Prepared Opening Statement by Senator Chuck Grassley of Iowa
Chairman, Senate Judiciary Committee
23 and You: The Privacy and National Security Implications of the 23andMe Bankruptcy
Wednesday, June 11, 2025
Good morning.
Genetic data is the blueprint to a person.
It is sensitive, it is personal and in the wrong hands, it is dangerous.
As technology and biotechnology rapidly expand, they bring new and serious challenges.
Consumers deserve to know how their data is going to be used, and Americans deserve protection from foreign threats.
That’s why we’re here today.
The 23andMe saga has unveiled serious and concerning issues regarding consumer protection, data privacy and national security.
We’ve explored these issues in other hearings, but today’s hearing focuses on genetic data.
23andMe collected genetic data from roughly 15 million people, and when it did, it told consumers that their data would be safe.
They said it would be protected under their privacy policy.
But now 23andMe is in bankruptcy and it’s selling off this data – Americans’ genetic data – to the highest bidders.
Bidders who consumers never consented to giving their information to.
Bidders who could manipulate and repurpose the genomic data.
Bidders who could be loyal to, or controlled by, our foreign adversaries.
Without any federal law governing genomic data privacy, the only protection for American consumers was 23andMe’s own privacy policy.
Even putting aside whether consumers read and understood the privacy policy, they were required to sign it as-is or they couldn’t use the service.
Now that 23andMe is in bankruptcy, whichever company buys them can change the privacy policy on a whim, however they see fit.
Though the bankruptcy code requires a consumer-privacy ombudsman to be appointed when personally identifiable data is being sold in violation of a privacy policy, that simply isn’t enough.
On the one hand, the bankruptcy code doesn’t include “genetic data” within the definition of “personally identifiable information,” so even if a company sold genetic data in violation of their privacy policy, the Code doesn’t require an ombudsman to be appointed to protect consumer privacy interests.
On the other hand, even if an ombudsman is appointed, the timeline on which they operate, and the efficacy of their role, must be further interrogated.
Before Americans’ genetic information is sold, they should be able to decide whether, when and how their data is going to be used.
In addition to consumer rights concerns, the national security implications of 23andMe’s bankruptcy are significant.
In 2019, the Department of Defense issued guidance that service-members refrain from using direct-to-consumer DNA testing kits.
When a consumer genetics company accumulates the personal genomic blueprints of millions – many of whom are U.S. citizens, government employees or military personnel – it becomes a strategic intelligence asset.
In the wrong hands, this data access isn’t just a privacy breach; it’s a potential weapon.
Foreign governments can design targeted biological weapons and wage pathogenic warfare.
They can identify health vulnerabilities and conduct tailored attacks on key military and governmental personnel.
In light of the serious evidence that Covid-19 was created in a Chinese laboratory, the weaponization of biologics and the military applications of genomic data are no longer far-fetched fantasies of science fiction.
They’re tenable threats to national security.
The threat from China is particularly acute.
The Chinese have invested heavily in their “military-civil” fusion strategy, where they seek to erase the line between private property and military assets.
The CCP aggressively integrates developments in AI, biotech and computing into their military efforts.
They seize and acquire corporate assets to engage in unconventional and asymmetric warfare.
Just this week, for example, two Chinese nationals were charged with smuggling a dangerous pathogen used for agricultural terrorism into the United States.
The Chinese government paid for one of the nationals to research this pathogen, and a search of their electronics revealed information linking them to the CCP.
Data is a weapon, and genetic data is a particularly potent weapon.
American genetic data must be zealously defended and jealously protected.
The 23andMe bankruptcy is a massive threat to the protection of this genetic data for so many Americans.
Congress has yet to enact sufficient protections on these important issues.
There is no data privacy law that protects genomic data, no provision in the bankruptcy code that prevents this data from being compromised through a bankruptcy auction and no sufficient remedy for consumers.
I recently cosponsored Senator Cornyn’s Don’t Sell My DNA Act, which aims at filling some of these gaps.
But there’s a lot more work to do.
I look forward to hearing from our witnesses about how we can advance legislation that better protects Americans’ genetic security.
-30-