Remember That DNA You Gave 23andMe?

Original Article ↗ Hacker News Discussion ↗

Scope of Legal Protection (GDPR, UK GDPR, HIPAA, etc.)

  • Major debate over whether and how GDPR/UK GDPR applies to 23andMe as a US company.
  • Several argue GDPR applies based on targeting EU/UK residents; others note enforcement against non‑EU entities is weak and cross‑border data transfer to the US is legally shaky.
  • UK has “UK GDPR,” similar but perceived as less aggressively enforced.
  • Some note 23andMe itself claims GDPR applicability for EU customers.
  • HIPAA is repeatedly called out as irrelevant here: 23andMe isn’t a covered healthcare entity; HIPAA also hasn’t prevented large medical data breaches.
  • US genetic nondiscrimination laws (e.g., against insurer use of genetic info) are mentioned, but people doubt their long‑term political durability.

Data Retention, Deletion, and Breaches

  • Users discuss GDPR/CCPA/other rights and tools to request deletion, but many are skeptical anything is fully erased, especially for a struggling company.
  • 23andMe reportedly keeps DNA, sex, and DOB to comply with lab regulations; posters question whether law truly requires this or if it’s self‑serving.
  • Concern that “deletion” often just means removing user access, not wiping all copies or backups.
  • Past major breach (millions of ancestry profiles) is cited; many assume data is already in broker or dark‑web ecosystems.

Risks and Potential Misuse

  • Fears: insurance discrimination, future rollback of protections, use by law enforcement, wrongful convictions via partial DNA matches, data sales to opaque analytics firms.
  • Some worry about future capabilities like designer pathogens targeting individuals, families, or ethnic groups.
  • Others are more sanguine: government likely has or will get everyone’s DNA anyway; name/face already enough to persecute; benefits (health markers, ancestry, relatives) outweighed risks for them.

Familial and Ethical Concerns

  • Strong resentment from some toward relatives who submitted DNA, since shared genetics allows inference about non‑participants, including “shadow” profiles.
  • Debate over whether your genome is purely “your” data versus a shared family resource that can harm others.

Technical Aspects & Business Reality

  • Clarification that standard 23andMe uses genotyping (≈1M variants), not full sequencing; nonetheless, imputation can infer much of the rest.
  • Some speculate samples are retained and could be fully sequenced later as costs fall.
  • Others doubt the data’s long‑term commercial value, suggesting acquisitions may find it less useful than hoped.