by Mónika Mercz 

Following my latest post regarding the data protection issues that arise when we give away our DNA samples to DNA testing companies, I felt it necessary to further explore what problems come up when such a huge pool of sensitive personal data becomes available to a private company.

DNA testing companies often include a provision in their privacy policies stating that they may give personal data to law enforcement in specific cases. Ancestry, for example, has a clause with the pledge: “We do not voluntarily share your information with law enforcement.”[1] This is further expanded upon by the Ancestry Guide for Law Enforcement,[2] which is the company’s guiding statement to authorities not just in the United States, but around the world, including our region, Central Europe. As for authorities in the US, the company repeats the pledge stated in the privacy statement, as follows: “Ancestry does not voluntarily cooperate with law enforcement. To provide our Users with the greatest protection under the law, we require all government agencies seeking access to Ancestry customers’ data to follow valid legal process and do not allow law enforcement to use Ancestry’s services to investigate crimes or to identify human remains.” For countries outside of the US, the guide explains further that a Mutual Legal Assistance Treaty request or letter rogatory may be required to compel the disclosure of records. If Ancestry has information that may prevent death or serious injury to a person, international law enforcement authorities could request emergency disclosure. This is all in compliance with data protection regulations.

23andMe, another popular DNA testing company, however, states in its Guide for Law Enforcement[3] that “In certain circumstances, however, 23andMe may be required by law to comply with a valid court order, subpoena, or search warrant for genetic or personal information”. The company deals with the relevant US regulations in this Guide, which leaves other countries vulnerable. On the other hand, the guidelines about keeping the information available only for an appropriate amount of time are much clearer: “If we do receive a valid preservation request, we will preserve a temporary snapshot of the relevant records for 90 days, after which we will automatically remove the information from our servers unless we receive a renewed valid preservation request for an additional 90-day period.”

MyHeritage is the DNA testing company that gives the fewest details about how it cooperates with law enforcement, stating that “we will not provide information to law enforcement unless we are required by a valid court order or subpoena for genetic information.”[4]

These are all seemingly on the right track, stressing how important it is to keep DNA information safe from law enforcement. The reason for this is that uncontrolled access to anyone’s personal data could not only lead to users’ genetic background and level of health becoming public knowledge, easily weaponized against them by insurance companies[5] or pharmaceutical companies,[6] but it could also create societal problems.[7] In addition, analytics algorithms and artificial intelligence applications built on big data can generate problems. In order to reduce the risk of improper handling of personal data on such a large scale, a trusted third-party intermediary who collects the data on its server platform is required.[8] This shows up in privacy statements as well.

At Family Tree DNA, users are automatically opted in to having their DNA samples compared against samples uploaded by criminal investigators. The company has even started its own Investigative Genetic Genealogy unit.[9] Permission to use the Service for law enforcement purposes is only granted if it is necessary to identify the remains of a deceased individual or to identify a perpetrator of homicide, sexual assault, or abduction.[10] This means that this particular company has a policy of prioritizing fighting crime over data protection. Of course, this is an understandable point of view if we think about how many recent cases have been solved by using DNA testing.

An example of this is the 1988 abduction, rape, and murder of 8-year-old April Tinsley. Law enforcement had been trying to chase down the perpetrator for decades, until in 2015, a sophisticated computer program used by a Virginia laboratory produced a new composite sketch of what April Tinsley’s killer might look like based on DNA evidence found at the crime scene. In 2018, a new law went into effect, stating that those arrested for a felony crime in the Hoosier state had to begin submitting DNA samples via cheek swabs. This is how they ended up finding the murderer of April Tinsley: uploading the DNA taken to a database allowed them to locate the person responsible and bring him to justice.[11]

Another cold case that was solved by using DNA testing databases is the case of the Golden State Killer, who killed 12 people and raped 45 women across California between 1976 and 1986. Despite the horrible number of crimes committed, the perpetrator was not identified until he was tracked down through his family tree.[12] Police said they checked the crime scene DNA against GEDmatch, a database that acts as a collector for DNA test results. It was the first database to be used successfully by law enforcement. Currently the GEDmatch website states that two types of DNA data are permitted to be uploaded: “DNA obtained and authorized by law enforcement to identify a perpetrator of a violent crime against another individual, where ‘violent crime’ is defined as murder, nonnegligent manslaughter, aggravated rape, robbery, or aggravated assault” and “DNA obtained and authorized by law enforcement to identify remains of a deceased individual.”[13]

A sophisticated DNA test known as "familial searching", which helped in this case, links DNA from the crime scene to the perpetrator's family members. While we can rejoice in the knowledge that crimes like this can be solved even after decades using this technology, as has been proven by several other cases too,[14] the balance between public good and personal information must be preserved.

If we continue down this path, there will need to be clear guidelines about what DNA testing companies can and cannot do. Not allowing police access to any pool of data might seem like the most clear-cut solution; however, the results shown indicate that this approach would mean leaving families to suffer. While I do not have all the answers to this problem, my hope is that we can start a conversation about potentially setting laws specifically regarding the issues of data protection when it comes to DNA testing companies. These laws should be applicable not just in the US, but also in Europe and preferably around the world. A more realistic approach might just be starting a discourse for now, which I am honoured to be a part of. I invite other scholars and data protection specialists, as well as law enforcement officers, to share their opinions about possible solutions to this phenomenon.






