WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and Sen. Todd Young (R-IN), a member of the Senate Select Committee on Intelligence, wrote to leadership at the Department of Justice (DOJ) and Federal Trade Commission (FTC) expressing the need for the agencies to exercise all available authorities to protect the sensitive genomic information of Americans, including in the bankruptcy proceedings of 23andMe, a personal genomics and biotechnology company that holds the DNA and sensitive information of millions of individuals.

The senators highlighted the attempts by the People’s Republic of China (PRC) and other foreign adversaries to collect this type of genomic data from Americans and the various ways in which the PRC has used sensitive biometric data for surveillance efforts.

“As the Chinese government has realized, genomic data is incredibly valuable. Biological data is critical to biomedical discovery, particularly when, as here, it contains substantial amounts of personal genomic data. It can be used to create, design, and optimize everything from biopharmaceuticals and medical devices to optimizing AI models for medical applications,” the senators wrote. “The PRC also has demonstrated a sustained effort to leverage genomic and other biometric data for extensive surveillance; accessing this data - either directly or indirectly - could further enable PRC transnational surveillance, including posing counter-intelligence threats to the United States. In addition, genomic data can be used to create dual-use technologies that, on the one hand, could help create vaccines for diseases, but on the other hand, can be weaponized by our adversaries to for malign intent.”

While applauding the recent actions by the Justice Department in current proceedings, the senators underscored the need to take more steps to ensure that bad actors are prevented from acquiring, legally or illegally, Americans’ genomic information. 

The senators continued, “In addition to the Department's recent filing, and any anticipated CFIUS review, the Department, in conjunction with the Commission and other U.S. agencies as appropriate, must closely monitor the sale or transfer of, or access to, 23andMe's genomic databank, regardless of whether that activity is in the ordinary course of business, for compliance with all applicable statutes related to national security and consumer protection.”

This is the latest effort by Sen. Warner to safeguard Americans’ data and sensitive information from adversaries. As Vice Chairman of the Senate Select Committee on Intelligence, Sen. Warner has worked to ensure the U.S. is prepared to counter threats posed by foreign adversaries including the PRC across various sectors. Sen. Warner spearheaded the push to force CCP-based Bytedance to divest from TikTok in order to allow the app to continue operations in the United States. Last year, Sen. Warner introduced the Countering CCP Drones and Supporting Drones for Law Enforcement Act, legislation to cut off dangerous CCP drone companies from the U.S. telecommunication infrastructure. Sen. Warner also introduced bipartisan and bicameral legislation to improve information sharing between private companies and the Intelligence Community in order to mitigate the threat that foreign adversaries including the CCP pose to United States companies in foreign jurisdictions on projects relating to energy generation and storage, including in the critical minerals industry, and earlier this year, Sen. Warner introduced legislation aimed at shoring up America’s response to financial threats stemming from the PRC.

A copy of letter is available here and text is below.

Dear Attorney General Bondi and Chairman Ferguson:

We write to urge the Department of Justice ("Department") and the Federal Trade Commission ("Commission") to exercise the full scope of their legal and statutory authorities in 23andMe Holding Co. ("23andMe")'s bankruptcy proceeding. We commend the Department on its April 22, 2025 filing in the 23andMe bankruptcy proceeding, recognizing that the Committee on Foreign Investment in the United States (CFIUS) should review this transaction in light of the substantial national security concerns involved. However, additional action from agencies are necessary in order to prevent adversaries, including the People's Republic of China (PRC), from acquiring millions of Americans' genomic data.

Chinese authorities have already collected genomic data on millions of their own citizens, and continue to actively target foreign companies, including in the U.S., for acquisition or investment, as well for theft, in order to obtain foreign individuals' genomic data, creating serious implications for national security, public health, economic security, and Americans' privacy. As the Chinese government has realized, genomic data is incredibly valuable. Biological data is critical to biomedical discovery, particularly when, as here, it contains substantial amounts of personal genomic data. It can be used to create, design, and optimize everything from biopharmaceuticals and medical devices to optimizing AI models for medical applications. The PRC also has demonstrated a sustained effort to leverage genomic and other biometric data for extensive surveillance; accessing this data - either directly or indirectly - could further enable PRC transnational surveillance, including posing counter-intelligence threats to the United States. In addition, genomic data can be used to create dual-use technologies that, on the one hand, could help create vaccines for diseases, but on the other hand, can be weaponized by our adversaries to for malign intent.

In order to prevent China from weaponizing this data, or outcompeting the U.S. economically, the U.S. must urgently prioritize the protection of biological and genomic data, particularly of Americans, starting with that held by 23andMe.

As the Department notes in its recent filing, its Data Security Program must be better utilized to ensure the protection, and prevent the acquisition, of Americans' sensitive genomic data. In addition to the Department's recent filing, and any anticipated CFIUS review, the Department, in conjunction with the Commission and other U.S. agencies as appropriate, must closely monitor the sale or transfer of, or access to, 23andMe's genomic databank, regardless of whether that activity is in the ordinary course of business, for compliance with all applicable statutes related to national security and consumer protection. Chairman Ferguson's letter to the Office of the U.S. Trustee lays out a clear rationale for robust oversight by the Justice Department over the legal obligations and protections that 23andMe owes its customers ("users"). 23andMe's users also should have the ability to remove their genetic data from acquisition by a foreign government or entities under the control or influence of a foreign government, including data associated with other personally-identifiable information and any other data generated by 23andMe that uses genetic data in the aggregate.

23andMe's users provided their sensitive, personal genetic data to a privately-owned U.S. company, potentially without fully understanding the implications of this data falling into the hands of adversaries, including cybercriminals and foreign nation-states. Further, the genetic information held in 23andMe's databank has implications for relatives of 23andMe users who share common genetic markers, creating additional privacy concerns for such individuals who had no opportunity to consent to how 23andMe's data could be used in ways that affect them.

Outside of this proceeding, we urge the Department, the Commission, and other relevant federal entities to closely monitor future transactions, and use all levers as appropriate, where foreign entities, particularly those under the control or influence of foreign nations of concern, are attempting to purchase - through bankruptcy proceedings or otherwise-Americans' sensitive biologic and genomic data. To this end, we encourage the DOJ to evaluate any appropriate updates to its recently-released Final Rule,6 implementing Executive Order 14117 on "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern", to address any novel risks posed by potential acquisition (and resale) of 23andMe data by covered vendors.

In addition, the Department and the Commission must work with lead agencies to support the cybersecurity of genomic data. In March 2022, 23andMe suffered a security breach that compromised the genetic information of millions of users, underscoring concerns around genomic data privacy and misuse.

In short, it is paramount to our national and economic security that there is a whole-of­ government approach to protecting Americans' sensitive genomic data, including by preventing malign entities from gaining access to such data through commercial acquisition, cyberattacks, or other illicit means. We remain committed to working with the Department, the Commission, and the Administration broadly on this issue.

###