This holiday season, one of the most popular gifts given to family members was a DNA testing kit. Whether it be from 23AndMe or AncestryDNA, people across the world are sending their saliva to be analyzed and their genomes to be added to a database. The fun of it comes from finding out your ancestry, the origin of your last name, if you’re more likely to be lactose intolerant, or the names of new relatives that you’ve never even heard of. But underneath the seemingly innocent activity that may catch our attention for a day or two is a plethora of privacy concerns and uncertainty when it comes to who has your DNA information and what can be done with it.
Before understanding the state of your genome’s privacy, we need to understand how DNA testing kits work. Once you swab your mouth and send it to the testing facility, the genetic information in your sample is added to a database and compared to everyone else’s samples to analyze what it’s different nucleotide variations mean. If you have similar variations, or SNPs, to someone else’s, you may be genetically related to that person. They also determine the likeliness of developing certain health conditions, like Parkinson’s or Alzheimer’s, in this same way. However, because your DNA’s analysis is dependent on how many other people have already submitted their information, accuracy can vary widely from company to company and can only improve with time.
But, once our DNA is added to the database and we get our results back, what happens to that incredibly sensitive information? While these genetic testing companies maintain in their privacy policies that your data is de-identified, so that it isn’t associated with your identity, many argue that it can be easily re-identified. Because of advancements in technology, like improved machine learning and hidden metadata searching, and the unique nature of your genome, samples can be easily re-identified.
According to attorney Jessica B. Lee, “A genome is not your average piece of data—it is inherently identifiable, it is familial, and its value is long-lasting.” Privacy policies also state that these companies will not give your information out unless they have your written consent, but laws that guarantee this to protect your information aren’t up to snuff quite yet for many law professionals. The most promising law that has been put into place to protect your personal genetic data is the EU’s General Data Protection Regulation (GDPR), however this law puts the burden on the individual to actively protect their information, rather than on the companies to maintain their user’s privacy.
While these DNA testing companies say they need your written consent, this can be overwritten when the company is forced under court order to provide your genetic information to law enforcement. Genomic data has been used in several criminal cases, like the arrest of the Golden State Killer in California, by cross-referencing crime scene DNA with information from one company’s genetic database. While it may seem beneficial for this information to help solve crimes, not everyone is comfortable with having their most sensitive information available without their consent or knowledge, fostering worry that this information may get into the wrong hands easily.
by Jessica Grioua