by KingOfCoders 627 days ago
GDPR covers all personal data, that would include any DNA. It also includes the prevention of creating profiles without your consent.

But as 23andme is a US company, it is not under the jurisdiction of the GDPR. The legal situation isn't clear, the EU would claim some jurisdiction, but I (IANAL) think it's more like you go to the US, walk into a Walgreen and give up your data.


According to the GDPR, its jurisdiction is global via “public international law” and mutual government agreements, but you’re right that’s not entirely clear and they are claiming untested jurisdiction. The law says it applies to non-EU companies if the company establishes any marketing or sales presence either located in the EU, or markets or sells to EU residents (which might apply if the company so much as analyzes sales data by country), or if the company is “monitoring” the behavior of EU residents in any way, where monitoring does not seem to be defined in Article 4 so could mean a lot of things including doing anything with collected data or corresponding with customers.

https://gdpr.eu/article-3-requirements-of-handling-personal-...

I’m sure there are US companies that happen to sell to EU residents that happen to acquire some PII but don’t know and can’t correlate it with the EU, and so aren’t subject to the GDPR. But according to the law’s language, it seems as though something simple on a company’s website like using Google Analytics, which does identify and “monitor” the behavior of people by location, might trigger GDPR. I might expect 23AndMe to trigger applicability for multiple reasons, including that they are using DNA to identify regional heritage and relatives, the samples may be delivered with EU addresses on them, and the samples are as personally identifying as it gets. That’s on top of whatever the website, account registration, and sale process collects.

The problem with something like Google Analytics is that a company in the EU (EU company, US subsidiary, ...) exports PII to the US, which it can't do (law interpretation is not clear inside the EU, e.g. is it legal if GA doesn't store IPs, or is using GA without consent generally illegal).

And exporting data to the US is illegal because US companies can't guarantee that the EU citizen data is protected (which is the goal of the GDPR).

But then again, it is not clear if this applies if an EU citizen goes to a company in the US (real or website in US datacenter) and leaves their data there.

Notably, the GDPR applies depending on customer jurisdiction rather than company jurisdiction. If they’re serving EU (or UK) customers, the GDPR definitely applies.
Happy to be told the UK falls under the actual GDPR... do they (I thought after Brexit, the UK wasn't covered... and they have their own version)?
From the ICO website:

> The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review.

The UK GDPR. It’s like the GDPR, only with a Union Jack and a bulldog slapped on the side.

Now, in practice, companies seem significantly less scared of the ‘UK GDPR’ than its full-fat European progenitor (probably for good reason; even before Brexit, ICO was one of the less aggressive regulators, with its largest GDPR fine ever only being 20mn pounds), and of course the EU has a number of _newer_ consumer protections in this general area (DMA, DSA, AI Act etc) which the UK has _not_ implemented, but, for the moment at least, the UK still has some degree of data protection.

23andme markets and sells services in the EU and is therefore subject to the GDPR. And they know this very well: https://www.23andme.com/en-eu/gdpr/
Yes, because of "The GDPR applies to 23andMe because we market and provide the Personal Genetic Service in EU Member States through our UK, EU and International sites."

The problem is that the EU parliament thinks this does not work, because US companies can be (secretly) coerced into giving data to the US government, even without telling the affected EU citizens (the EU commission has a different view). And EU citizens have no way of going to court over this. And a US company can't guarantee in any way to protect EU citizen data.

Which is also the reason that all the *Shields failed and were killed by EU courts [0]

The view of the parliament is that you can't export personal data to the US at all as a company, so 23andMe can put up anything on the website they want, either they don't export data to the US (my Walgreen example) or they do, then they do it illegally.

So I (again, IANAL) would say this is marketing speak aimed towards users and has no relevancy.

[0] https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield

I agree that the EU–US data transfer frameworks are unlikely to provide complete privacy safety, and this is an open problem. However, I was addressing whether 23andme is subject to the GDPR or not, and it clearly is. The data transfer frameworks are what supposedly allows them to transfer data to the US and still be GDPR-compliant. But regardless of whether they are actually compliant or not, they are indisputably subject to the GDPR.
Yes and my point was, to me it's open to discussion if they do transfer data to the US.
That's not how GDPR works. GDPR doesn't care where your company is registered or does business; if they process the personal data of EU citizens then GDPR applies.
Supposedly.

I was an Estonian resident a while ago, and I wanted to delete data in my old VK.com account (a Russian company). They didn’t do anything, naturally, so I wrote to Estonian data protection inspector or something. They said that (surprise!) they can’t do anything either.

Things might be better now, but my bet is if you register a company in, say, Seychelles, and your business is purely digital, you can ignore GDPR all you want.

EU can, in theory, tell payment processors to stop working with you, but I haven’t heard of such cases. Even then it won’t help if you don’t sell anything (apart from user data).

Some EU countries have started blocking websites (by spoofing DNS) – this could actually work to put some actual pressure on non-compliant companies, but also is kinda too authoritarian for EU?

Tl;dr: GDPR has good intentions, it just doesn’t work right now if the data processor is not in EU.

Correction: replace "EU citizens" with "people in the Union". That's how GDPR describes the people it covers. It's where you are that matters for GDPR rather than citizenship.
Mostly. However, if I am in New York and walk into Sam’s deli, GDPR doesn’t apply.

If Sam were to target an EU citizen then it would.

Correct. If 23&M sells their services in the EU (and you bought the service while in the EU) then GDPR would apply.

But if you just walk into a pharmacy in the US and send your sample from there, GDPR has nothing to do with it.

No, if this is the case, they can't service EU citizens at all because US companies can't have any EU data because they can't protect EU citizen data.

The only way to service EU customers is when we assume entering data on a US website is not exporting data from the EU to the US by the US company. Just like when I go into a Walgreen in NYC as an EU citizen.

For the last decade US and EU companies have ignored the fact that it is/was mostly illegal to transfer EU citizen data to the US (it is currently legal but will be illegal again) - also every EU company that exports data to the US (e.g. by using Mailchimp) needs to guarantee the safety of the data by auditing Mailchimp; no one does and there have been no fines for now, but I assume there will be in the future.

See the discussions around

https://en.wikipedia.org/wiki/EU%E2%80%93US_Data_Privacy_Fra...

"The EU parliament raised substantial doubts that the new agreement reached by Ursula von der Leyen is actually conform with EU laws, as it still does not sufficiently protect EU citizens from US mass surveillance and severely fails to enforce basic human digital rights in the EU. In May 2023 a resolution on this matter passed the EU parliament with 306 votes in favor and only 27 against, but so far has stayed without consequences."

Someone randomly walking into a Duane Reade in Seattle and purchasing a device would not be reasonably covered under the GDPR.

However, if 23&me were targeting European citizens that would be different.

Despite what the adtech industry likes to claim online, Bob's Burger Joint in Baltimore does not have to be specifically concerned about abusing their customers' data even if a customer happens to be an EU citizen.

Now if they shipped frozen burgers to France online then sure they would. If they sold “merch” in euros they would. But a local store with a physical premises trading in person? Not covered.

A European citizen living in Austin buying from Amazon, though, could well be covered. Amazon do target EU citizens.

Pretty much. If EU citizens are targeted then it applies.

“Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”

https://commission.europa.eu/law/law-topic/data-protection/r...