by layer8 630 days ago
23andme markets and sells services in the EU and is therefore subject to the GDPR. And they know this very well: https://www.23andme.com/en-eu/gdpr/

Yes, because of "The GDPR applies to 23andMe because we market and provide the Personal Genetic Service in EU Member States through our UK, EU and International sites."

The problem is that the EU parliament thinks this does not work, because US companies can be (secretly) coerced into giving data to the US government, even without telling the affected EU citizens (the EU commission has a different view). And the EU citizens have no way of going to court over this. And a US company can't guarantee in any way to protect EU citizen data.

Which is also the reason that all the *Shields failed and were killed by EU courts [0].

The view of the parliament is that you can't export personal data to the US at all as a company, so 23andMe can put up anything on the website they want, either they don't export data to the US (my Walgreen example) or they do, then they do it illegally.

So I (again, IANAL) would say this is marketing speak aimed towards users and has no relevancy.

[0] https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield

I agree that the EU–US data transfer frameworks are unlikely to provide complete privacy safety, and this is an open problem. However, I was addressing whether 23andme is subject to the GDPR or not, and it clearly is. The data transfer frameworks are what supposedly allows them to transfer data to the US and still be GDPR-compliant. But regardless of whether they are actually compliant or not, they are indisputably subject to the GDPR.

Yes, and my point was, to me it's open to discussion if they do transfer data to the US.