For all the talk about the value of personal data and the importance of protecting it, a newly announced US settlement for the mass data breach of genetic testing firm 23andMe shows just how much your privacy is actually worth: about the price of a cup of coffee.
The 7 million customers of the genetic testing company – which was once worth $8.5 billion ($US6 billion) but tanked after its clients’ personal DNA data was posted online in a major 2023 data breach – will share a settlement fund worth $46.2 million ($US32.5 million).
That’s an average of $6.60 ($US4.64) per user.
It’s a far cry from the figure floated by claims administrator Kroll after a preliminary settlement in January, when litigants were pursuing damages of $68.2 billion ($US48 billion) and Kroll promised “up to $14,200 [$US10,000]” each.
The final amount, just 0.07 per cent of that original claim, shows how much protracted legal haggling diluted the settlement – with a US Bankruptcy Court ruling calling the figure “within the range of reasonableness” given 23andMe was in “desperate financial condition.”
While conceding the amount is “modest relative to the scale of the data breach,” the court ruled that “given the magnitude of the [$US48 billion] recovery contemplated, prompt resolution… is essential… to bring the claims reconciliation process to an orderly conclusion.”
Litigating the original figure, the court noted, “would expose the estates to protracted, high-stakes litigation lasting months, if not years, requiring extensive discovery and the expenditure of millions of dollars… far better preserved for the benefit of stakeholders.”
That “benefit”, as it turns out, is an average payout that’s about enough to buy a latte at your favourite café – and a slap in the face for privacy regulators threatening to excoriate tech firms that violate individuals’ privacy.
Australian regulator monitors the action
Kroll has resolved 255,860 claims so far, but “thousands” are yet to be dealt with, the court noted in compensating that company $20.3 million ($US14.3 million) for its services – nearly half as much as what 23andMe’s victims will collectively receive.
23andMe’s problems aren’t quite over, with California’s attorney general announcing last month that it will sue Chrome Holding Co. – the legal corporate name of 23andMe – on behalf of 855,541 Californians compromised in the data breach.
Non-US victims of the breach, however, are expressly excluded from the settlement and will receive no compensation for having their personal data compromised, with the Office of the Australian Information Commissioner (OAIC) maintaining a watching brief.
“Although the OAIC is not taking action against 23andMe at this time, due to a range of considerations, we continue to monitor the issue and in particular the regulatory action being taken in other jurisdictions,” an OAIC spokesperson told Information Age.
“Any Australian considering providing genetic information to an organisation should carefully read its privacy policy, particularly when that organisation is overseas, to understand how their sensitive health information will be used and what they may be opting into.
“They should also consider how their information may be used in the event of the organisation ceasing operations.”

A US settlement for 23andMe's data breach will award affected customers an average of $6.60 ($US4.64) each. Image: Shutterstock
Some 155,592 UK users of 23andMe were hit by what UK Information Commissioner John Edwards called “a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK”.
Despite his rhetoric, the Information Commissioner’s Office (ICO) penalised 23andMe just $4.37 million (£2.31 million) for failing to “take basic steps to protect this information” – $28 per breach of sensitive data that, he said, “cannot be changed or reissued like a password.”
Canadian privacy commissioner Philippe Dufresne, whose office investigated 23andMe and worked with the ICO, said the work meant “we were able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”
A trust gap with Big Tech
Completion of the bankruptcy proceedings isn’t the end of the DNA data, however: 23andMe got a lifeline when co-founder and former CEO Anne Wojcicki last year led a $470 million ($US305 million) buyout of the firm through her non-profit TTAM Research Institute.
TTAM is described as a “nonprofit medical research organisation dedicated to helping scientists and non-scientists join together to unravel the mysteries of DNA”.
Since the compromised data is among the assets acquired by TTAM, victims of the breach may find that their DNA data continues to be used for other purposes – an uncertain future that does little to assuage concerns that Big Tech companies simply can’t be trusted.
The OAIC’s latest Australian Community Attitudes to Privacy Survey found 78 per cent of respondents felt they had very little or no control over how their personal data was collected and used, and 87 per cent were more concerned about privacy than they were five years ago.
Fully 68 per cent said they were more likely to use digital services requiring personal information if they believed their data was being handled “fairly and responsibly”.