The fast-growing consumer genetic testing industry is expected to be worth $45 billion by 2024, but existing laws may not be up to the job of protecting the privacy of that information.
Currently, an uneven patchwork of laws exists to protect the privacy of genetic information. But that hasn’t dissuaded individuals from purchasing DNA testing kits from companies like 23andMe, Ancestry.com, and MyHeritage, often to learn more about their family trees.
Meanwhile, genetic testing companies have been marketing access to the aggregated pooled, de-identified genetic information, which is being mined by multiple users including biopharmaceutical companies seeking disease cures. For example, drugmaker GlaxoSmithKline Plc paid 23andMe $300 million for access to the anonymized patient data for research purposes.
“Employers and insurers are salivating to get their hands on this information,” Joel Winston of the Pittsburgh-based Winston Law Firm LLC told Bloomberg Law. “There are a lot of gray areas and companies are taking advantage of it.”
The genetic testing companies’ privacy policies generally provide they will only share personal genetic information with a consumer’s express written consent and the data are de-identified before they’re shared.
But the risks don’t go away even if genomic data are de-identified, Alexandra Cavazos with Loeb & Loeb LLP in Los Angeles told Bloomberg Law. Cavazos is an intellectual property litigator with a Ph.D. in molecular biology.
Data Easily Reidentified
Meta-data searching and improved machine learning have made it easier to re-identify the data, she said. And there’s a concern the data could be used for racial profiling, she added.
Loeb & Loeb attorney Jessica B. Lee told Bloomberg Law, “A genome is not your average piece of data—it is inherently identifiable, it is familial (revealing your genomic data can reveal sensitive information about your family members as well), and its value is long-lasting. These characteristics of genomic data present a unique privacy risk, and there is no broad, all-encompassing law that addresses these risks.” Lee is co-chair of the firm’s Privacy, Security and Data Innovations team in Los Angeles.
There are also state laws, including the California Consumer Privacy Act of 2018, which goes into effect in 2020 and may require more safeguards than even the European Union’s sweeping General Data Protection Regulation (GDPR) when it comes to genomic data.
“GDPR is a great start,” Winston said, “but it puts the onus on the individual to be the chief privacy officer of their life. It shifts the cost and responsibility to the individual.” GDPR is the EU’s data protection and privacy law that took effect in May 2018. It allows users to ask companies to delete their data at any time, or to export it for them in a usable format.
Winston is a former deputy attorney general for the State of New Jersey whose current legal practice is focused on consumer rights litigation, information privacy, and data protection law.
Burden on Individual
“What we’ve seen in all spaces is that law always lags behind the technology,” Loeb & Loeb’s Lee said. “The question we, as privacy professionals need to address is how do we put a legal framework in place to make sure technology progresses forward, while ensuring legal protections with privacy are put into place?”
The laws don’t protect the privacy of genetic information in all cases, either, according to Ifeoma Ajunwa, an assistant professor in the Law, Labor Relations, and History Department of Cornell University’s Industrial and Labor Relations School, and Associate Faculty Member at Cornell Law School.
“A big issue with GINA is that it has several loopholes and set-asides in it,” Ajunwa told Bloomberg Law. “For example, it doesn’t protect against genetic information being used as part of a long-term disability determination or for life insurance or for long-term care determinations, so that’s already a huge set-aside.”
Because genetic tests can determine if someone has a propensity to develop debilitating conditions like Alzheimer’s, that’s a problem, she said.
If you take a DNA test and results come back from that test indicating you have a condition, you have to disclose that on a life insurance application, Winston said.
No Blanket Protections
“There are no blanket privacy protections. Once it [the genetic information] leaves you, there’s no general absolute right to privacy,” he said.
“The FTC is completely overwhelmed and it would be impossible for them to regulate this stuff,” Winston said.
People use consumer DNA test kits for valid reasons, such as adoptees researching their birth family’s medical histories. But, for privacy reasons, it makes more sense to do such testing in a clinical setting, Ajunwa said. “That is where you’re more protected because HIPAA and other rules apply.”
DNA testing information can be protected by HIPAA, there’s a big loophole, Winston said. “You can consent to research or waive any legal protection.”
“We’re very bad at valuing what our privacy is worth, what our data is worth,” he said. “I would not advise anybody to do it [a genetic test kit],” he said.
An individual could make a decision regarding genomic data that could have implications for immediate family members and for generations to come, Lee said. Nothing in the law deals with the familial impact.
“You need to put guardrails around this,” she said. “There needs to be some guidance in place for companies to determine how to protect privacy information and obtain informed consent.”
Meanwhile, in view of massive breaches of consumer data at places like Facebook Inc., Alphabet Inc.'s Google, and Equifax, there are other potential concerns, too.
“I don’t think we’ve dealt with a breach of genetic information yet, but I think it’s coming,” Winston said.