23andMe Bankruptcy
Quite a bankruptcy week. First there was Forever21's gone forever 22, and now we have 23andMe. Kudos to the Slips' own Melissa Jacoby and her co-authors Sara Gerke and Glenn Cohen for having the most timely publication ever regarding the 23andMe bankruptcy filing. But there are some weird things about this case, namely the debtor acquiescing in a massive stay violation and the St. Louis, Missouri, venue.
Summary of the situation
As Gerke, Jacoby, and Cohen note, bankruptcy is not particularly protective of personally identifiable customer information. Section 363(b) allows the sale of assets outside of the ordinary course of business, and all that genetic data is 23andMe's biggest asset. Section 363(b)(1), however, provides that if the debtor has a privacy policy, then the sale of personally identifiable information must either (a) be consistent with the privacy policy or (b) not violate any "applicable nonbankruptcy law".
The problem is that while 23andMe has a privacy policy, that policy expressly allows for a sale of the data in bankruptcy, so a sale would probably be consistent with the privacy policy (unless some other terms is at issue). Nor does it appear that any applicable nonbankruptcy law that would be violated because HIPAA, the main healthcare privacy statute, does not apply here.
To be sure, the bankruptcy court can (and probably will) appoint aconsumer privacy ombudsman, who will at least be a neutral, estate-funded source of expertise and advocacy. Even though the ombudsman is just a voice in the room, nothing more, the ombudsman can use its position as a bully pulpit to get sale terms that are at least better for consumer privacy. As it happens, however, 23andMe has proposed bidding procedures that "require any person or entity who wishes to participate in the Auction to comply, in all respects, with the Debtors’ existing consumer privacy practices" and "require an affirmative statement as part of any bid acknowledgment of such compliance." In other words, whatever privacy you had going into the bankruptcy, you should have it coming out. But that's all by the debtor's good graces, rather than because of any legal protection.
Is the Debtor Soliciting Stay Violations?
So what's a concerned 23andMe user to do? Well, as Geoff Fowler's Washington Post column states "Delete Your Data Right Now." Astonishingly, that is still possible to do. 23andMe saysthat they are allowing data to be deleted by customers, even post-petition.
I'm frankly surprised. 23andMe's most valuable asset is its customer data. Deletion of data sure seems like an automatic stay violation, as it is "any act to ... exercise control over property of the estate". I cannot understand why 23andMe would acquiesce and encourage such a stay violation that is destroying valuable estate property. The stay isn't the DIP's to waive unilaterally without court authorization. Maybe I'm missing something here, but as far as I can tell, this action might open up the DIP's board to a derivative suit and a motion for appointment of a trustee or examiner. It might also open up the DIP's proposed bankruptcy counsel, Paul Weiss (!), to a challenge to its retention application and even conceivably a malpractice suit by the estate or derivatively on its behalf.
Let me be clear: allowing customers to delete their personal data is the decent thing to do. But a bankruptcy estate is not a charitable enterprise. It's fraudulent transfer law 101 that a debtor cannot just give away its assets. Moreover, 23andMe already seems to be trying to ensure compliance with its privacy policy as part of the bidding procedures. Nor can it credibly be claimed that allowing deletion of accounts is just "use, sale, or lease" of estate property in the ordinary course of business. The estate is not using the property when it is deleted. It is being denied the use of the property. At best, allowing deletion of actions is about maintenance of a customer program, something for which 23andMe filed a first day motion, but that motion does not mention account deletion. Trying to be good people on data privacy is not a legal defense to wasting estate assets any more than "it was for charity" is a defense to having donated estate property post-petition without court authorization. I have trouble understanding why the DIP did not pause all deletions until the court orders otherwise; this isn't the sort of thing for which you should seek ratification nunc pro tunc. As it is, someone might reasonable want to know how many accounts were deleted post-petition. The DIP will be in a very awkward place to refuse such a request. Once it becomes know how many accounts were deleted post-petition, it's going to become clear how much value was destroyed by allowing post-petition data deletion, and if it's more than de minimis, then the litigation specter arises.
What's with the Venue?
On top of all of this, there's a venue question. Why did 23andMe file in St. Louis, which is hardly a go-to filing destination? 23andMe is incorporated in Delaware and has a California headquarters, so it had plenty of good alternative venue options. Plus anyone who bothers to get a PO box at a UPS store 24 hours before a petition can generate venue in Texas these days. So there's always a Texas option it seems. 23andMe does have a legitimate Missouri-based subsidiary, so I'm not making any claim about illegitimate venue, but one has to wonder what drove the Missouri filing?
One cannot credibly claim that the filing decision was based on the "predictability" or "experience" of the EDMO bankruptcy bench with big chapter 11s. Paul Weiss had some reason for wanting the St. Louis venue. Maybe there was an issue with the assumption of IP licenses—both the 3rd Circuit and 9th Circuit are "hypothetical" test jurisdictions for 365(c), meaning that the debtor cannot assume IP licenses that it cannot hypothetically assign without the consent of the licensor. There's no 8th Circuit ruling on the issue, but if that was really the driver, why not file in Texas, which is in an "actual" test circuit? I'd love to know more on what was driving the venue choice here. Comments are open.
Pamela
Foohey
Anna
Gelpern
Mitu
Gulati
Melissa Jacoby
Dalié
Jiménez
Jason
Kilborn
Bob Lawless (blog admin)
Adam
Levitin
Stephen Lubben
Nathalie Martin
John
Pottow
Mark Weidemaier
Jay
Westbrook
Alan
White
Yes, a most timely article from Melissa Jacoby and my colleague, Sara Gerke, as well as Glenn Cohen. A better URL might be here: https://www.nejm.org/doi/full/10.1056/NEJMp2415835, although behind a paywall.
The automatic stay point is interesting. The debtor, however, has the data subject to the ability of the customer to delete it. It would be an odd result if the bankruptcy filing increased the debtor's state-law property rights. The debtor may have the right to change the ability to delete, but it until it has done so, the estate does not have more rights than it acquired at the moment of bankruptcy filing. I am also less convinced that the cancellations are not a § 363 ordinary-course use of property. But, yes, I agree that the wisest course of action is court approval.
My only answer for the St. Louis venue is the obvious one -- so the lawyers can go to the Cardinals game after the hearing.
Posted by: Bob Lawless | March 24, 2025 at 09:29 PM
URL fixed...
I would mock the Cardinals prospects this year, except I'm a White Sox fan, which means I can't make fun of any team playing above AA-level ball. Anything less than 121 losses is a good season at this point. This is why MLB needs a relegation process.
I see your Butner-esque argument, but I don't think that works here. How is saying that the debtor has the data, subject to the customer's ability to request a deletion different from saying that the debtor has the car, subject to the creditor's ability to activate a kill switch? The automatic stay isn't creating a property right for the debtor. It's just locking in the present state of property rights to enable an orderly, value-maximizing process.
As far as ordinary course use, I think the starting question is who actually deletes the data? Is it the customer or the debtor? If it is the customer, then the debtor isn't using anything, so 363 doesn't apply. I assume, however, that the debtor has to take some action in response to a customer request. If so, is it "use" to delete? Merriam-Websters doesn't indicate so. The relevant meanings of "use" are:
1: to put into action or service : avail oneself of : EMPLOY
2: to expend or consume by putting to use
Deleting doesn't fit in either of these senses. Consumption implies some sort of benefit for the debtor. There is none here. And even if deleting is "using," is it really ordinary course? Certainly it happens from time to time normally, but is doing it on a large scale still ordinary course? (I feel like there's some sort of deepening insolvency issue lurking here...)
Posted by: Adam Levitin | March 24, 2025 at 10:09 PM
While St. Louis doesn't have an NBA or NFL team any more, they do have the Blues and an MLS team, so there is year round major league sports there. N
o WNBA or NWSL teams. But since Paul Weiss caved to MAGA, I guess their new disdain for DEI extends to sports as well?
What is the remedy? Is the creditors committee going to sue thousands of individuals for damages? Federal Rules do allow for a defendant class, but I tried to sue a class of all the Sheriffs in Alabama because I thought the eviction procedures under state law, which are implemented by the local sheriff, were unconstitutional, and got absolutely nowhere. That class action would have been manageable, as opposed to any class action against customers who have deleted their data.
What is the value of one individual's data? Ok, its priceless. But in a court of law in the USA, you have to put a number on it. When I did a google search I found this article, which quoted someone who had looked at the black market value of stolen medical data. https://www.yahoo.com/news/medical-record-worth-more-hackers-credit-card-182251915--finance.html The going price seems to be around $10, which is more than stolen credit card numbers, but not worth suing for on a case by case basis. Could the creditors committee get an order requiring someone to resubmit their DNA?
Posted by: David Yen | March 25, 2025 at 04:37 PM
This is a great post. I have been puzzling over these issues too. To Bob's point, maybe they figured the data was not that valuable given that at the end of the day they expect that they will have to let customers delete it anyway. So why pick a fight about the automatic stay?
Separately, maybe they are being a little sneaky? If you delete your data then you also delete your account (I tested it out and that is the way it goes). So now, by your action they have no obligations to you. And if you want to get your family tree or health information back you will have to sign up and pay a new fee.
Maybe that is farfetched. Just spitballing.
No idea on EDMO, but your explanation makes sense.
Posted by: Tony Casey | March 25, 2025 at 07:22 PM
David--I don't think you go after customers for stay violations. You go after the debtor's O/D policy and after debtor's counsel's malpractice policy because the stay violations require the connivance of the debtor.
Tony—Good point that the data could be deleted post sale.
Also the deleted account vs. deleted data distinction is interesting; a family member was inquiring about the opposite--does deleting the account delete the data? If not, how can you delete the data once you no longer have an account?
Posted by: Adam Levitin | March 25, 2025 at 07:26 PM
The one thing we can all agree on is that, given the Cardinals lack of any offseason moves to address any of their glaring deficiencies, it is not clear St. Louis has major league baseball any more either. Adam, the White Sox and the Cardinals can battle it out for the AA championship.
Fair point about the kill switch on the car. My only (weak) response is the car is different than the rights in the data because the latter are wholly created and defined by the agreement between the customer and the debtor. A car by any other name is still a car. That principle does not hold for intangible "property" like this.
I like David's point about the remedy. Even if you're right, Adam--btw, nice non-ironic use of a dictionary given your last post--here is my defense to your malpractice claim. An even worse course of action would have been to announce a freeze on data deletion. That would have sent the business value plummeting even more because it would have undermined whatever trust 23andme has left. You can disagree, but it is a reasonable business judgment to make the call the other way.
Posted by: Bob Lawless | March 25, 2025 at 08:08 PM