Is your privacy protected when you do a DNA test?

You may think that the Privacy Policy of your favorite DNA testing company protects you, your identity, and your personally identifiable information. But, that is simply not the case. Even though most DNA testing companies de-personalize your data, the nature of genetic data itself stores personally-identifiable information. So, just because your name is not on the sample, there are still methods which can be used to identify your genetic code.

Further, genetic testing companies are not covered under the Health Insurance Portability and Accountability Act (HIPAA). This act typically enforces the rule that doctors and health insurance agencies cannot share your personal medical records with first removing all personally identifiable information. 

And, while the Genetic Information Nondiscrimination Act (GINA) does protect you from being excluded from Medicare based on your genetic information, this act does not apply to long-term care plans, life insurance, or disability insurance. These companies are essentially free to discriminate against you based on genetic variants you may carry. In essence, this could make you uninsurable. 

So, why it may seem that a genetic testing company’s Privacy Policy covers your interests, think again. This article focuses on aspects of genetic privacy which should give you good cause to stop and think before getting your genes tested. Check it out!

What kind of information your DNA contains?

Your DNA is absolutely unique to you. Unless you have an identical twin, no one else on Earth shares your unique genetic code. Even identical twins can have minor mutations which make their DNA unique, even if it is hard to measure. This genetic code spells out every aspect of your body. In fact, as we learn more and more about DNA, it will be easier and easier to detect many personally identifiable traits – such as eye color, height, hair color, and other traits. 

Further, genetic information alone is mostly useless to researchers. In order for it to be of any value, it must contain some personal information. For example, while the company may scrub your name from the data, it will still contain information on what diseases you have, where you were born, and other information about your life that researchers can use to better understand the genetic code. 

How hard is it to identify you according to your DNA?

Unfortunately, the answer to this question is: incredibly easy. For example, if an amateur genetics enthusiast got even a minor sample of your DNA, they could easily identify you or your family in a genetic database simply by getting the sample tested. Plus, several genetic ancestry databases are free to use, such as GEDmatch. 

This amateur enthusiast could simply process your genetic sample and find direct matches to a distant family member who has already submitted their DNA to the database. Then, using social media connections and a phone book, they could likely find you, your address, your phone number, your employer, and other information. While this would technically be against the rules genetic testing companies have, there is almost no way for them to enforce these rules. 

This alone is a good reason not to engage in genetic testing. However, random genetic enthusiasts are the least of your worry. 

Do DNA companies share your results with third parties?

Almost all genetic testing companies sell aggregated genetic data. DNA testing companies often share their databases with insurance companies, drug-development companies, and law enforcement agencies. These entities are not looking to help you in any way. At best, you get excluded from life insurance based on genetic variants you carry. At worst, you get implicated in a crime because law enforcement used the database to identify you or a family member. Neither is a desirable outcome.

Further, it has become clear that several companies allow law enforcement to access their database without a search warrant. FamilyTreeDNA was recently found giving the FBI access to their entire database. While this was intended to help find criminals, it is also highly fallible. If only a partial DNA profile was found on the scene of a crime, it could lead to you or a family member being falsely accused of a crime. 

For the moment, the sharing of this genetic information is completely legal. HIPAA and GINA do little to nothing to stop the transfer of genetic data. Law enforcement agencies are increasingly using these genetic databases as a tool for finding suspects. Likewise, any life insurance company wanting to maximize its profits would be totally within the bounds of the law if it were to exclude you from coverage based on your genetic profile.

Some companies, like 23andMe and Ancestry, refuse to work with law enforcement agencies without a search warrant. But this is hardly a deterrent for serious criminal investigations. Further, these companies have no qualms about selling your aggregated data to drug-development and insurance companies, and this actually makes a large revenue stream for these companies. 

Famous Lawsuits on DNA Privacy

One of the most relevant lawsuits on DNA privacy is found in the Supreme Court case Maryland v. King. In its decision, the Supreme Court upheld the practice of obtaining DNA from an arrested suspect and testing that DNA against a database. The Court found that this practice is not a violation of the Fourth Amendment. 

This more-or-less opened the door to law enforcement agencies using genetic databases to find and identify potential suspects. However, this doesn’t really answer the question of whether law enforcement can search databases without a warrant or a suspect. As the Golden State Killer trial is about to begin, the use of genetic databases against a criminal is sure to make its way to the higher courts. Although, this could take a decade or more to reach a conclusion. 

But, the super-rich are already battling with genetic information. With the lawsuit Peerenboom v. Perlmutter, we may find out more about what the law considers your property. Supposedly, Peerenboom stole the Perlmutter’s genetic data, without their consent. Traditionally, genetic information and DNA are not something that can be ‘owned’. This may change, however, if the court rules in favor of Perlmutter.

For the moment, there are no laws or court rulings which protect your genetic data and stop companies, law enforcement, or individuals from using it against you. 

What can you do to protect yourself?

If this article hasn’t completely dissuaded you from getting a genetic test altogether, there are still some things you can do to protect your genetic information. First, carefully analyze the Privacy Policy of the company you are going to be dealing with. Many of the largest companies operate in the same fashion, by selling genetic data as a side hustle.

Second, instead of trying to beat them, you could join them. Several smaller companies now let you control your genetic data, and sell it to who you want. Nebula Genomics, for instance, stores your DNA data on a blockchain platform. This allows you to keep ownership of the data while selling it to the same agencies that companies like 23andMe are selling your data to anyway. While this still allows companies to access your data, at least you get paid for it. 

Unfortunately, because over 10 million people are already in genetic databases, it is unlikely that this genetic data problem will ever go away. With that many people, almost every person in the United States can be identified, or at least a member of their extended family. In other words, the days of genetic privacy are over. Welcome to Gattaca.