Privacy and cybersecurity
Key Considerations in the Acquisition Process of a Bankrupt Business
On March 23, 2025, 23andMe Holding Co. (“23andMe”), a U.S. genetic testing company, announced that it was filing for protection under the United States Bankruptcy Code to facilitate the sale of its business while carrying on its operations. This announcement prompted reactions from many privacy authorities due to the sensitive nature of the personal information held by the company (DNA, health issues and health risk factors, etc.).
The bankruptcy of 23andMe clearly illustrates certain obligations under privacy laws.
Application of Privacy Laws
The Office of the Privacy Commissioner of Canada (“OPC”), in collaboration with its British counterpart, drafted a joint letter reminding 23andMe of its obligations under the privacy laws of both jurisdictions during its business sale process, despite its U.S. incorporation and ongoing bankruptcy proceedings.[1]
Indeed, the OPC letter confirms the application of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to organizations filing for bankruptcy.
Impact of a Business Transaction
PIPEDA authorizes the use and disclosure of personal information between organizations that are parties to a prospective business transaction, without the consent of the individuals concerned, under two conditions:
- The parties have entered into an agreement regarding the protection of personal information, including security safeguards and destruction procedures; and
- The information is necessary to decide whether to proceed with the transaction.[2]
Moreover, if both parties decide to proceed with a transaction, the purchaser may receive personal information without the consent of the individuals concerned under certain conditions:
- An agreement is entered into between the parties regarding personal information;
- The information is necessary for carrying on the business or its activities; and
- A notice is provided to the individuals concerned informing them of the transaction and the disclosure of their personal information to the purchaser.[3]
Exercise of the Rights of the Individuals Concerned
Following the 23andMe announcement, several privacy authorities, including the OPC, strongly suggested that 23andMe users exercise their rights regarding their personal information and use the data and user account deletion function on the company’s platform.
PIPEDA, along with other privacy laws, grants certain rights to the individuals concerned. Therefore, it is important for any organization to have a procedure in place for responding to these requests, as the required effort may be significant depending on the nature of the request. Some laws even provide for a timeframe to respond to such requests, such as a 30-day timeframe for access requests.[4]
Are you considering a business transaction?
Our Privacy and Cybersecurity team can assist you with:
- Understanding privacy laws applicable to your organization.
- Conducting due diligence on an organization with regard to the protection of personal information.
- Drafting a confidentiality agreement during transaction negotiations.
- Developing procedures for responding to requests of individuals concerned.
[1] Joint letter on privacy protection during bankruptcy proceedings involving 23andMe Holding Co., Office of the Privacy Commissioner of Canada.
[2] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 7.2 (1).
[3] Id., s. 7.2.
[4] Id., s. 8 (1).