[Senate Hearing 119-200]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 119-200

                        23 AND YOU: THE PRIVACY
                   AND NATIONAL SECURITY IMPLICATIONS
                       OF THE 23ANDME BANKRUPTCY

=======================================================================

                                HEARING

                              BEFORE THE

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                    ONE HUNDRED NINETEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 11, 2025

                               __________

                          Serial No. J-119-22

                               __________

         Printed for the use of the Committee on the Judiciary
         


                        www.judiciary.senate.gov
                            www.govinfo.gov
                            
                               __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
61-889                    WASHINGTON : 2025                  
          
-----------------------------------------------------------------------------------                            
                            
                            
                            
                       COMMITTEE ON THE JUDICIARY

                  CHARLES E. GRASSLEY, Iowa, Chairman
LINDSEY O. GRAHAM, South Carolina    RICHARD J. DURBIN, Illinois,       
JOHN CORNYN, Texas                       Ranking Member
MICHAEL S. LEE, Utah                 SHELDON WHITEHOUSE, Rhode Island
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
JOSH HAWLEY, Missouri                CHRISTOPHER A. COONS, Delaware
THOM TILLIS, North Carolina          RICHARD BLUMENTHAL, Connecticut
JOHN KENNEDY, Louisiana              MAZIE K. HIRONO, Hawaii
MARSHA BLACKBURN, Tennessee          CORY A. BOOKER, New Jersey
ERIC SCHMITT, Missouri               ALEX PADILLA, California
KATIE BOYD BRITT, Alabama            PETER WELCH, Vermont
ASHLEY MOODY, Florida                ADAM B. SCHIFF, California

             Kolan Davis, Chief Counsel and Staff Director
         Joe Zogby, Democratic Chief Counsel and Staff Director

                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

Grassley, Hon. Charles E.
Durbin, Hon. Richard J.

                               WITNESSES

Cohen, Glenn
    Prepared statement
Gotberg, Brook
    Prepared statement
Klein, Adam
    Prepared statement
Selsavage, Joseph
    Prepared statement

                                APPENDIX

Items submitted for the record

 


                        WEDNESDAY, JUNE 11, 2025

                              United States Senate,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:19 a.m., in 
Room 226, Dirksen Senate Office Building, Hon. Charles E. 
Grassley, Chairman of the Committee, presiding.
    Present: Senators Grassley [presiding], Cornyn, Hawley, 
Blackburn, Britt, Moody, Durbin, Klobuchar, Coons, Padilla, and 
Schiff.

        OPENING STATEMENT OF HON. CHARLES E. GRASSLEY, 
             A U.S. SENATOR FROM THE STATE OF IOWA

    Chairman Grassley. Good morning, everybody.
    Genetic data is the blueprint to a person. It is sensitive, 
it is personal, and in the wrong hands, it can be dangerous. As 
technology and biotechnology rapidly expand, they bring new and 
serious challenges. Consumers deserve to know how their data is 
going to be used, and Americans deserve protection from foreign 
threats. That is why we are here today.
    The 23andMe saga has unveiled serious and concerning issues 
regarding consumer protection, data privacy, and national 
security. We have explored these issues in these hearings, but 
today's hearing focuses upon genetic data. 23andMe collected 
genetic data from roughly 15 million people, and when it did, 
it told the consumers that their data would be safe. They said 
it would be protected under their privacy policy.
    But now, 23andMe is in bankruptcy, and it is selling off 
its data, Americans' genetic data, your data, to the highest 
bidders, bidders who consumers never consented to giving their 
information to, bidders who could manipulate and repurpose the 
genetic data, bidders who could be loyal to or controlled by 
foreign adversaries. Without any Federal law governing genomic 
data privacy, the only protection for the American consumer was 
23andMe's own privacy policies.
    Even putting aside whether consumers read or understood the 
privacy policy, they were required to sign it as-is, or they 
couldn't use the service. And now that 23andMe is in 
bankruptcy, whichever company buys them can change the privacy 
policy on a whim, however they see it.
    That's why, just yesterday, 27 States sued to block the 
sale of this data. Though the bankruptcy code requires a 
consumer privacy ombudsman to be appointed when personally 
identifiable data is being sold in violation of a privacy 
policy, that simply is not enough. On the one hand, the 
bankruptcy code doesn't include genetic data within the 
definition of these three words, personally identifiable 
information. So even if a company sold genetic data in 
violation of their privacy policy, the code doesn't require an 
ombudsman to be appointed to protect consumer privacy interest.
    On the other hand, even if an ombudsman is appointed, the 
timeline on which they operate and the efficacy of their 
role must be further interrogated. Before Americans' genetic 
information is sold, they should be able to decide whether, 
when, and how that data is going to be used.
    In addition to consumer rights concerns, the national 
security implications of 23andMe bankruptcy are significant. In 
2019, the Department of Defense issued guidance that 
servicemembers refrain from using direct-to-consumer DNA 
testing kits. When a consumer genetics company accumulates the 
personal genomic blueprint of millions, many of whom are U.S. 
citizens, government employees, or military personnel, it 
becomes a strategic intelligence asset. In the wrong hands, 
this data access isn't just a privacy breach, it is a potential 
weapon.
    Foreign governments can design targeted biological weapons 
and wage pathogenic warfare. They can identify health 
vulnerabilities and conduct tailored attacks on key military 
and government personnel. In light of the serious evidence that 
COVID-19 was created in a Chinese laboratory, the weaponization 
of biologics and the military application of genomic data are 
no longer far-fetched fantasies of science fiction. They are 
tenable threats to the national security.
    The threat from China is particularly acute. The Chinese 
have invested heavily in their military-civil fusion strategy 
where they seek to erase the line between private property and 
military assets. The Chinese Communist Party aggressively 
integrates development of artificial intelligence, biotech, and 
computing into their military efforts. They seize and acquire 
corporate assets to engage in unconventional and asymmetric 
warfare.
    Just this week, for example, two Chinese nationals were 
charged with smuggling a dangerous pathogen used for 
agricultural terrorism into the United States. The Chinese 
Government paid for one of the nationals to research this 
pathogen, and a search of their electronics revealed 
information linking them to the Chinese Communist Party.
    Data is a weapon, and genetic data is particularly a potent 
weapon. Americans' genetic data must be zealously defended and 
jealously protected. The 23andMe bankruptcy is a massive threat 
to the protection of the genetic data of so many Americans.
    Congress has yet to enact sufficient protection on these 
important issues. There is no data privacy law that protects 
genomic data, no provision in the bankruptcy code that prevents 
this data from being compromised through bankruptcy auction, 
and no sufficient remedy for consumers.
    I recently co-sponsored Senator Cornyn's Don't Sell My DNA 
Act, which aims at filling some of these gaps, but there is a 
lot more work to do. I look forward to hearing from our 
witnesses about how we can advance legislation that better 
protects Americans' genetic security.
    With that, I will open things up to Senator Durbin to give 
an opening statement. Then, we will hear from our witnesses.

         OPENING STATEMENT OF HON. RICHARD J. DURBIN, 
           A U.S. SENATOR FROM THE STATE OF ILLINOIS

    Senator Durbin. Thanks, Senator Grassley, good and timely 
hearing as far as I am concerned.
    23andMe has a data base containing the genetic information 
of about 15 million people. If your genetic information is in 
their data base, a researcher can tell you who your relatives 
are, what your ethnicity is, what your eye color is, and 
whether you think cilantro tastes like soap. They can also 
determine a lot of information about your health. Are you at 
risk of developing type 2 diabetes? How about celiac disease, 
chronic kidney disease, Parkinson's?
    In short, 23andMe has access to deeply personal information 
about you and your health, information that you would normally 
want to keep private, I guess, between you and your family and 
your doctor. Yet no federal law, no federal law, prevents 
23andMe from sharing this data with others, including insurance 
companies, future employers, and law enforcement. Rather, a 
patchwork of State laws, privacy policies are the only things 
protecting the genetic information of millions of Americans.
    If 23andMe's customers are anything like fellow Americans, 
they likely did not read this privacy policy. According to a 
survey by Pew Research, more than half Americans say they 
always--well, almost always--often agree with privacy policies 
without ever reading them. Who can blame them? Whether you are 
activating your cell phone, setting up your Facebook account, 
accessing a number of services, Americans are bombarded with 
countless privacy policies to which they must agree, and 
virtually all of us do.
    One company who studied the issue found that Americans 
would have to spend, get ready, 47 hours a month to read the 
privacy policies of the most visited websites. That is more 
than a full 9 to 5 workweek every single month. Get real.
    When 23andMe filed for bankruptcy on March 23, a lot of 
people suddenly became interested in privacy policy because 
buried in the fine print of their privacy policy is the 
following. Listen closely. ``If we are involved in a 
bankruptcy, merger, acquisition, reorganization, or sale of 
assets, your personal information may be accessed, sold, or 
transferred as part of the transaction.'' Remember that clause? 
Probably not.
    So 23andMe's 15 million customers are left wondering, who 
is going to get access to my genetic information? What are they 
going to do with it? What rights do I have to stop it? That is 
why we need this hearing.
    Thankfully, 23andMe's privacy policy gave its customers the 
right to delete their data upon request, and millions have done 
so, so many, in fact, that 23andMe's website crashed with the 
traffic. Again, this wasn't required by Federal law. There are 
very few federal guardrails to protect the most sensitive 
personal data, including your DNA and who can share it.
    It is time for Congress to put some protections in place 
for Americans. In the right hands, a genetic data base could 
help researchers unlock lifesaving medical cures and make 
incredible discoveries. But in the wrong hands, in the wrong 
hands, it could enable dystopian discrimination, and 
surveillance could be used by our adversaries. You were turned 
down for that job? Why did they turn me down? Turns out they 
knew a lot more about you than you knew about yourself.
    The American people deserve to have faith that their 
sensitive information will be and stay in the right hands 
before they agree to share it. Yet nearly 20 years after 
23andMe came on the scene, and at least that long since the 
surveillance industrial complex started taking over the 
internet, America still lacks a comprehensive federal law to 
protect our privacy. Like other areas, including kids' online 
safety, to which this Committee has dedicated a lot of time, 
there is bipartisan consensus that something needs to be done 
about our privacy.
    There have been signs of hope, including in 2022 when the 
American Data Privacy and Protection Act passed the House by a 
broad bipartisan vote of 53 to 2. This is the Energy and 
Commerce Committee. But the American people are still waiting. 
I think we can get together and pass a bipartisan bill. This 
hearing might help.
    Thanks, Mr. Chairman.
    Chairman Grassley. Thank you.
    This is a consensus hearing, so I am going to go ahead and 
introduce all the witnesses that have joined us today. Then, I 
will swear them in.
    Mr. Joseph Selsavage serves as interim CEO, CFO, CAO, 
23andMe, joined 23andMe in November 2021 through the 
acquisition of Lemonaid Health. At Lemonaid Health, he was 
chief financial officer. Mr. Selsavage received a BA in 
economics and financial management and his MA in accountancy 
from Catholic University. He also received his MBA from 
Massachusetts Institute of Technology. He is a certified public 
accountant.
    Next, we have Mr. Glenn Cohen, professor of law at Harvard 
Law School and the faculty director of Harvard Center of Health 
Law Policy, Biotechnology, and Bioethics. Professor Cohen is an 
elected member of the National Academy of Medicine and has 
spoken to NATO, OECD, and members of the U.S. and Korean 
Congress on medical and biotech issues and policies. He 
previously served as a lawyer for the U.S. Department of 
Justice, Civil Division, where he handled litigation in Court 
of Appeals and U.S. Supreme Court.
    Next, we have Ms. Brook Gotberg, professor of law, Brigham 
Young University. Professor Gotberg teaches bankruptcy, 
contracts, secured transactions, and other commercial law 
subjects. Her scholarship focuses on debtor and creditor 
relations and various impacts on the bankruptcy code and 
business reorganization. Professor Gotberg earned her BA in 
political science magna cum laude, Brigham Young University, 
and her JD cum laude from Harvard Law School.
    Mr. Adam Klein is a senior lecturer at UT Austin School of 
Law and director of the Strauss Center for International 
Security and Law. Previously, Mr. Klein served as chairman and 
CEO of the United States Privacy and Civil Liberties Oversight 
Board, overseeing counterterrorism programs at the NSA, FBI, 
CIA, and the Department of Homeland Security. Before entering 
government, Mr. Klein was a senior fellow at the Center for the 
New American Security and National Security Think Tank. Earlier 
in his career, he served as a law clerk to Justice Scalia of 
the Supreme Court.
    Would you please rise so I could administer the oath?
    [Witnesses are sworn in.]
    Chairman Grassley. Thank you. And I think we will go my 
left to my right, so you start, Mr. Selsavage.

STATEMENT OF JOSEPH SELSAVAGE, INTERIM CHIEF EXECUTIVE OFFICER 
  AND CHIEF FINANCIAL AND ACCOUNTING OFFICER, 23ANDME HOLDING 
              CO., SOUTH SAN FRANCISCO, CALIFORNIA

    Mr. Selsavage. Chairman Grassley, Ranking Member Durbin, 
and Members of the Committee, thank you for the opportunity to 
appear before you today. My name is Joseph Selsavage, and I am 
the interim chief executive officer of 23andMe, a mission-
driven organization founded on the simple yet transformative 
belief that individuals have the right to access, understand, 
and benefit from their own genetic information. From the very 
beginning, 23andMe's purpose has been clear, to help people 
live healthier lives through direct access to their own DNA, to 
accelerate scientific discovery, and to contribute meaningfully 
to the future of personalized medicine.
    We recognize that with this vision comes immense 
responsibility to the millions of individuals who have chosen 
to participate in something larger than themselves. We are here 
today not only to answer your questions, but to reaffirm our 
deep commitment to data privacy and security, transparency, 
customer choice, data stewardship, and scientific integrity.
    Founded in 2006, 23andMe is a personal genomics and 
biotechnology company that pioneered direct-to-consumer genetic 
testing. We are named after the 23 pairs of chromosomes in 
every human cell. Our mission has always been to empower 
consumers by providing access to information about their 
personal genetics based on the latest science so that they can 
make their own informed decisions about their healthcare 
journey.
    Our services allow customers to gain DNA insights about 
their genetic risk for dozens of conditions like type 2 
diabetes, Alzheimer's disease, and certain cancers. They can 
also learn about their carrier status for inherited conditions 
like cystic fibrosis or Tay-Sachs disease, or wellness factors 
like lactose intolerance or deep sleep intolerance.
    23andMe customers have consistently reported taking 
positive health actions after learning about their genetics 
through 23andMe's services. Eighty-two percent of our customers 
with an actionable genetic result were previously unaware of 
their health risks.
    The value of personal genomics goes beyond the insights 
people learn about themselves. Customers who register for our 
services also have the option to allow their data to be shared 
for research purposes, and over 80 percent of our customers 
have chosen to consent to research.
    Consent is a central tenet of 23andMe's research program. 
We have separate research consents beyond our consents to 
processing sensitive data, a privacy statement and terms of 
service that customers must review and agree to if they want to 
participate in our research program. We remove all identifying 
information before any genetic data is shared with third 
parties. Any customer who affirmatively consents to participate 
in our research program can easily opt out at any time through 
their account settings and have always been able to do so. 
Customers are also free to delete their account and data at any 
time.
    Our customers who have affirmatively consented contribute 
to more than 230 studies on topics that range from Parkinson's 
disease to lupus to asthma and more. We collaborate with 
advocacy organizations, universities, and biotech companies to 
bring customers opportunities to participate in research. Since 
2010, 23andMe has published 293 papers that help advance 
scientific research in a wide range of fields.
    Due to circumstances that I discuss in more detail in my 
written testimony, 23andMe is currently conducting a sales 
process supervised by a United States bankruptcy court. That 
process has been a success to date. We have two remaining 
bidders, both American enterprises, that will conduct a final 
round of bidding later this week before the sale of the winning 
bidder is presented for approval by the bankruptcy court. 
Because this proceeding is ongoing, I am unable to speak about 
the merits of either bid or the ongoing sale process.
    Let me assure the Committee that 23andMe remains committed 
to protecting customer data. We are requiring that anyone 
bidding for 23andMe must agree to comply with our privacy 
policies. We recognize the vital importance of protecting every 
individual's right to access and control their own genetic 
information. Empowering people with the knowledge about their 
DNA is not only a matter of personal autonomy, it is a gateway 
to proactive and personalized health, informed decisionmaking, 
and greater engagement in consumer and scientific progress.
    At 23andMe, we believe that when consumers are trusted with 
their own data, they become partners in advancing medicine and 
not just patients of it.
    I appreciate the opportunity to testify before this 
Committee today, and I welcome your questions.
    [The prepared statement of Mr. Selsavage appears as a 
submission for the record.]

STATEMENT OF I. GLENN COHEN, DEPUTY DEAN AND PROFESSOR, HARVARD 
              LAW SCHOOL, CAMBRIDGE, MASSACHUSETTS

    Professor Cohen. Chairman Grassley, Ranking Member Durbin, 
other distinguished Members of the Committee, my name is Glenn 
Cohen. I'm a deputy dean and professor at Harvard Law School. I 
work on the legal and ethical issues in medicine and the 
biosciences, including genetics. Thank you for the opportunity 
to testify before you today.
    Genetic data requires special protection because it is 
immutable, it inherently identifies us, it reveals information 
about our blood relatives, and because many health conditions 
have significant genetic components, so knowing about someone's 
genes is knowing about their health. If one's genetic 
information was accessed, it might reveal information on 
prognosis for breast cancer, Alzheimer's disease, and many 
other health conditions. It might let people identify you, 
including reconstructing your face and vocal characteristics. 
You might face discrimination in life, disability, and long-
term care insurance, and it might reveal misattributed 
paternity.
    There are additional risks to our servicemembers. Indeed, 
the Pentagon warned that our enemies might use the 23andMe data 
for ``mass surveillance and the ability to track individuals 
without their authorization or awareness.'' And that's just 
today's risks. The development of polygenic risk scores may 
further reveal our risk for various diseases, and some have 
begun using 23andMe data to create scores to predict behavioral 
traits like risk tolerance and even educational attainment.
    Since 2006, through its direct-to-consumer genetic tests, 
23andMe has amassed a vast data base that includes the genetic 
and personal information of more than 15 million consumers. For 
many, it also holds physical specimens like saliva samples. The 
main privacy protection for those customers is just a promise 
the company has made in its privacy statement not to share 
personal information voluntarily with insurance companies, 
employers, or public data bases, or with law enforcement 
agencies without a valid subpoena, search warrant, or court 
order.
    But if you read more closely, the privacy statement 
provides much less protection than it appears to. Few customers 
read or understand privacy statements or terms of use. 23andMe 
reserves the right to alter the terms customers have relied on, 
and moreover, the company explicitly reserves the right to 
transfer customer personal information in the event of the sale 
of the company or a bankruptcy.
    The company has announced as part of the bankruptcy process 
it will ``require anyone bidding for 23andMe to agree to comply 
with our privacy policies and all applicable privacy laws.'' 
Well, that's all well and good, but even if that becomes a 
condition of the sale, nothing prohibits Regeneron, TTAM, or 
another buyer of the data from altering that privacy policy 
just as there's nothing to stop 23andMe from doing so tomorrow. 
It's also unclear to me what's going to happen to the saliva 
samples, raising additional privacy concerns.
    Trust is all about a relationship. Customers who chose 
23andMe entered into a particular kind of relationship with a 
particular kind of company. They shared their genetic and other 
personal information, recognizing there was some privacy risk 
to obtain potential ancestry and health-related insights, and 
for some of them to help enable research and the development of 
potential new drugs or other therapeutics.
    Upon bankruptcy or sale of the assets, consumers may find 
themselves in a relationship with a very different kind of 
company with goals they may not support and policies that have 
changed while they weren't looking. Privacy statements and 
customer acquiescence have a role to play, but private ordering 
solutions can only go so far to deal with these concerns.
    And Federal law is not currently up to the job. The Health 
Insurance Portability and Accountability Act, HIPAA, our main 
health privacy law on the Federal level, will not apply to 
23andMe because it's not a covered entity. The Genetic 
Information Nondiscrimination Act of 2008 protects individuals 
from genetic discrimination for employment or health insurance, 
but unlike its equivalent in many of our peer countries, it 
doesn't cover life, disability, and long-term care insurance. 
It excludes military personnel and excludes protection for 
individuals on the basis of conditions that have already 
manifested in the individual.
    In my written testimony, I've analyzed a series of possible 
alternatives for you to consider, but I want to focus on two 
here, two that I think are particularly promising. First, the 
Don't Sell My DNA Act introduced by Members of this Committee, 
Chairman Grassley, Senators Cornyn and Klobuchar, which would 
introduce a strong model of affirmative consent upon 
bankruptcy. We've heard a lot about consent from the company, 
and the question is, why aren't they getting consent at this 
moment for the transfer? Why not go back and ask people to 
affirmatively consent to that transfer? And that is what your 
act would help do. I would like to see it extended, in fact, 
beyond the bankruptcy to other forms of sale or transfer of 
genetic data and more explicitly cover the biospecimens.
    The second complementary model I want to highlight is from 
Florida, which in 2020 became the first U.S. State to ban 
insurers from discriminating on the basis of genetic 
information in areas not covered by GINA, life, long-term care, 
and disability insurance. I would like to see a similar effort 
on the Federal level because when it comes to--I respect 
federalism, but when it comes to genetic discrimination, 
really, all Americans should have this protection.
    Chairman Grassley, Ranking Member Durbin, and Members of 
the Committee, I'm appreciative of your focus on this important 
issue, and I thank you for the opportunity to testify before 
you today, and I look forward to answering your questions. 
Thank you very much.
    [The prepared statement of Professor Cohen appears as a 
submission for the record.]
    Chairman Grassley. I am going to open up the Senate. 
Senator Cornyn, would you Chair while I am gone? I will be gone 
about 15 or 20 minutes. Thank you.
    Go ahead, Professor Gotberg.

         STATEMENT OF BROOK GOTBERG, PROFESSOR OF LAW, 
                  BYU LAW SCHOOL, PROVO, UTAH

    Professor Gotberg. Okay. Thank you for the opportunity to 
present to you today.
    Chairman Grassley. Push the button.
    Professor Gotberg. Thank you. Thank you for the opportunity 
to present to you today. I'm happy to provide some perspective 
on the sale of personal consumer data in bankruptcy. And the 
main message that I'd like to convey is that the concerns that 
you've raised are not inherently bankruptcy issues. I'd also 
like to advise against passing bankruptcy-specific prohibitions 
on the sale of data, and I'll explain.
    Bankruptcy provides a vital public policy role in the 
smooth running of our economy. Bankruptcy is not inevitable 
when a company becomes insolvent, but its primary purpose is to 
mitigate and manage the losses caused by a debtor's insolvency. 
When a company becomes insolvent, the creditors of that company 
are obligated to engage in a competition for those debtors' 
limited assets. This competition looks like a race to recover 
their legal rights. This is the metaphorical or actual race to 
the courthouse.
    The race imposes costs on creditors who have to expend 
resources, sometimes fruitlessly, because they have gotten 
there too late after the money has run out. Also, a piecemeal 
liquidation of the debtor's assets frequently devalues those 
assets or destroys value so that creditors are ultimately paid 
less. That's why we want parties to choose bankruptcy when the 
debtor is insolvent.
    Bankruptcy isn't a haven for any party to avoid the 
enforcement of outside laws. This is a primary issue in the 
23andMe bankruptcy right now to determine if there are State 
laws that would prohibit the sale of assets in that bankruptcy. 
But we also don't want parties to avoid bankruptcy because of 
specific laws that arise only in those instances.
    If a company cannot sell assets in bankruptcy, it will 
simply do so outside of bankruptcy, without the benefit of 
court oversight or the transparency provided by bankruptcy 
proceedings and probably for a lower price. This won't actually 
protect consumers from the sale of their data. It will just 
deny them these protections that bankruptcy is intended to 
give. The primary advantage of bankruptcy is its efficiency and 
its ability to maximize the value of debtor's assets.
    Federal law shouldn't protect consumer data only in 
bankruptcy proceedings. To the extent that Congress wants to 
prohibit the sale of personal consumer data, it should do so 
both inside and outside bankruptcy to prevent the strategic use 
of bankruptcy for reasons that have nothing to do with the 
efficiency of the proceedings.
    I'm happy to answer any questions about this or any 
bankruptcy-related issues, but I would really encourage the 
Committee to consider holistic and universally applicable 
prohibitions to the extent they exist. Thanks.
    [The prepared statement of Professor Gotberg appears as a 
submission for the record.]
    Senator Cornyn [presiding]. Mr. Klein.

 STATEMENT OF ADAM KLEIN, DIRECTOR AND SENIOR LECTURER, ROBERT 
   S. STRAUSS CENTER FOR INTERNATIONAL SECURITY AND LAW, (UT 
                     AUSTIN), AUSTIN, TEXAS

    Mr. Klein. Mr. Chairman, Mr. Ranking Member, and Members of 
the Committee, thank you for inviting me to testify today.
    Before joining the University of Texas, I served as 
chairman of the United States Privacy and Civil Liberties 
Oversight Board, an agency that Members of this Committee 
oversee and know well. Many of our oversight projects revolved 
around the insights that intelligence agencies can gain from 
personal data. That is because data is not just another 
commodity. When our adversaries buy or steal sensitive American 
data, they use it to harm the United States. China, in 
particular, has used American data to strengthen its military, 
conduct hostile intelligence operations, and help its companies 
displace American competitors.
    Genomic data, like the DNA profiles held by 23andMe, 
presents several distinct national security risks. First, China 
could use DNA profiles to identify and track people of 
interest, such as American intelligence officers and critics of 
the CCP, the Chinese Communist Party, who live in the United 
States. China has already built a genetic data base to track 
and identify members of its Uyghur minority. With our genomic 
data, it could do the same for Americans.
    Second, access to American genomic data could help Chinese 
biotech companies gain an unfair advantage over American 
companies. It could also help China train specialized AI models 
for biomedical research. Now, China has domestic AI datasets, 
but its population is far less genetically diverse than ours, 
so American genomic data would hold great value for them.
    Third, China could use American genomic data for bioweapons 
research. Now, that risk is speculative, but it can't be 
dismissed. My written testimony lists several clues that China 
might be open to this kind of research. For example, a Chinese 
military textbook speculated about bioweapons designed for 
specific ethnic genetic attacks. Access to American DNA 
profiles with their greater genetic diversity could facilitate 
research into ethnically targeted bioweapons.
    There is a disturbingly high chance, as Members of this 
Committee know, that we will find ourselves in an armed 
confrontation with the People's Republic of China before the 
decade is out, most likely over Taiwan. If so, we should expect 
China to target our homeland with unconventional, asymmetric 
tactics, which could include biologic attacks.
    Next year, this Committee will once again consider Section 
702 of the Foreign Intelligence Surveillance Act. As you do so, 
I respectfully encourage you to keep in mind that law's vital 
role in detecting adversarial plots against our homeland and 
stopping cyber intrusions into sensitive systems, potentially 
including systems like 23andMe's that store Americans' data.
    I'd like to conclude on a positive note. In recent years, 
Congress, including this Committee and Members of this 
Committee and the executive branch, have done a great deal to 
protect Americans' data from hostile foreign powers. And as 
this hearing illustrates, leaders are now vigilant about the 
security risks of letting adversaries buy our data. For those 
reasons, I'm confident that the executive branch would block 
and could block an adversary-controlled entity from buying 
23andMe. But the attention of this Committee and others in 
Congress is vital to help ensure an outcome to this bankruptcy 
that protects the privacy and security of Americans.
    Thank you, and I look forward to your questions.
    [The prepared statement of Mr. Klein appears as a 
submission for the record.]
    Senator Cornyn. Thank you all very much. We will start with 
the 5-minute rounds of questions, and I will begin.
    So back in 1990, Congress authorized something called the 
Human Genome Project, which was designed to map the human 
genome, which gave rise to an incredible amount of information 
about the human genome, which is what makes us who we are. And 
it has had enormous positive benefits in terms of law 
enforcement, for example, being able to use DNA as an essential 
part of regular criminal investigations to identify an 
assailant. For example, in a forensic analysis of a rape kit, 
it can identify with virtual certainty the perpetrator of the 
crime.
    But at the time, it was also recognized that there could be 
tremendous abuse of that information. And indeed, we have 
touched on some of those, for example, discriminating against 
people based on their genetic profile for insurance purposes. 
For example, if you apply for life insurance or something of 
that nature and someone had access to your genetic profile, 
they could basically deny you because of perhaps some 
indication, some evidence of a genetic defect that would lead 
you to contract a disease or the like. And then, of course, 
employment, where there could be discrimination by employers 
against people based on their genetic profile.
    So all of this is something we have anticipated to some 
extent, but I don't think we have been able to predict the 
extent to which this genetic profile, this genome data can be 
subject to not only beneficial use, but also use by our 
adversaries and for improper purposes.
    Mr. Selsavage, did 23andMe do the actual testing of the 
saliva samples that were submitted by the people who engaged 
your company and your product?
    Mr. Selsavage. We contract with LabCorp, which is an 
American-based testing company to do the testing of the DNA 
samples for 23andMe.
    Senator Cornyn. For all of it?
    Mr. Selsavage. For all of our testing, yes.
    Senator Cornyn. And to your knowledge, is LabCorp--are 
there efforts to attack or to basically do cyber attacks on the 
data base that LabCorp maintained of 23andMe genetic samples 
and data?
    Mr. Selsavage. I am not aware of any particular cyber 
attacks on LabCorp. However----
    Senator Cornyn. Well, you are not saying that LabCorp was 
somehow immune from cyber intrusions or cyber attacks, right?
    Mr. Selsavage [continuing]. No, I'm not, Senator.
    Senator Cornyn. So can you tell us, as you sit here today, 
whether any of the genetic material that LabCorp tested that 
was collected by any of our adversaries or by criminal 
organizations, can you tell us with certainty that all of it 
was protected?
    Mr. Selsavage. To the best of my knowledge, you know, that 
data has been protected by LabCorp, and there has not been any 
breaches at LabCorp which has affected our data.
    Senator Cornyn. Professor Cohen, generally speaking, if 
there is genetic information supplied along the same lines as 
23andMe, what is to protect individuals from outsourcing of 
some of that testing to, let's say, labs in China?
    Mr. Cohen. I don't think there's much, Senator.
    Senator Cornyn. And Professor Klein, you said this is a 
national security vulnerability. Why is that? Why would China, 
the Chinese Communist Party, want the genetic information on 
Americans?
    Mr. Klein. Well, there are several potential uses, none of 
which are good. One is to use genetic information as a means of 
tracking and identifying people, something that every 
intelligence service and law enforcement agency----
    Senator Cornyn. And that could include the active-duty 
military?
    Mr. Klein. Active-duty military, intelligence officers 
working for the United States, Chinese dissidents who are 
living here and have come here to enjoy freedom and freedom of 
speech but whom the CCP is tracking.
    But then looking forward into the age of AI, having large 
datasets with genetically diverse populations represented in 
them is very attractive for training specialized AI models. We 
know we're in a fierce competition with them, and we need to 
keep these advantages for American companies and for the U.S. 
Government.
    Senator Cornyn. And would each of you agree with me that 
the genetic information that is collected through one of these 
saliva samples by a company like 23andMe doesn't just tell you 
something about the person who provides that saliva sample. It 
tells you something about their parents, about their children, 
and about their grandchildren, and anybody who might be a 
genetic relative of that individual.
    Professor Cohen. That's right, Senator. When we say 15 
million, that is kind of an underestimate when you think about 
all of these generations of people who are affected.
    Senator Cornyn. Senator Durbin.
    Senator Durbin. So it seems to me that 23andMe tried, Mr. 
Selsavage, to come up with a policy to protect its consumers, 
but there is little to guarantee that the next buyer or the one 
after that won't abuse that policy, is there?
    Mr. Selsavage. Senator and Ranking Member, 23andMe has 
required as part of the sale of the assets of the company that 
any buyer of the company must comply and adopt the privacy 
policy and consents that 23andMe have in place today.
    Senator Durbin. So I didn't think I would ever say this in 
this room, but does the rule against perpetuities apply?
    [Laughter.]
    Mr. Selsavage. Congressman, can you clarify that for me?
    [Laughter.]
    Senator Durbin. I have tried to forget every aspect of that 
course in law school, but what I am suggesting to you is two or 
three buyers removed, your best intentions don't mean much, do 
they?
    Mr. Selsavage. Senator and Ranking Member, you know, my 
understanding is that, you know, 23andMe is doing everything we 
can to ensure that the next buyer adopts the policies and 
consents of 23andMe, and, you know, while I can't actually 
testify to their future intentions, both are, you know, 
American institutions with experience in genomics, and, you 
know, are committed to protecting that data and continuing----
    Senator Durbin. Unless we have a Federal law relative to 
this issue that applies to future transactions, your best 
intentions don't mean much, as far as I am concerned. And don't 
take it personally.
    So, Professor Cohen, there was a best-selling book a few 
years ago called The Immortal Life of Henrietta Lacks, 
fascinating book, story of an African-American woman who died 
in 1951 of cervical cancer in Baltimore if I am not mistaken. A 
sample of her tumor generated what is known as the HeLa cell 
line. That cell line was mass-produced and sold to laboratories 
all over the world. It has been used in scientific research, 
including research into cancer, the human genome, and the 
development of the polio vaccine. It is still being used today. 
Famously, Henrietta Lacks never consented to the use of her 
cells in this way, and despite the vast sums of money the cell 
line has generated, her family has never seen a dime of 
profits.
    Part of what is being sold by 23andMe is a collection of 
biological samples submitted by consumers who wanted their DNA 
examined. They may have consented to some use of their samples, 
but I question how informed it actually was. And there is no 
guarantee a new owner won't change how the samples are used. 
Are you familiar with this story?
    Mr. Cohen. I am, Senator.
    Senator Durbin. Is there anything we can learn from it in 
this application?
    Professor Cohen. I think to learn for the importance of 
affirmative consent, and again, affirmative consent that can 
explain as much as possible what you want to do with material. 
And again, we still haven't heard an answer why at this stage 
they're not going back to all of their customers and asking, 
can you consent to the transfer of your data to this new buyer? 
It's a very simple thing that the company could do. Why aren't 
they doing it?
    Senator Durbin. Mr. Selsavage, why aren't you doing it?
    Mr. Selsavage. Senator, 23andMe believes we've obtained the 
consent from our customers, and when the customer signed up to 
our--to the service, they have agreed affirmatively to consent 
to our privacy and terms of service, which specifically says 
that we--in the event of a bankruptcy sale, that we can 
actually transfer their data.
    Senator Durbin. I think what Professor Cohen is suggesting 
is that there is more that could be done to protect your 
consumers. Would you consider it?
    Mr. Selsavage. I can take that suggestion back to our team, 
Senator.
    Senator Durbin. I hope you will.
    Professor Gotberg, I guess my conclusion from your 
testimony was the bankruptcy code really didn't envision what 
we are talking about here.
    Professor Gotberg. So the bankruptcy code treats--it 
respects law that exists outside of bankruptcy just the same in 
bankruptcy proceedings as outside, so any legal prohibitions 
that apply outside bankruptcy also apply inside bankruptcy. So 
in a way, the bankruptcy code did anticipate that. It just 
doesn't introduce new substantive law when a company files for 
bankruptcy. There's not new prohibitions that exist.
    Senator Durbin. But what you say is, in your testimony, 
current bankruptcy law provides some oversight that can prevent 
the worst privacy policy abuses in a bankruptcy sale, but it 
does not prohibit the sale from taking place. Placing a 
prohibition on bankruptcy sales would simply push them outside 
bankruptcy proceedings where there are fewer protections. The 
best policy would make any restrictions on the sale of personal 
consumer data universally applicable. It is time for us to 
legislate, isn't it?
    Professor Gotberg. I would say if you want to protect 
consumers from having their personal consumer data bought and 
sold, you need to do that.
    Senator Durbin. Amen. Thank you, Mr. Chairman.
    Senator Cornyn. Senator Durbin, we have seen history made 
today because in your long and distinguished career in the U.S. 
Senate, I know you have been waiting to use the phrase rule 
against perpetuities in a question, so congratulations for 
that.
    [Laughter.]
    Senator Cornyn. Senator Blackburn.
    Senator Blackburn. Thank you, Mr. Chairman.
    Mr. Selsavage, I want to ask you--let me say this. We all 
know that China is hard at work trying to build a virtual you 
of each and every one of us, and this is why we need to have a 
Federally preemptive online privacy law, which we do not have. 
And whether it is 23andMe and genetic information or whether it 
is data security, this is something that we need. But you seem 
a bit naive to think that you haven't had any breaches or any 
attacks, cyber attacks. Our critical infrastructure in this 
country is hit many times a day.
    So what I want you to do--and you can submit this in 
writing--is to go into detail about how you anonymize and how 
you mask consumers and their information. And you can submit 
that during the QFR period. But I think it is important that 
you lay this out so that individuals know what level of 
protection that they are going to have. You all may sell, and 
then there may be an immediate buyer. You sold to 23andMe. You 
thought that would be a longer-term relationship. It is not. 
And then there may be three or four subsequent buyers, so some 
certainty and some awareness would be a good thing. And I want 
that in writing. Thank you.
    Mr. Selsavage. Senator, thank you for that. And I will take 
that back to our team as well.
    I do want to note that, you know, I'm clearly aware that, 
you know, basically there are many cybersecurity threats. And 
at 23andMe, security and our customers' privacy is top of mind. 
And, you know, basically, we, you know, at 23andMe, do have 
cybersecurity threats from our foreign adversaries and others. 
And I will take your concerns back.
    Senator Blackburn. Thank you. I thank you for that 
clarification because we deal with that issue repeatedly and 
the severe threats that exist each and every day.
    Okay. Mr. Klein, I want to come to you. Talking about a 
privacy standard, there are some States, including my State of 
Tennessee, who have stepped forward. And Tennessee, in 2023, 
enacted the Genetic Information Privacy Act. That requires 
companies to protect consumers' private information and to 
provide them with the ability to access their data, to delete 
their data and their account, and to destroy their biological 
sample. However, not all Americans enjoy this protection. So in 
that regard, is the Tennessee law a model for moving forward?
    Mr. Klein. Well, I haven't studied that law closely, 
Senator, but it certainly sounds appealing to me as a citizen, 
as a consumer. And I've been following the saga of the general 
Federal privacy law that everyone seems to want for many years 
now. And the Committee understands better than I do the 
challenges that have arisen in coming to an agreement on 
something that everybody seems to want.
    I think what the bill that Senator Cornyn and the other 
Members have introduced demonstrates is that even as--and the 
Tennessee bill is that even as we wait for a general law, there 
is possibility of making progress on sector-specific issues. 
And in my testimony, I highlighted some of the very good things 
that the Committee and other parts of the Congress has done on 
this specific threat from hostile foreign actors. And I do 
think, to Congress' credit, we've tightened that up 
considerably in the past few years.
    Senator Blackburn. Mr. Selsavage, the Tennessee attorney 
general issued a statement after you all filed for bankruptcy, 
issued a statement notifying Tennesseans of their right to 
request a deletion. So talk to me about how you were moving 
forward with these deletion requests.
    Mr. Selsavage. At 23andMe, any one of our customers at any 
time can delete their data. For our customers, it's a simple 
process. All they need to do is log into their account at 
23andMe, go to their settings, and request their account to be 
deleted. That process is automatic. We do ask for their date of 
birth just as an additional verification measure. And we've 
complied with those deletion requests and over--you know, 
through--you know, through the bankruptcy process and prior to 
that.
    Senator Blackburn. And when they delete their account, they 
are also deleting their biological sample. Is that correct?
    Mr. Selsavage. If a customer has consented to--for us to 
biobank their saliva sample, we will also delete and destroy 
that saliva sample----
    Senator Blackburn. Thank you.
    Mr. Selsavage [continuing]. Upon their request to delete 
their data.
    Senator Blackburn. I yield back.
    Senator Cornyn. Senator Klobuchar.
    Senator Klobuchar. Thank you. I think I will start by 
following up with Senator Blackburn's good questions. And by 
the way, thank you, Mr. Klein, for mentioning the need for a 
general privacy bill, which we badly need.
    So on this deletion issue, it is my understanding that 1.3 
million consumers asked 23andMe to delete their genetic data. 
Many faced technical issues. So how long is the backlog right 
now? And what are you doing to make sure all the requests are 
fulfilled?
    Mr. Selsavage. Senator, the good news is that today there 
is no backlog, that we are current on all of the deletion 
requests. What did occur, you know, is when we filed for 
bankruptcy and, you know, many State attorneys general 
requested--or suggested to consumers that they delete their 
data at 23andMe. We did receive a significant amount of 
deletion requests. We quickly added additional staff and, you 
know, basically were able to reduce that backlog.
    Senator Klobuchar. Thank you. And will you commit to 
ensuring that consumers will retain their right to have their 
genetic data deleted after the bankruptcy sale is completed by 
making deletion rights a condition of the sale?
    Mr. Selsavage. Both of the bidders and, you know, the 
bankruptcy sale of 23andMe, both Regeneron and TTAM Research 
Institute, have agreed to adopt the policies of 23andMe, the 
privacy policies----
    Senator Klobuchar. So the answer is yes?
    Mr. Selsavage. So, you know, the answer is yes.
    Senator Klobuchar. Okay. During the bankruptcy process, how 
has 23andMe ensured consumers could decide how information is 
used and for what purposes since that is what your website has 
promised consumers?
    Mr. Selsavage. Our consumers consent not only to a terms of 
service, a privacy policy, there are also separate consents for 
our customers to--if they so choose, to engage in research at 
23andMe and yet a--and then a separate consent to allow us to 
engage with research with third parties. And, you know, we make 
sure that customers have the right to actually opt in. We don't 
default those. Customers are actually clicking yes, they will 
want to conduct--or enable their data to be used for research 
purposes. Many customers understand these are important for 
understanding disease and genetic conditions and lifesaving 
medical treatments.
    Senator Klobuchar. Thank you. Professor Cohen, it is my 
belief that the privacy policies aren't meeting the privacy 
needs of consumers during bankruptcy. That is why I have worked 
with Senator Cornyn. I appreciate his leadership, and Grassley, 
to give consumers control over their genetic data with our 
bill, Don't Sell My DNA Act. Why is it so important that we 
require consent from the consumer before their genetic data is 
sold to another company with which they have no prior 
relationship?
    Professor Cohen. People are engaged in a trust 
relationship. You know, if my father gave me access to his 
medical records and says, son, I want you to look at this and 
be careful with this, and I went ahead and said, let me give it 
to somebody else without asking my dad, you'd look askance at 
what I was doing. The same thing is happening here. They're 
essentially transferring data and transferring a trust 
relationship to a new entity, and people have the right to know 
who they're dealing with and the right to consent to it.
    Senator Klobuchar. Do you believe that the right to control 
one's personal genetic information should take precedence over 
maximizing returns for creditors in a bankruptcy proceeding?
    Professor Cohen. Well, I think that it would be nice for 
the creditors to get paid, Senator. In this instance, I think 
this information is so sensitive and so important, it's really 
important to protect people's information.
    Senator Klobuchar. Okay. Thank you. And Professor Gotberg, 
do you believe that the current consumer privacy ombudsman 
system in bankruptcy proceedings is sufficient to protect 
consumers' most sensitive information?
    Professor Gotberg. So the consumer privacy ombudsman is 
appointed to help the court in weighing the costs and the 
benefits of any particular sale of assets. If you permit 
consumer--privacy--personal consumer data to be sold outside of 
bankruptcy, it's permissible inside of bankruptcy as well. And 
so the consumer privacy ombudsman is just trying to weigh what 
would be the negative effects of that sale.
    Without an understanding of the price of privacy, so to 
speak, that's a very hard balancing act to perform. To my 
knowledge, there's been no final litigation to determine what 
the damages would be for an individual to have their privacy 
violated in that way, so it makes it really hard for the 
consumer privacy ombudsman to have an effective role there.
    Senator Klobuchar. Okay. And sort of to end where I began 
with Mr. Klein's point, why is it so important that Congress 
enact a comprehensive privacy law? By the way, the same 
companies that were lobbying against one, because I am also on 
the Commerce Committee, say 10 years ago now want one because 
of the patchwork of laws that we now have in our States, which 
is very predictable, which I hope people will realize that we 
need some AI rules of the road in place and tech rules of the 
road in place. And it is just the worst, that people just think 
they can lobby against things, and then all of a sudden they 
are like, oh no. So tell me why we need a privacy law and how 
that would have helped here.
    Professor Gotberg. So a greater predictability for 
companies when they're entering into agreements with consumers 
would be--is always beneficial. So if companies know what the 
legal limitations are, then they can take that into account and 
creditors can take that into account whether an asset will be 
available before lending to the debtor. So it's important to 
have that law in place inside and outside bankruptcy.
    Chairman Grassley. Oh, I am sorry. I didn't mean to 
interrupt you. I thought you were done.
    Senator Klobuchar. Well, good. No, I am not going over my 
time. Done.
    Chairman Grassley. Senator Moody.
    Senator Moody. Thank you, Mr. Chair. And thank you for 
conducting this hearing and for all of our witnesses that have 
taken time to be here. These are complex issues and certainly 
we appreciate your expertise on the matter.
    I think any American sitting at home when they learned of 
this bankruptcy that had submitted information to 23andMe was 
probably, you know, terrified and had never thought about what 
would happen to their information. So it is not just 
policymakers that are worried about this. I think people all 
around the United States are now concerned of what happens to 
their very sensitive personal information.
    And I think this is going to affect everything from data 
privacy to national security to potential biotech threats. And 
we cannot overstate the threat to this Nation and to people 
individually. I think it is both going to be from a national 
security concern, but also private companies getting access to 
some of this data.
    I appreciate the shoutout to Florida. Florida does lead in 
many of these policy areas. We are not afraid to diligently dig 
in and take action quickly to protect people and their rights, 
and thank you for acknowledging that. In fact, right now, as we 
sit here, it is not illegal for insurance companies, life, 
disability insurance to inquire about, get access to your 
genetic information in all 50 States except Florida, and so we 
appreciate that.
    And I think it is going to be imperative that this body, as 
we are presented with the sale of companies that have access to 
this information--and it is not just 23andMe. There are going 
to be other companies that get access to genetic information to 
be used in business models, to develop strategies to maximize 
profits, whether that is from their everyday course of business 
or whether that is selling of assets. We are going to have to 
deal with how the exchange of genetic information of Americans 
is protected and whether it can even be treated as an asset.
    And I want to start first, sir, we appreciate you being 
here, and I know you have the best of intentions, you have 
said, as it relates to the assets. And you consider the genetic 
information of Americans to be assets?
    Mr. Selsavage. The genetic information belongs to the 
consumers and--you know, basically, and it is a very valuable 
asset to those consumers, yes.
    Senator Moody. But to 23andMe, you considered that to be an 
asset?
    Mr. Selsavage. It is an asset to 23andMe, yes. I mean----
    Senator Moody. And in terms of valuing your business moving 
forward or valuing your particular parts of your assets in a 
bankruptcy, that is one core asset?
    Mr. Selsavage. Senator, we did not value that asset, you 
know, per se as part of the bankruptcy. However, the bidders 
are looking at that and placing a value on it.
    Senator Moody. A bidder wanting to buy your company is 
assessing whether or not they can buy that data as part of how 
much they are going to pay you?
    Mr. Selsavage. Yes.
    Senator Moody. And the more customers that delete their 
information, the less of that asset is available to transfer is 
what you are telling us today?
    Mr. Selsavage. Senator, you know, for us at 23andMe, we've 
let the buyer----
    Senator Moody. Yes or no. And you are deleting that data, 
and once you sell an asset off, will it be less of an asset to 
sell?
    Mr. Selsavage. There will be less customers with genetic 
information in our data base as people delete them, yes.
    Senator Moody. So the customers that don't get this notice 
across the United States, the warnings from the attorneys 
general that this is a problem, you need to delete your 
information, if they have moved and they don't get the notice 
and they don't delete it, they are part of the asset group that 
goes to the other country, right?
    Mr. Selsavage. Senator----
    Senator Moody. Or goes to the other--could be the other 
country, I am sorry, the other business.
    Mr. Selsavage. Senator, we have provided notice to all of 
our customers of the bankruptcy proceedings. And this week, we 
will be providing notice of the sale of the company to either 
Regeneron or TTAM Research Institute. And at all times, our 
customers have complete control over their data. They have the 
right----
    Senator Moody. Except for the ones that didn't get notice 
and don't know about the sale, right?
    Mr. Selsavage. Senator, with all due respect, we are doing 
everything we can to make sure all of our customers get that 
notice of the bankruptcy and of the sale. We are--we've emailed 
them----
    Senator Moody. I heard that you have the best intentions. 
So I am also hearing that we might need to modify Federal law 
to address these intentions because when you are talking about 
the sale, you list that you will not sell to any countries of 
concern on your website. But I guess all other foreign nations 
could presumably offer to buy, right, if they're not a country 
of concern in your mind?
    Mr. Selsavage. Senator, you know----
    Senator Moody. Yes or no? You're limiting the exclusion of 
those to countries of concern.
    Mr. Selsavage. We are limiting the sale of assets to any 
foreign adversary to the United States, any companies in those 
countries.
    Senator Moody. But another foreign adversary could buy this 
information--or excuse me, another foreign nation-state could 
buy this information and sell it to a foreign adversary. 
Nothing prevents that, right?
    Mr. Selsavage. Senator, with all due respect, we have only 
two bidders left here, and both are American enterprises. Both 
Regeneron is a public pharmaceutical company here based in the 
U.S. and TTAM Research Institute also is an American 
foundation, you know, founded by the former CEO and co-founder 
of 23andMe----
    Senator Moody. At the core of it, I understand you are 
saying right now there are only two bidders left, but under 
Federal law and under what your best intentions are permitting, 
it could have allowed for a foreign State to buy these assets, 
nothing would have prohibited that, and selling it to a foreign 
adversary, correct? Nothing in federal law would have prevented 
that.
    Mr. Selsavage. Senator----
    Senator Moody. Correct?
    Mr. Selsavage [continuing]. I am not a lawyer, but I do 
believe there are regulations, and there would have been 
different oversight if any of the assets were sold to anyone 
outside of the United States. And----
    Chairman Grassley.
    [Off mic.]
    Senator Moody. Thank you, Chairman Grassley.
    Chairman Grassley.
    [Off mic.]
    Senator Coons. Thank you, Chairman Grassley, and thank you 
to each of the panelists for coming here today and testifying 
on this important issue. It is particularly valuable that you 
are here to shed light on two issues important to our Nation, 
to our families, and frankly, also to my home State of 
Delaware, namely, bankruptcy and data privacy.
    As I am sure some of you know, Delaware is the most popular 
State in our Nation for corporate incorporation, which also 
makes it a prominent bankruptcy jurisdiction. Delaware also is 
one of a small handful of States that has enacted robust data 
privacy protection laws, making it a potential model for 
federal legislation on data privacy, particularly in the 
context of bankruptcy.
    I do think it is critical that we strike the right balance 
between safeguarding data and personal information and 
maintaining a bankruptcy system that makes creditors whole and 
gives debtors a fresh start.
    If I might, Professor Gotberg, is a prospective buyer in 
bankruptcy legally required to follow 23andMe's current privacy 
policy?
    Professor Gotberg. So the privacy policy is a contract----
    Senator Coons. Right.
    Professor Gotberg [continuing]. So contracts are 
enforceable as between the two parties. In law school we like 
to teach that a contract is a promise to perform or to pay 
damages. So a company that undertakes a contract, if they don't 
perform, would open itself up to a lawsuit for damages. That's 
true for 23andMe, and it would be true for any subsequent 
buyer. Whatever the buyer agreed to do would just be a 
contract. It wouldn't be--there would be no enforcement 
mechanism to force them to comply. They could just choose to 
breach.
    Senator Coons. Nothing other than damages enforces that 
contract. And is there anything in the bankruptcy code that 
specifically addresses the transfer and use of highly sensitive 
personal data?
    Professor Gotberg. In that situation, that is where the 
consumer privacy ombudsman could be appointed.
    Senator Coons. Could be.
    Professor Gotberg. Right, but in that situation, their role 
is primarily to advise the bankruptcy judge to weigh the costs 
and benefits of any potential breach of a privacy policy. So 
again, without being able to put a number on what that--those 
damages are, what the cost is for a violation of privacy, it 
actually becomes a pretty difficult weighing exercise.
    Senator Coons. Is there any relevant precedent?
    Professor Gotberg. I don't know that it's ever been 
litigated. I haven't seen anything.
    Senator Coons. Me neither. Professor Cohen, Delaware and a 
few other States have enacted strong data privacy laws designed 
to regulate entities that control sensitive data, give 
individual consumers the right to access, correct, or delete 
certain data. How can my colleagues and I do something similar 
at the federal level and specifically in the bankruptcy context 
to ensure sensitive data doesn't end up in the hands of the 
wrong people or the wrong country as a result of a bankruptcy 
proceeding? And what is your view on the Don't Sell My Data Act 
where I have joined Senators Grassley, Cornyn, and Klobuchar as 
a co-sponsor?
    Professor Cohen. So I think the Don't Sell My Data Act is 
exactly the right idea here. I will say that I think that the--
what's important is this idea of affirmative consent. That's 
what is central to the bill upon the transfer. And again, we 
still really haven't heard a good reason why we can't go back 
to all of these people and ask them, can you affirmatively 
consent to the transfer of your data to Regeneron or TTAM? So I 
would love to see Congress push that and push it beyond 
bankruptcy to other kinds of sales of information as well.
    Senator Coons. Let me ask you a question about affirmative 
consent. Part of the market value of 23andMe is a service that 
is individually genetically identifying that gives you 
information about, honestly, one of the most private things 
there could be, which is whether or not you are susceptible to 
certain diseases, what is your genetic ancestry, that sort of 
thing. Would it not stand to reason that although logistically 
challenging, going back to every individual who has given their 
personally identifying genetic information to 23andMe and 
affirming their consent would actually, in the end, build their 
market value by reinforcing that this kind of a service is 
something where people can count on it to protect their data 
privacy, regardless of whether there are damages available?
    Professor Cohen. I think if you build your company on a 
reputation of trust and a reputation of autonomy and empowering 
people, this is exactly the thing you want to sell to customers 
to say, we believe so much in what we say that we're even going 
to do this upon sale or bankruptcy.
    Senator Coons. And I understand how it might be complex or 
expensive, but in the end, I think it ultimately serves the 
entire segment of personally identifying genetic consult 
because it builds trust.
    Thank you, Mr. Chairman. Thanks for a chance to question.
    Chairman Grassley. I will take my turn now. I am going to 
start with Mr. Selsavage.
    In 23andMe's March 23 press release, the company indicated 
that data privacy would be ``an important consideration in any 
potential sale.'' But when there was a motion to appoint a 
consumer privacy ombudsman in the bankruptcy, 23andMe first 
opposed the appointment of an independent ombudsman to ensure 
that genetic data was protected in the sale. Why did the 
company oppose appointing a privacy ombudsman?
    Mr. Selsavage. Yes, Mr. Chairman, 23andMe was the first to 
suggest that the bankruptcy court appoint a customer data 
representative, which would look at the privacy issues in this 
particular bankruptcy case. 23andMe, at the time, did not 
believe that a consumer privacy ombudsman was needed. And the 
reason--the differentiation there is a consumer privacy 
ombudsman is required in bankruptcy when, you know, there's a 
change in the privacy policy from one company to the next.
    In this particular case, you know, we, as part of the 
bidding process for 23andMe, were requiring that any company 
that was considering acquiring 23andMe's assets, including its 
data base and our customers, would be required to retain the 
privacy policies and consent going forward.
    Chairman Grassley. I think that answers that question. So 
is 23andMe's priority to sell consumer genetic information to 
the highest bidder or to ensure that the genetic data it has 
collected will be protected according to existing privacy 
policies?
    Mr. Selsavage. Mr. Chairman, our customers' data and 
privacy is, you know, a top priority in this process, you know, 
at 23andMe and for the special committee overseeing this 
process. It is not just the highest bidder. We are--have 
required that, you know, basically any bidder, as I said, and 
the two remaining bidders have affirmatively said that they 
would actually continue those privacy policies and consent and 
put that in writing in their asset purchase agreements or 
contracts to buy the company.
    Chairman Grassley. Also to you, the point of bankruptcy is 
to ``marshal assets in a way that maximizes their value for the 
benefit primarily of creditors and then once creditors are paid 
for owners.'' And in your written testimony, you agree with the 
aim of maximizing the value of the business for stakeholders, 
but placing as little restrictions on the customer data as 
possible makes the data more valuable to the buyer. Would you 
characterize genomic data as a bankruptcy asset?
    Mr. Selsavage. Mr. Chairman, you know, I believe that the 
genomic data is an asset and, you know, we have--23andMe is 
treating it--and not only maximizing the value for our 
creditors and our shareholders, but also, you know, one of the 
most important pieces--parts of 23andMe is our customers and 
our customers' trust, and we are putting their privacy and 
their security as part of that process and it is top of mind 
for the company and special committee overseeing this process.
    Chairman Grassley. Okay. Based upon your ``yes'' answer, 
isn't your duty to protect consumer data in tension with your 
duty to maximize the value of the estate asset?
    Mr. Selsavage. I think we are looking at both of those 
duties combined, Mr. Chairman.
    Chairman Grassley. So I think you are saying that consumer 
data doesn't have a higher value than the estate. So aren't you 
a little bit in conflict with some other things you said here?
    Mr. Selsavage. You know, basically protecting our 
consumers' data and their privacy and their consents as part of 
this process is a large consideration and, as I mentioned, it 
is not just accepting the highest dollar amount for the assets.
    Chairman Grassley. My last question will be, Mr. Klein, in 
2019, the DOD advised members of the armed services not to use 
direct-to-consumer genetic testing devices. The guidance noted 
the risk of mass surveillance and the ability to attract 
individuals without authorization. How could foreign 
adversaries use either the personalized or the aggregated 
genetic information of U.S. servicemembers to harm U.S. 
interest in military operations?
    Mr. Klein. Thank you, Senator. Well, we know that 
intelligence services and police agencies like the FBI use 
genetic data to identify people of interest, and foreign 
adversaries certainly have a great interest in members of our 
military, where they go, what they do. So that would certainly 
be a concern for me, and we can be assured that they are 
looking at that and trying to use our servicemembers' genetic 
data.
    You also mentioned aggregate. Large datasets have great 
value today for training AI models. China is trying to build 
large datasets in every conceivable area, but they have some 
gaps. One of those gaps is that their population is not 
genetically diverse, and so they may have a large number of DNA 
profiles in their country, but they don't have the diversity 
that we have. And that genetic diversity is very helpful if you 
want to train a model that is predictive for things benign, 
like biomedical research, but also things malevolent, like 
bioweapons research. We don't want them to build out their data 
base of DNA profiles with the diverse and rich datasets that we 
have here in America.
    Chairman Grassley. Senator Schiff.
    Senator Schiff. Thank you, Mr. Chairman.
    Professor Gotberg, California has already passed 
legislation that went into effect in 2022 requiring direct-to-
consumer genetic testing companies like 23andMe to obtain 
Californians' express consent for the collection, use, or 
disclosure of their genetic data. Under this law, Californians 
are also able to delete their accounts and genetic data and to 
destroy the biological samples they provided to these 
companies.
    In the context of 23andMe's bankruptcy, can Californians 
still exercise these deletion rights, or does the bankruptcy 
process somehow interfere with, override, or otherwise affect 
our State's privacy protections?
    Ms. Gotberg. Thank you. Bankruptcy proceedings do not 
override any applicable law. So State law and Federal law are 
recognized in bankruptcy proceedings. Whatever rights your 
consumers have outside bankruptcy, they'll have inside 
bankruptcy in terms of their legal rights.
    Senator Schiff. And if the data base, 23andMe's data base, 
is sold as a bankruptcy asset, what obligations would the 
acquiring company have under Federal or California law to 
maintain those same security standards?
    Ms. Gotberg. So the same laws that would apply now to 
23andMe would presumably apply to any buyer.
    Senator Schiff. And so even if this is not a California 
company operating in some other State, they would still be 
bound post-bankruptcy to California's privacy standards?
    Ms. Gotberg. To the extent that California privacy 
standards apply, yes, they would.
    Senator Schiff. And is a commitment made by an acquiring 
company somehow enforceable, apart from California's law, vis-
a-vis residents of other States, is a promise made by an 
acquiring company somehow legally enforceable, or is it only as 
good as the person's intention to comply with that commitment?
    Ms. Gotberg. So contractual promises are enforceable up to 
the point that they can be enforced. That's not a great answer, 
but again, our statement is a contract is a promise to perform 
or to pay damages. It's possible for parties to breach that 
agreement, in which case the party that--on the other side of 
it would be entitled to damages for the harm that they've 
experienced. But without----
    Senator Schiff. You know, let's say I am acquiring 
23andMe's dataset. I commit to maintaining the deletion 
provisions, et cetera, complying with California law even if it 
is not required somehow. I acquire the dataset, I don't 
comply----
    Professor Gotberg. Right.
    Senator Schiff [continuing]. Has my offer to comply or my 
commitment pre-bankruptcy, has that somehow turned into a 
binding contract with the owners of the genetic data, the 
people who have the genetic data?
    Professor Gotberg. So it would depend on who you were in 
privity with, I guess, in terms of the contract, to use, I 
guess, a fancy legal term. A contract is between two parties, 
and so you have to have an agreement between those two parties. 
And I guess the question in those situations, if you were 
promising to abide by the commitment, who would be on the other 
side of that promise? Who would be able to enforce it?
    Senator Schiff. Right. Well, it would sound like the 
consumer would not be on the other side of that promise. It 
would be more one of the parties to the bankruptcy, which then 
we would be then relying on them to enforce that promise. Does 
that analysis make sense?
    Professor Gotberg. That makes sense to me.
    Senator Schiff. And what controls are in place, Mr. 
Selsavage--maybe I can ask you this question. What controls are 
in place to prevent any unauthorized access or misuse of 
information during the bankruptcy proceedings?
    Mr. Selsavage. 23andMe is--you know, basically places data 
security and data privacy as top of mind. You know, we 
basically have continued to maintain a strong system of 
security, making sure all of our data is encrypted. You know, 
the genetic data is stored separately from any consumer 
identifying information identifying who that genetic data 
belongs to. We have enhanced our security processes, especially 
around bankruptcy, understanding that there is additional 
threats. And, you know, basically from--on the consumer side, 
you know, we have since enacted two-factor authentication to 
access--so basically, there is a second level of either an SMS 
text message or an email verification when somebody is trying 
to access their account and then placed additional restrictions 
if sensitive----
    Senator Schiff. If I could just interrupt with one last 
question because my time is going to expire. How do we know 
that an acquiring company or entity or person would maintain 
the same security standards that you have over privacy and even 
those standards were subject to hack?
    Mr. Selsavage. Senator, the good news here is there is two 
potential buyers at this point for 23andMe. The first is 
Regeneron, an American $55 billion market cap pharmaceutical 
company who actually has data security over genomic data today. 
And TTAM Research Institute would be--which would be 
maintaining the same security standards as 23andMe.
    Senator Schiff. Thank you, Mr. Chairman.
    Chairman Grassley. Senator Britt.
    Senator Britt. Thank you, Mr. Chairman.
    To follow up on the Senator's question, so would you commit 
today to the same privacy standards that you have demanding 
those of the company that purchases 23andMe? Do not sell unless 
they keep the same privacy standards that you have?
    Mr. Selsavage. Yes, that is a requirement, you know, 
basically of any--of the two buyers, and they have put that in 
their asset purchase agreement.
    Senator Britt. Excellent. And tell me, what all do you test 
for?
    Mr. Selsavage. You know, 23andMe tests for, you know, 
basically a significant level of, you know, genetic traits, 
ancestry, and health conditions. We actually, as part of our 
process, test over 600,000 variants through our testing 
process.
    Senator Britt. Okay. So you are able to tell somebody maybe 
it is predictability of potential disease and other things?
    Mr. Selsavage. And while we can't definitively say that 
that person will get the disease, we can highlight risk--and 
basically when people are at higher risk for certain diseases.
    Senator Britt. And so do you test for sex?
    Mr. Selsavage. You know, as part of our testing, we do 
identify if the DNA showed that the--if the individual is male 
or female.
    Senator Britt. And male is XY chromosome?
    Mr. Selsavage. That is correct.
    Senator Britt. And female XX?
    Mr. Selsavage. Correct.
    Senator Britt. On your data base though, you go into saying 
that if people self-identify of another gender, that you will 
attempt to give them a prognosis of the gender that they 
identify with versus the gender that they test for?
    Mr. Selsavage. Senator, I'm not aware of that----
    Senator Britt. Oh, yes, you do. So it says, ``We understand 
that sex is not always binary and the words male and female may 
not accurately reflect an individual's identity. We also 
recognize that being categorized by birth sex may be an 
uncomfortable or triggering experience to some, and we do not 
mean to delegitimize anyone's gender identity or expression. We 
use your self-reported sex to customize your health and trait 
reports. For example, genetic risk and what they may mean 
differ between men and women.'' So men and women are different, 
right? I mean, you say that here. We just talked about the 
genetic testing.
    But then you go on to say, ``If you tell us you are female, 
your reports will contain information that is relevant to 
genetic females XX. If you tell us you are male, your reports 
will contain information that is relevant to genetic males XY. 
Additionally, there are some sex-specific reports that are 
available on individual selected profile sex such as male hair 
loss or bald spot. That is because either we are not able to 
build out an acceptable model for both genders or because the 
trait is actually sex-specific.''
    And so I guess I am wondering, did you test--like if it is 
a genetic female that identified to you as a male, would you 
test them for male pattern baldness?
    Mr. Selsavage. Senator, you know, we--as you mentioned, we 
actually do--the customer does report to us, you know, what 
they believe their sex is, and we test against that, as well as 
what we found in the DNA as--testing as well.
    Senator Britt. I think probably the DNA is what is best for 
predicting actual future disease or harm or what may come, good 
or bad, for the individual.
    On that note, you have about 15 million customers. Is that 
right?
    Mr. Selsavage. That's correct.
    Senator Britt. Okay. Of that, how many are kids?
    Mr. Selsavage. How many are kids?
    Senator Britt. Yes.
    Mr. Selsavage. Senator, I don't know that number.
    Senator Britt. So you don't know. From what I read on your 
website, obviously, parents can agree to have their child's DNA 
tested. Is that correct?
    Mr. Selsavage. That is correct.
    Senator Britt. So you don't know? Of the 15 million people, 
you don't know how many of those profiles are under 18?
    Mr. Selsavage. I don't have that information with me today, 
but I'd be happy to take that back for----
    Senator Britt. Do you have a guess?
    Mr. Selsavage. I don't have a reasonable guess, Senator.
    Senator Britt. Sir, I think we have to be vigilant when it 
comes to children and their DNA. We have talked today about all 
of the potential risks that can occur from privacy to security 
risk, obviously, blackmail, amongst a number of things. Would 
you commit to me today that in the sell, you will sell no 
child's DNA under the age of 18, that you will delete that 
account?
    Mr. Selsavage. Congressman--or Senator, I will take that 
back and will review that.
    Senator Britt. I think you absolutely should. And on that 
note, when it comes to bankruptcy, Professor, tell me, you 
know, when you look at a privacy ombudsman in this space, when 
you are looking at minors, children, what type of protection is 
currently in place, and what do we need to be doing as 
Congress? And actually, I would like to open this up to 
everybody to ensure that children are protected in this space.
    Professor Gotberg. My understanding is that there are 
specific laws protecting children's information. I'm not an 
expert on those laws, but whatever laws exist outside of 
bankruptcy are enforced inside of bankruptcy as well.
    Senator Britt. Do you all have another--I would love your 
thoughts.
    Professor Cohen. You know, for human subjects research, we 
have special rules for the children population, and that might 
be a place to look for some comparisons.
    Senator Britt. Do you have anything, Mr. Klein?
    Mr. Klein. Well, as a father, I can say that I think we all 
struggle with how much of our children's data or how much of 
our children's lives to digitize, and so there's also a degree 
of parental responsibility. And when it comes to health, these 
are very tough choices sometimes for all of us.
    Senator Britt. Absolutely. Thank you, Mr. Chair.
    Senator Hawley [presiding]. Senator Padilla.
    Senator Padilla. Thank you.
    Now, colleagues, the witnesses today have explained that 
our bankruptcy process is primarily designed to maximize 
creditor payouts and ensure that a business, where possible, 
can continue to operate. It is not designed for other goals, 
but it is often called upon to fulfill other goals. Here, the 
bankruptcy process is not just required to protect consumer 
privacy, but also to protect our national security interests.
    Professor Klein, what protections are built into the 
bankruptcy process to prevent foreign adversaries from taking 
advantage of the process to access sensitive information? Other 
concerns are generally raised, but, you know, we are talking 
about a specific area of the law, bankruptcy law here, whether 
we are talking about personally identifiable information or 
national security sensitive information?
    Mr. Klein. Thank you for the question, Senator. And this is 
one area where there actually have been encouraging changes. We 
are not defenseless. In the FIRRMA law back in 2018, the 
Congress did give the Committee on Foreign Investment in the 
U.S. the ability to reach into the bankruptcy process and block 
sales and transactions, something that it previously hadn't had 
within its jurisdiction. As you all know, that body in the 
executive branch is one of our main protections against key 
intellectual property, sensitive data, and so forth, slipping 
out the back door to foreign adversaries.
    Senator Padilla. And how much of the sensitive information, 
if any, can potential buyers access before a sale becomes 
final? They are obviously doing due diligence in the process of 
making these decisions.
    Mr. Klein. That is a great question, Senator. I would refer 
that to the bankruptcy experts on the panel.
    Senator Padilla. Anybody?
    Professor Gotberg. So can you repeat your question?
    Senator Padilla. How much access to this very sensitive 
information, whether it is personal sensitive information or 
national security sensitive information can a potential buyer 
access before a sale becomes final? Or is this an area where----
    Professor Gotberg. So there----
    Senator Padilla [continuing]. Legislative action is needed?
    Professor Gotberg. Within a bankruptcy proceeding, there is 
an allowance for due diligence. I think the procedures for that 
will be determined by the bankruptcy court and may differ from 
case to case. To the extent that there is no protections 
outside bankruptcy law, I don't know that there's--you know, 
bankruptcy law does not produce additional protections that 
wouldn't otherwise exist.
    Senator Padilla. So a potential area for needed 
congressional action is what I am hearing. Since we have an 
expert before us, at what point in a bankruptcy process can 
CFIUS get involved? And do you have any recommendations about 
whether they should be involved earlier in the process?
    Professor Gotberg. So I'm afraid you will have to explain 
what CFIUS is to me.
    Senator Padilla. All right, then we have an expert here. It 
is okay. It is okay. We will do a followup with you because my 
time is limited. I want to get to another topic, which is 
national security and biotechnology. I recently served as a 
member of the National Security Commission on Emerging 
Biotechnology, and our findings in a recent report found that 
the United States has historically not treated biological data 
as a strategic asset like our agricultural base, our oil 
reserves, despite its importance in advancing biotechnology and 
AI.
    Back to Professor Klein. What is your assessment of the 
CCP's effort to sweep up as much biological data that they can 
of Americans and of our allies and partners abroad to advance 
their own domestic biotechnology ambitions?
    Mr. Klein. Well, I think we've seen, Senator--and thank you 
for the question--their ambitions are comprehensive. They want 
to dominate in critical sectors. They want to use information 
like this to enhance their military prowess, and potentially, 
and very worryingly, given the tension between our countries, 
to conduct asymmetric, unconventional attacks, potentially 
including biologic attacks.
    I'm sure you all saw that just in the past 2 weeks, the 
Eastern District of Michigan U.S. Attorney's Office has 
indicted two separate sets of Chinese national defendants on 
smuggling biologic materials into the United States. We've also 
seen the report on the Reedley Biolab out of the House Select 
Committee where a person of Chinese nationality, citizenship, 
was in California running an unregistered biolab. We don't know 
exactly what was going on there.
    Some of these reports are very disturbing. We don't have a 
complete picture, but we know that the system, as the 9/11 
Commission put it, is blinking, if not red, at least dark 
orange, and we need to have the imagination--and I'm glad this 
Committee's doing it, to foresee how they might conduct 
unconventional attacks against our homeland in the event of an 
armed conflict.
    Senator Padilla. Do you have any recommended actions for 
this Committee or Congress as a whole to take to better protect 
our biological data while striking the important balance of 
promoting scientific research that depends on these datasets?
    Mr. Klein. Yes, thank you, Senator. And bankruptcy is one 
vector. We're all covering down on that today. Cyber security, 
cyber attacks is another major vector. We know that it is very 
hard for companies to defend against a nation-state level 
attack, but we can at least make it harder for them. We can at 
least force them to expend their very best, most exquisite 
exploits to try to get in and spread those techniques that they 
have as thin as possible.
    But I will also flag one other vector, insider threat. This 
is something that those of us who have led organizations in the 
Government dealing with classified material worry about every 
day, but it's also true in the private sector. Companies do not 
have the same comprehensive security clearance standards or 
personnel vetting standards that government organizations are 
supposed to.
    There are some private sector actors that are starting to 
help, for example, defense industrial-based companies do this, 
but if an insider who has authorized credentials inside a 
company wants to take out a bulk dataset, whether it's genomic 
data or weapons designs, what does that company have in place 
to prevent that exfiltration? That's another very problematic 
vector.
    Senator Padilla. Okay. Thank you so much.
    Thank you, Mr. Chair.
    Senator Hawley. Mr. Selsavage, if I could just start with 
you. So how many customers do you have approximately?
    Mr. Selsavage. Between 14 and 15 million customers.
    Senator Hawley. Between 14 and 15 million. I think you told 
Senator Britt just a minute ago that a goodly number of those 
are minors. Is that correct?
    Mr. Selsavage. What I said was I don't have the number of 
customers that are----
    Senator Hawley. You have the genetic data of a good many 
minors. Is that correct?
    Mr. Selsavage. We have genetic data for a particular number 
of minors, and I will be providing--happy to provide----
    Senator Hawley. People under the age of 18. Is that 
correct?
    Mr. Selsavage. That is how I am defining a minor.
    Senator Hawley. So your customers--I just want to make sure 
I understand your business model. Your customers give you their 
genetic information for you to run various tests on. Is that 
right?
    Mr. Selsavage. Yes, that is correct.
    Senator Hawley. And I mean, that is pretty sensitive stuff, 
isn't it, somebody's genetic information? Is there anything 
more personal than that?
    Mr. Selsavage. I would agree with you, Senator, that 
genetic data is sensitive information.
    Senator Hawley. And so now you are just going to sell all 
of it, 15 million people, bunches of kids, maybe millions. It 
is just going to be sold in the open market?
    Mr. Selsavage. Senator, you know, the good news, as I 
mentioned, is that the two bidders are buyers for the company. 
One is Regeneron, which is an American company.
    Senator Hawley. That is the big pharma company?
    Mr. Selsavage. Big--it is a----
    Senator Hawley. It doesn't make me feel any better.
    Mr. Selsavage. It is a large pharmaceutical company.
    Senator Hawley. All right. So you are going to take 15 
million Americans' genetic information, and you are going to 
sell it to somebody. And your message to us is today, trust us, 
it will be fine. Maybe it is a big pharma company. Maybe we 
will get lucky. Maybe they will treat it right. I thought your 
privacy code, your privacy commitment said that consumers had a 
right not to have their information shared with anybody else 
without their consent. I mean, I have got your privacy 
statement right here. It says that without their consent, you 
can't share their information. You are about to sell it.
    Mr. Selsavage. Senator, that consent is, you know, 
essentially for, you know----
    Senator Hawley. Not real?
    Mr. Selsavage [continuing]. Not shared for research 
purposes, and we are not selling it for research purposes.
    Senator Hawley. Ah, so when you tell the consumer, give us 
your personal information, and we will take money from you, and 
we won't give it to anybody without your consent, it is not 
real. It just means, you know, maybe kind of depends on the 
day.
    Mr. Selsavage. Senator, you know, I will say that our 
customers' data is their own. They have the right at all times 
to access that information. They can edit it----
    Senator Hawley. Well, sure they can, but you are about to 
sell it to who knows who. They can't control it. You said to 
Senator Moody that consumers have complete control of their 
data, complete. How can they have complete control if you are 
about to sell it without their consent?
    Mr. Selsavage. Senator, they can delete that data anytime 
up until the sale and after.
    Senator Hawley. Oh, okay. Okay. They can delete the data. 
Have you fixed the ability of customers to go on your website 
and delete it? Because right after you announced your sale, 
your deletion page went down. I hold in my hand here an article 
from The Wall Street Journal. ``23andMe's site goes down as 
customers struggle to delete their data.'' Can they even get 
onto your site to delete their data?
    Mr. Selsavage. They can, Senator, and----
    Senator Hawley. You fixed this?
    Mr. Selsavage. That was an issue that--yes, we fixed 
immediately after----
    Senator Hawley. It is up and running now? Customers can go 
on?
    Mr. Selsavage. Customers can go on, and they can delete 
their data----
    Senator Hawley. What happens when they go onto your site to 
delete their data?
    Mr. Selsavage. When a customer logs into their account at 
23andMe, they go to their settings page, and they--there's a 
section there where just click ``delete my data.'' It confirms 
that they want to delete their data, and it's deleted 
automatically.
    Senator Hawley. Is that true? Let's take a look. Let's take 
a look.
    Mr. Selsavage. Okay.
    Senator Hawley. When they go onto your page, they get an 
opportunity. It says ``permanently delete the data.'' So they 
click the button that says ``permanently delete the data,'' and 
then they get a notification that says ``Your account is no 
longer accessible.'' If they can't access their account 
anymore, how do they know their data has been deleted?
    [Poster is displayed.]
    Mr. Selsavage. Because we send them a notification that 
their information has been deleted.
    Senator Hawley. You send it once. And how long does that 
take?
    Mr. Selsavage. You know, our policies state that, you know, 
we will delete their data within 30 days, and in most cases, 
we--it is automatic and happens much more quickly.
    Senator Hawley. And when you deleted it, it is deleted, 
deleted. It is gone forever?
    Mr. Selsavage. All the genetic data is deleted forever, 
and--yes.
    Senator Hawley. Really? Because that is not what your 
privacy statement says in the fine print. Let's read it. What 
your statement says is ``We retain personal information for as 
long as necessary to provide the services and fulfill the 
transactions you have requested to comply with our legal 
obligations, resolve disputes, enforce agreements,'' et cetera, 
et cetera. And then it goes on, ``23andMe and/or our contracted 
genotyping laboratory will retain your genetic information even 
if you choose to delete your account.''
    Mr. Selsavage. Senator, you know, 23andMe, it does not 
retain any genetic information regarding the consumer once they 
delete their account. We do----
    Senator Hawley. It says right here that you will retain 
genetic information, including date of birth and sex, even if 
you choose to delete your account. This is your privacy policy. 
I am just quoting from it.
    Mr. Selsavage. I'm--Senator, you know, to the best of my 
knowledge, we do not maintain any genetic information.
    Senator Hawley. It says, ``Even if you choose to delete 
your account, we will retain.'' ``We will retain your genetic 
information, date of birth and sex, even if you choose to 
delete your account.''
    Mr. Selsavage. There is some information that we do 
retain----
    Senator Hawley. Aha.
    Mr. Selsavage [continuing]. But not related to the genetic 
information.
    Senator Hawley. Right.
    Mr. Selsavage. But that--you know, such as name, email 
address----
    Senator Hawley. Oh.
    Mr. Selsavage [continuing]. And other----
    Senator Hawley. Ah. So even if--ah. Even if you delete the 
account, you retain their name, you retain their email address, 
you retain their date of birth, you retain their sex, and you 
retain their genetic information even if they choose to delete 
your account. So in other words--don't talk to your suit behind 
you, talk to me. He is not testifying, you are.
    You do not allow consumers actually to delete permanently 
their data. And when you said a minute ago to Senator Moody, at 
all times consumers have complete control of their data, that 
is just not true, is it? By the terms of your own agreement, 
that just is not true.
    Mr. Selsavage. Senator, with all due respect, all of the 
genetic data is deleted. We are only maintaining----
    Senator Hawley. With all due respect, what you are telling 
me is in direct contravention to what your own policy states. 
``Even if you choose to delete your account.'' In fact, what 
you do is you allow your consumers to delete their account 
settings, but their data isn't deleted. You still have it. The 
laboratory still has it. You have their name, you have their 
date of birth, you have their sex, and now you are going to 
sell it.
    Here is my point. It is a pattern. Your consumers actually 
aren't in control of anything. You are. You control their data. 
You control their genetic information. Now you are about to 
sell it. You promise them we won't ever sell it without your 
consent, but you are doing it. You promise them we will allow 
you to delete it, but you don't. In fact, you have lied to 
them, have you not?
    Mr. Selsavage. Senator, we have not. We--I assure you that 
we are deleting all of our customers who have requested----
    Senator Hawley. No, you are not. You are not because your 
policies say they are not, and you are not deleting it because 
if you were, your company wouldn't be worth $300 million.
    No, don't read from what your guy behind you is shoveling 
talking points to you now. I don't want your talking points. I 
have read your policies. I have seen what they are, and I tell 
you what, it is amazing to me you are not getting your socks 
sued off by your customers. I hope they will. I hope they will 
rush to the courthouse, even as we are here today, to sue you 
into oblivion for lying to them and taking their most personal, 
identifiable information and selling it for a profit and lying 
to them and to the American public.
    Quite frankly, Mr. Selsavage, what you are doing here has 
all kinds of implications, national security implications, all 
of it, but nothing is worse than taking the personal, 
identifiable information of American consumers and keeping it 
and lying to them about it while you make a huge profit off of 
it. It is unbelievable to me. It is absolutely unbelievable.
    This concludes our hearing. I want to thank each of the 
witnesses for taking the time to share your experience, your 
expertise, and your perspectives.
    Written questions can be submitted for the record until 
Wednesday, June 18, at 5 p.m. I will ask the witnesses to 
answer and return questions to the Committee within 2 weeks.
    The hearing is adjourned.
    [Whereupon, at 11:58 a.m., the hearing was adjourned.]
    [Additional material submitted for the record follows.]

                            A P P E N D I X

The following submissions are available at:

  https://www.govinfo.gov/content/pkg/CHRG-119shrg61889/pdf/CHRG-119shrg61889-add1.pdf


Submitted by Chairman Grassley:

 Professors, testimony............................................     2

Submitted by Ranking Member Durbin:

 Center for AI and Digital Policy (CAIDP), letter.................    10

 Professors, testimony............................................     2
