Getting under your skin  - Why DNA tests provide insufficient protection to our data

by Mónika Mercz 

When it comes to humanity, it has long been stated that we are social creatures, and thus we all wish to have a sense of belonging. We have a deep-seated desire to know where we come from, what kind of ethnic background we have, and oftentimes we wish to discover what secrets our DNA holds. With today’s technological developments we can easily answer these questions as well as predict the probability of certain diseases. We can even connect with family members whom we have never met before. All of this is available to us through the technology of DNA testing companies. For a small price, they take a sample and send us the answers to questions we have always been dying to know. But what are the risks of handing out our DNA to foreign companies? Is our data safe in their hands?

These are questions I have been trying to find the answer to for several years now. I started researching this topic in 2019. Although the COVID-19 pandemic has made the rapid growth of DNA testing’s popularity slow down considerably,[1] many believe that this industry will be worth $45 billion by 2024.[2] This is why researching the potential dangers of it is incredibly important. The Hungarian National Authority for Data Protection and Freedom of Information has issued a statement about how they view DNA testing and the companies providing this kind of service. They warn about the possible negative consequences of handing out our DNA sample as they find the protection provided by the companies to be lacking. They maintain that the services are not acceptable because of the lack of adequate information in relation to the handling of samples and the lack of appropriate information on the processing conditions. They also wish for the duration of the processing and the rights of data subjects to be included in more detail in privacy statements.[3]

I agree with their assessment, as the purpose of data protection is to make the individual opaque and the state transparent.[4] As a result, information systems that are to be kept separate cannot be controlled by any single branch of power.[5] Article VI of our Fundamental Law contains paragraphs on the protection of personal data and access to data of public interest.[6] Pursuant to the Fundamental Law, Act CXII of 2011 was adopted. This Act provides for the protection, use and storage of data, and elaborates the detailed rules. It is heavily tied to EU law, which is the most important source of data protection. Of course, the law that governs these issues on the level of the EU is Regulation 2016/679 of the European Parliament and of the Council (hereinafter: GDPR).

It is essential to define what “personal data” means when examining the issue of DNA testing and data protection. A fundamental principle is that within the legal framework, personal data may only be collected for a legitimate purpose, and the controller must respect the purpose of the data and ensure data security.[7] These aspects become of paramount importance when handling sensitive data, which is a special category of personal data.[8] As such data have a deeper impact on the personality of the individual concerned, they are given greater legal protection. Its main groups are data regarding race, genetic data and health data, which are exactly the data DNA testing companies work with.

The first DNA testing company I have looked at is called Ancestry. Its website is available in English, and Ancestry is said to be one of the world’s most prominent companies in the field of DNA testing. Its privacy statement has changed considerably throughout the years. Specifically, the most recent changes include the addition of language to comply with the California Privacy Rights Act of 2020 (“CPRA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and the Australian Privacy Act 1988. There is no mention of the GDPR.[9] There used to be several references to AncestryHealth in 2019 and 2020, which have been removed since the company discontinued this project.[10] These two aspects were tied together in 2019, and people who wished to see what their health status was could easily access it via their DNA profile.

23andMe is a company in a similar league, with millions of people handing their DNA sample to it. Previously, the company’s privacy statement was hard to understand, but it has now been updated for easier understanding.[11] Through this change, the public is better able to understand why certain decisions have been made, and the information is more readily accessible.[12] This was especially needed after an arrangement sparked public outrage. 23andMe made an arrangement with GSK, a famous pharmaceutical company, which agreed to invest 300 million dollars into the company during their four-year collaboration focusing on the research and development of innovative new medicines and potential cures, using human genetics as the basis for discovery.[13] When asked, 23andMe stated that 80 percent of their clients permit this to take place, as they have not opted out of the option of handing out their anonymous data to third parties. Consequently, a great deal of pressure is placed on the users, since they must possess a certain level of proficiency in using computers in order to ensure the security of their data.

The third company I have researched is MyHeritage, which is a smaller company. Even though the website is available in several languages, including my mother tongue, Hungarian, I believe it is important to talk about their privacy statement, since it is only available in English. This means that anyone using the services of this company needs to speak English at a higher level to understand what he or she is consenting to. Many people cannot speak foreign languages, or they only understand a bit of English, and as a company trying to provide services worldwide, it should be the responsibility of MyHeritage to make the privacy statement available in every language the website can be found in. However, the privacy statement has improved considerably since 2019, now containing information about the GDPR.[14]

Each of the three DNA testing companies states that it may use the personal information of its clients to produce anonymous statistics. They collect data on the devices used to access their websites as well. MyHeritage collects data through Facebook and our Google account, if we give it access to them. Deleting our account may also not have the effect we expect, as MyHeritage and Ancestry will keep a copy, and with 23andMe it may take 30 days to delete your data.

In each privacy statement the controller of the data states that the legal basis for processing data is the direct consent of the person giving out their data. This person is the owner of the information about themselves. Ancestry and 23andMe also give information about where the client can turn if they feel their privacy has been violated.

The companies in question may send the received information to third parties. MyHeritage names three cases in which this may take place: if they have a legal obligation, if our DNA matches another user’s DNA and we are related, or if the owner of the company changes. 23andMe expands this list by stating that it also hands the data out to service providers and for research purposes. Ancestry may establish an agreement for financial benefit or may work with infrastructure providers.

We also need to take a look at how the protection of children is implemented at the different companies. While Ancestry and 23andMe provide services to clients only above the age of 18, except for the case when a legal guardian consents to the child’s DNA being tested, MyHeritage has a completely different approach. This company is a bit more lenient, as here it is possible for anyone above the age of 13 to use their services. The issue with this phenomenon is that oftentimes, children around this age cannot fully comprehend what they are consenting to, as their maturity is still developing.

In conclusion, the standard that these companies have to conform to is very low at the moment. There are valid concerns about whether our entire DNA profile could be used and sold. There have been criminal cases solved with DNA testing, which is a wonderful development; however, there is growing concern about, for example, how authorities obtain the DNA samples of perpetrators’ family members.

It is important to keep in mind that the data controllers in this case reside outside of the European Union, and therefore their standards of privacy differ from ours. This difference is one of the most pressing issues that needs to be addressed, and our goal should be to close the gap and find common ground that is acceptable to all parties. All of these companies have clients worldwide, and the highest standards of data protection law should be applied in all cases for maximum security.

For further information see: Agnar Helgason – Kári Stefánsson: The past, present, and future of direct-to-consumer genetic tests, Dialogues Clin Neurosci. 2010 Mar; 12(1): 61–68. doi: 10.31887/DCNS.2010.12.1/ahelgason

[4] Sári János – Somody Bernadette: Alapjogok. Alkotmánytan II., Osiris Kiadó, Budapest, 2008. 210-214.

[5] Szabó Máté Dániel: Az információs hatalom alkotmányos korlátai című doktori értekezésének tézisei, Eötvös Loránd Tudományegyetem Állam- és Jogtudományi Doktori Iskola, Budapest, 2011. 10.

[6] Article VI (3): Everyone shall have the right to the protection of his or her personal data, as well as to access and disseminate data of public interest.

Article VI (4): The application of the right to the protection of personal data and to access data of public interest shall be supervised by an independent authority established by a cardinal Act.

[7] GDPR Article 5. For further details see: Majtényi László: Az információs jogok. In: Halmai Gábor – Tóth Gábor Attila (szerk.): Emberi jogok. Osiris, 2003. 592.

[8] GDPR Recital (51)