Yes, it is complex. I agree that providing personal data to trustworthy research programs is beneficial to the public. Do you agree that providing detailed health data to untrustworthy corporations can easily become problematic? Because so far, you've made it sound like you don't see a reason for an individual to not provide their data to 23andMe.
It is problematic but has no perfect solution, as there is no such thing as perfect security. Create data security and governance requirements contractually. Require the partner carry insurance as well as attest to and provide evidence of their controls and processes. If they fail to protect the data provided, require penalties outlined in the data processing agreement.
Alternatively, 23andMe could offer compute to pharma companies that can run against their genetic data lake, with DLP and data security controls between them and the pharma customer. This would minimize leakage potential while still allowing compute against the data.