Professor Margaret Hu serves as expert witness on National Security, Data Privacy, and AI before U.S. House committee
The June 10 hearing addressed concerns surrounding 23andMe’s bankruptcy proceedings.
Margaret Hu, the Davison M. Douglas Professor of Law and director of the Digital Democracy Lab at William & Mary Law School, testified before the full committee of the U.S. House Committee on Oversight and Government Reform on June 10.
The hearing was titled, “Securing American’s Genetic Information: Privacy and National Security concerns Surrounding 23andMe’s Bankruptcy Sale.”
23andMe is a commercial genetic testing company that holds the genetic and personal information of more than 15 million customers. In March 2025, 23andMe filed for Chapter 11 bankruptcy protection. Hu explained in her testimony that 23andMe’s “most valuable asset is its genetic database, now the subject of a bidding process.”
The Chairman of the House Oversight Committee, Rep. James Comer (R-Ky.), announced that he would be opening an investigation into the potential national security implications of the bankruptcy filing of 23andMe in March 2025. In Comer’s March press release, announcing the investigation by the U.S. House Committee on Oversight and Government Reform, he cited Hu’s quote in a CNBC article on the matter. “The intricacies of the bankruptcy process for 23andMe underscore risk for consumers. Ms. Margaret Hu, professor of law and director of the Digital Democracy Lab at William & Mary Law School cautioned, ‘[w]hen you’re in bankruptcy, data privacy values are not what you’re really thinking about. You’re thinking about selling your company to the highest bidder[.]’”
Chairman Comer opened the hearing with his concerns about whether or not the sale and transfer of the genetic database could, as a national security concern, fall into the hands of a foreign adversary as a result of the bankruptcy proceedings. He explained his position that, "It is imperative that 23andMe, and other companies like it, ensure there is absolutely no legal or illegal way for foreign adversaries or anyone else to access, manipulate, and abuse Americans' genetic data to advance their nefarious agendas." He shared that the committee had other concerns that fell outside of national security, including whether "[d]isclosure of individuals' genetic data could also be used for assessing higher insurance premiums, restrictions on credit extensions by financial institutions, and targeted advertising based on predisposition to specific medical conditions."
The hearing also included the opening statement of the Interim Ranking Member of the House Oversight Committee, Rep. Stephen Lynch (D-Mass.). Hu was invited as an expert witness by the Interim Ranking Member.
Lynch shared that, "While health care providers and insurance companies must follow federal laws like the Health Insurance Portability and Accountability Act, or HIPPA--which protect patients' sensitive data from unauthorized sharing--[in contrast,] direct-to-consumer companies like 23andMe operate with minimal oversight and regulation." He added, "The lengthy and opaque terms of service and privacy policies that customers are required to agree to typically allow for their data to be sold during a sale or bankruptcy, and that is precisely the situation that millions of the company's customers find themselves in today."
In addition to Professor Hu, the witnesses for this hearing also included Anne Wojcicki, 23andMe’s co-founder and the former CEO of the company, and Joe Selsavage, the interim CEO of 23andMe.
Wojcicki shared that the company was committed to protecting data privacy and, since the company’s founding, had strived to protect the genetic data privacy of its consumers. She explained during her testimony that 23andMe “maintained a strict policy during my tenure that we never provided individual-level customer information to any third party without the customer's explicit consent. Even then, we always removed personally identifiable information before sharing it."
Both Wojcicki and Selsavage emphasized that the company attempted to follow the best practices and protocols of the industry’s cybersecurity and data privacy principles. Selsavage testified that, during the bankruptcy proceedings, 23andMe was committed to identifying a buyer that “shares our commitment to customer data privacy." Specifically, he stated that “no bids would be accepted from entities based in or with controlling investments from countries of concern, such as China, Cuba, Iran, North Korea, Russia or Venezuela[.]” As an additional protection, Selsavage explained that 23andMe supported the appointment of a consumer privacy ombudsman to help serve in an advisory role to the U.S. Bankruptcy Court for the Eastern District of Missouri, which is the court that is now overseeing the bankruptcy proceedings.
Hu’s testimonial statement reaffirmed the importance of the appointment of the consumer privacy ombudsman by U.S. Bankruptcy Judge Brian Walsh, but also added that the role was “advisory, not determinative.” As Hu shared in her written testimony, "23andMe's original privacy policy represented to users that their data would not be shared without consent. However, it is now in the hands of bankruptcy law to assess whether these original promises can be reneged and whether the incoming buyer of 23andMe will override these original expectations." She added that, "[w]ithout a federal genetic privacy framework and an omnibus federal data privacy law, this data could be sold-even to entities with entirely different purposes."
"The federal government does not provide data privacy or data protection guidance for DNA kit companies like 23andMe," Hu explained in her testimony. "There is no specific minimum cybersecurity safeguards required under federal law either. Very general consumer protection laws, for example, are not adequate here, especially since we're talking about highly sensitive genetic information that is linked to highly sensitive consumer profile information, such as ethnicity and race, birth date, and other data."
Hu concluded her opening witness statement with the explanation that the matter of the hearing was particularly urgent because "[t]he topic of genetic data privacy, unfolding within the context of the bankruptcy proceedings of 23andMe, is simultaneously unfolding within the context of a larger crisis: inadequate federal data privacy and cybersecurity safeguards generally, and inadequate federal laws to address the challenges of the AI revolution."
Throughout the three and a half hours of the hearing, Hu emphasized that the 23andMe bankruptcy proceedings created a unique opportunity for bipartisanship to examine potential legislative initiatives that could strengthen national security through greater understanding of the future of AI warfare. Hu invited the members of Congress to assess how and why, from a military and intelligence standpoint, foreign adversaries were “fighting to get this data” for a new AI battlefield, and “for strategic advantage, sometimes referred to as military identity dominance, or biometric cybersurveillance or biometric cyberintelligence.”
"Data privacy is not only a consumer data privacy issue, but also a national security one," Hu added, and that the House Oversight Committee hearing presented a chance to see "[t]he 23andMe bankruptcy filing is a wakeup call that our current legal inadequacy amounts to instability in our national security."