I see my office maximizing its impact is by advocating for law reform to better protect personal information and preparing to implement potential new privacy law for the private sector in Canada."

The two other main priorities the OPC's strategic plan lays out are "addressing and advocating for privacy in this time of technological change and championing children's privacy rights," Dufresne said.

To meet the legal challenges emerging technologies present, Dufresne highlighted the work of the Canadian Digital Regulators Forum, which he recently assumed the chair of, and indicated he looks forward to its work on generative AI. During his keynote address, he announced the forum was opening a consultation on privacy and age assurance.

Dufresne also provided a general update of the OPC's investigation into OpenAI, which is being conducted in partnership with several provincial data protection authorities and was originally announced at CPS 2023. While still ongoing, Dufresne stressed the OpenAI investigation remains a "top priority."

"In this investigation, we're examining compliance with the requirements under the relevant Canadian privacy laws in relation to consent, openness, access, accuracy and accountability," Dufresne said. "As well, the investigation is considering whether open AI is collecting using or disclosing personal information for an appropriate purpose."

In terms of the strategic goal of better protecting children's privacy, Dufresne used the example of the OPC's investigation into TikTok's data collection practices, which is also being conducted jointly with multiple provincial DPAs. He said part of the investigation entails reviewing TikTok's privacy policies and if it obtained meaningful consent to process personal data, and is "nearing completion."

To meet the goals outlined in the OPC's strategic plan over ensuing years, Dufresne opined society at-large cannot fall into the trap of a "zero-sum game" where privacy is forsaken for rapid technological development. He mentioned Canada's privacy reform efforts with Bill C-27 and general private-sector practices can help avoid the trap.

"I believe that achieving the goals set for these priorities will be a collective effort that relies on all of us in our various capacity so that we can create a future where innovation can flourish and where privacy is protected," Dufresne said. "And I would argue that innovation will flourish because privacy is protected."