Genetic Data Privacy: Consumers Beware
Sales of DNA testing kits have skyrocketed, as increasing numbers of consumers become interested in exploring their ancestry.
According to a recent MIT Technology Review, more than 26 million consumers have shared their DNA with one of the four leading ancestry and health databases. Stats reveal that consumers purchased the same number of at-home DNA tests in 2018 as in all previous years since 2012 combined.
If the trend continues, the companies concerned could be holding the genetic information of more than 100 million people within the next two years.
The MIT Technology Review revealed:
“For consumers, the tests — which cost as little as $59 — offer entertainment, clues to ancestry, and a chance of discovering family secrets, such as siblings you didn’t know about, ...But the consequences for privacy go well beyond that. As these databases grow, they have made it possible to trace the relationships between nearly all Americans, including those who never purchased a test.
Unsurprisingly, serious privacy concerns are being raised as researchers continue to extrapolate data from increasing numbers of individuals around the world.
But most people who take the home-based DNA tests to explore their family tree are blissfully unaware that their personal genetic data could be shared for other purposes. Consumer DNA testing companies share users' data with law enforcement, drug makers, and even app developers.
The privacy implications of genetic data came under the spotlight when police used DNA results from an ancestry company database to identify a suspect, in the long-running case of the Golden State Killer, who committed at least 13 murders, more than 50 rapes, and over 100 burglaries in California from 1974 to 1986.
The FBI was granted access to a database of some 2 million genetic profiles held by FamilyTreeDNA, an early pioneer of the rapidly expanding consumer genetic testing market.
Not everyone has the same standards
AncestryDNA and 23andMe are currently the two biggest players in the genetic and ancestry testing business. Ancestry has collected 14 million DNA samples as of January 1, with 23andMe collecting 9 million samples. Other companies reported a combined total of 3.5 million samples collected.
President and CEO of Ancestry, Margo Georgiadis, said her company does not cooperate with law enforcement unless compelled by a court order. She added that in 2018 Ancestry received 10 requests from law enforcement. However, those inquiries were related to credit card fraud, not genetics.
While at Fortune's Brainstorm Tech conference in Aspen, Colorado, Georgiadis said:
There’s no question that in the industry as a whole, other actors have chosen to go down a different path and not meet the highest standards, …Consumers need to understand they do have a choice, and that there are real differences between companies.
Ancestry has partnered with 23andMe and Helix to form an advocacy group called The Coalition for Genetic Data Protection, in a bid to defend their efforts to safeguard customers’ information and promote the industry, as lawmakers increase their scrutiny of their data privacy practices.
“We created a set of privacy standards that we all agreed to abide by,” Georgiadis said. “We tried to set them at the highest bar so that consumers can have the confidence that the companies in their industry have stated what they stand for.”
The group’s Best Practices for All Participating Companies says:
Current and future companies who make up the Coalition will promote and must adhere to the principles encapsulated in the “Privacy Best Practices for Consumer Genetic Testing Services,” a whitepaper published in July 2018 by the Future of Privacy Forum in partnership with leading consumer genetic and personal genomic testing companies that establishes standards for consumer-generated genetic data by requiring (page numbers reflect where each of the below points can be read about in greater detail in the white paper):
Detailed transparency on how genetic data is collected, used, shared and retained, including a summary of key privacy protections posted publicly and made easily accessible to consumers;
Separate express consent for transfer of genetic data to third parties and for incompatible secondary uses;
Educational resources about the basics, risks, benefits and limitations of genetic testing;
Access, correction, and deletion rights;
Valid legal process for the disclosure of genetic data to law enforcement and transparency reporting;
A ban on sharing genetic data with third parties (such as employers, insurance companies, educational institutions and government agencies) without consent or as required by law;
Restrictions on marketing based on genetic data; and
Strong data security protections and privacy by design (Page 9), among others.
No police access without a warrant
According to the MIT report, the four main ancestry players previously promised they would not allow law enforcement agencies to search their databases unless a warrant was issued. However, Family Tree DNA recently changed its policy and allowed the FBI to upload DNA samples from crime scenes.
“The unilateral change in policy — which users weren’t alerted to — is troubling because it means that our DNA, just like our posts on social media or our location data, is at the mercy of user agreements none of us have any control over or even bother to read,” the MIT publication said.
Urgent need for new genetic privacy laws
Earlier this year, Wired reported on the urgent need for new genetic privacy laws.
The rise of DNA data has legal experts increasingly concerned that the United States is not effectively protecting consumers from the many privacy risks that now loom before them. “What in heaven’s name is the law in genomics? That is not that easy to answer,” Susan M. Wolf told an audience gathered at the University of Minnesota, where Wolf is a professor of law and health policy. “We’ve got 50 states. We’ve got multiple federal agencies involved.”
The patchwork of laws means that in practice genetic anonymity is almost never guaranteed. But the legal landscape is so fractured that to fix this situation, the first issue is to resolve what rules apply to what data.
Mark Rothstein is a law professor at Brandeis and the director of the University of Louisville’s Institute for Bioethics, Health Policy and Law. He said:
In the US we have taken to protecting genetic information separately rather than using more general privacy laws, and most of the people who’ve looked at it have concluded that’s a really bad idea,
By contrast, the European Union has designated DNA as personal data and made collecting it presumptively illegal under it is recent consumer protections overhaul. In the United States, different laws regulate genetic data depending on where it is and what it’s being used for. “It’s basically a shortcut, because legislators here don’t want to enact broad legislation,” Rothstein said.
Brad Malin, a biostatistician at Vanderbilt who among many other titles serves as director of its Health Information Privacy Laboratory, summed up the situation in this way: “Sometimes it feels as if we have no privacy, and sometimes it feels as if we have no need for privacy, and then something shifts, the law, technology, adoption, and the pendulum swings the other way,” he said. “Right now we’re somewhere in between, where some people are giving up privacy and other people want it. The ones giving up their genomic data have the potential to infringe upon the privacy of others, but it’s kind of a grand experiment.”
If we get it wrong now, what’s the worst that will happen? We lose privacy for a generation. And then half a generation after that. And half a generation after that. The geneticists in the room laughed. The lawyers, not so much.
Ancestry’s Georgiadis concluded:
One of the challenges with every technology innovation is that it creates a whole new set of issues that we all need to think about, … As leaders, we need to take responsibility for thinking and anticipating those issues and setting high standards for the way in which we do business.”