DNA testing firms say they’ll protect privacy
Ancestry, 23andMe and other popular companies that offer genetic testing pledged Tuesday to be upfront when they share users’ DNA data with researchers, hand it over to police or transfer it to other companies, a move aimed at addressing consumers’ mounting privacy concerns.
Under the new guidelines, the companies said they would obtain consumers’ “separate express consent” before turning over their individual genetic information to businesses and other third parties, including insurers. They also said they would disclose the number of law-enforcement requests they receive each year.
The new commitments come roughly three months after local investigators used a DNA-comparison service to track down a man police believed to be the Golden State Killer, who allegedly raped and killed dozens of women in California in the 1970s and 1980s. Investigators identified the suspect using a decades-old DNA sample obtained from the crime scene, which they uploaded to GEDmatch, a crowdsourced database of roughly a million distinct DNA sets shared by volunteers.
Investigators said they did not need a court order before using GEDmatch, sparking fresh fears that users’ biological data might be too easy to access — and could end up in the wrong hands — without additional regulation on the fast-growing, already popular industry.
Yet adherence to the rules is voluntary. While the policy offers users of participating sites added new protections at a time of great “uncer- A recent criminal case in California raised privacy concerns over how DNA testing firms handle personal data. tainty,” it doesn’t have the force of law, said Justin Brookman, the director of consumer privacy and technology policy at Consumers Union.
“In general, I think there should be stronger transparency requirements and legally binding rules for everyone around the transfer and use of super sensitive data like this,” he said.
Jules Polonetsky, the leader of the Future of Privacy Forum, a Washington, D.C.-based nonprofit that helped companies draft the new privacy guidelines, said that his organization’s work began months before the Golden State Killer incident. But he said hopes the blueprint can serve as a “first effort at showing the sector what the right way to handle some of these challenges is.”
“I don’t think the average consumer has wrapped their head around the range of issues they should think about when they make a decision to share (DNA) data,” Polonetsky added.
Consumer DNA testing services have surged in popularity in recent years: One report from research firm Kalorama Information estimates that the market could triple in value from $99 million to $310 million by 2022.
The growth has been spurred on by the federal government, which recently opened t he door f or 23andMe to sell consumers genetic tests that could be used to inform them of their likely risk for contracting certain diseases. And the industry has been supercharged with fresh investment amid heightened interest from academics and drugmakers who hope to tap DNA databases in search of new health insights and cures.
Last week, 23andMe announced it had struck a research deal with GlaxoSmithKline, which would see the pharmaceutical giant invest $300 million in the genomics company. As part of that pact, GlaxoSmithKline can access “de-identified” genetic data about 23andMe users — provided they’ve previously given their consent — so that the firm can “gather insights and discover novel drug targets driving disease progression,” the company said.
Under the “best practices” adopted by 23andMe and its peers, such sharing is permitted. GlaxoSmithKline is “not getting any direct access or receiving any sort of individual customer information,” said Kate Black, the global privacy officer for 23andMe, just insights about broad chunks of users and their medical traits.