Houston Chronicle

Privacy guidelines for DNA testing fall short

By Tiffany Li and Mason Marks

The direct-to-consumer genetic testing industry is booming, and over 12 million people are estimated to have completed testing. Even established companies like weight-loss service Jenny Craig are now offering DNA tests. Last week, amid growing privacy concerns, a group of the largest DNA testing companies, including 23andMe, Ancestry.com, and MyHeritage, jointly released a set of industry best practices regarding user privacy. As DNA testing becomes more mainstream, the question remains: Is your genetic data safe?

The new guidelines arrive on the heels of a string of privacy controversies. Just last week, 23andMe announced a major deal with pharmaceutical giant GlaxoSmithKline, raising concerns about the use of 23andMe users’ genetic data in for-profit research. Earlier this month, 23andMe publicly offered DNA testing services to detained refugees, which sparked outcry from privacy advocates. In May, the NIH launched a new initiative seeking the DNA of 1 million Americans. Earlier this year, police used public DNA databases such as GEDmatch to catch criminals including the Golden State Killer.

Industry best practices are a positive step in the right direction, and the new guidelines contain several good recommendations. For example, they suggest that users be permitted to request that their DNA samples be destroyed, and informed consent should be obtained before genetic data is used for research. However, these non-binding, self-imposed guidelines may be insufficient to protect consumer privacy. Consider, for example, the recent Facebook controversies. For years, Facebook promised it would fix the company’s privacy problems. Nevertheless, a series of high-profile scandals involving the social media giant have emerged. By comparison, the privacy harms for the genetic testing industry could be far worse. Genetic information is the most intimate personal data that a person can reveal, and the full extent of the privacy risks remains unknown. Moreover, unlike social media, genetic testing has an air of “medicalness” that engenders a false sense of security in consumers.

Current U.S. health privacy laws provide inadequate protection. For instance, the Health Information Portability and Accountability Act (HIPAA) protects patient medical information; if doctors or hospitals share health data inappropriately, they can face hefty fines imposed by the Department of Health and Human Services. However, HIPAA does not apply to direct-to-consumer genealogy and genetic testing companies like 23andMe and MyHeritage, which occupy a legal grey area. These companies could share users’ genetic data with third parties without violating federal law. With only these companies’ privacy policies and the new industry guidelines to protect them, consumers of genetic testing services are placing their health data at risk.

If users’ genetic information is shared, sold, or stolen, few if any laws protect them from harm. The Genetic Information Nondiscrimination Act (GINA) prohibits employers and health insurance companies from requesting genetic test results or discriminating against people based on that data. But it has significant limitations. For instance, though it applies to employers and health insurance companies, it does not apply to other entities with an interest in your genetic information such as life insurance companies, lenders, and advertisers. According to Ellen Wright Clayton, a genetics expert and professor of law and medicine at Vanderbilt University, “GINA actually provides very little protection.”

Some US lawmakers have taken an interest in the privacy policies of consumer genetic testing companies. If these companies want to continue operating without federal regulation, they need to be more proactive: In addition to agreeing to broad principles like those found in the newly released guidelines, companies should pledge to comply with HIPAA guidelines for the storage and protection of medical information even though they are not required to do so. They should vow to protect not only the raw genetic data that they collect from consumers but also any inferences that can be drawn from that data. They should also consider making all services exclusively opt-in, including participation in research, even if only aggregate data is used. Finally, companies could promise to act as fiduciaries of user information, which would establish duties owed to consumers on par with those characteristic of the trusted relationships between doctors and patients or lawyers and their clients.

Professor Jack Balkin of Yale Law School suggests treating companies that handle large volumes of consumer data as “information fiduciaries” to reduce the risk of consumer exploitation. The concept is gaining traction; it was raised during Mark Zuckerberg’s Congressional hearing in April and made its way into India’s proposed personal data protection law.

By creating new industry standards specifically aimed at protecting consumer privacy rights, genetic testing companies are asking consumers to trust them. But trust must be earned. Though the guidelines are a good opening statement in an ongoing conversation with consumers, actions speak louder than words. If companies wish to mollify the fears of consumers and regulators, they must do more to protect genetic privacy. Poorly handling user privacy cost Facebook billions this week. If genetic testing companies don’t set a better example, their profits could be next to fall.

Li is a visiting fellow at Yale Law School’s Information Society Project where she directs the Wikimedia Initiative on Intermediaries and Information. Marks is a joint research fellow at NYU Law School and Cornell Tech and a visiting fellow at Yale Law School’s Information Society Project.
