Original article seen on JAMA
In 2018, the pursuit of the “Golden State killer” exposed how DTC genetic testing data can be used to identify and implicate individuals, their family members, or both, in the criminal justice system. Police authorities tracked down Joseph James DeAngelo as a prime suspect in a series of rape, murder, and robbery crimes that occurred over 2 decades (1974-1986) in California. Police investigators matched DNA from the crime scene with stored genetic data from DeAngelo’s relatives within GEDmatch, a public genealogy database. They identified DeAngelo as a potential suspect within the family tree and obtained DNA from DeAngelo to confirm him as the suspect. Extensive media coverage about law enforcement’s investigative approach to arrest the Golden State killer caused GEDmatch to alter its privacy policy to make it more explicit that genetic data from GEDmatch could be freely used by law enforcement.
Since the Golden State killer news broke, the media further illuminated similar events to show increasing law enforcement interest in and use of DTC genetic testing data. For example, the DTC genetic testing company FamilyTreeDNA reached an agreement with the Federal Bureau of Investigation (FBI) to grant the agency access to FamilyTreeDNA’s database of more than 1 million genetic records. At present, DTC genetic testing companies 23andMe and Ancestry still require court orders or valid search warrants for unsolicited third-party or law enforcement access to their genetic data records.
DTC genetic testing companies must adhere to consumer privacy protection laws that are enforced by the Federal Trade Commission.2 DTC genetic testing companies also provide consumer privacy disclosures for their services that describe consumer protections and data sharing. However, the protection of DTC genetic data privacy seems to largely depend on (1) the depth and breadth of the companies’ privacy policies and terms of use agreements; (2) consumer access to the privacy policies (Table); and (3) the actions of consumers in protecting their own genetic data from third-party exposure and use, such as not sharing their genetic data with public genealogy databases.
Public perspectives about law enforcement access to and use of public DTC genetic testing data are variable. Results from a survey of 1046 users of public genealogy databases showed that consumers felt that it was very (74%) or somewhat (15%) important that law enforcement procurement of DTC genetic testing genetic data be illegal.3 Another survey of 1587 adults showed that respondents were supportive of police searches of genetic data on public websites to identify perpetrators of violent crimes (80%), crimes against children (78%), or missing persons (77%).4 However, support for police searches on public genetic data websites to identify perpetrators of nonviolent crimes was lower (39%) than for other crimes.4
Results from a qualitative study revealed insights about consumer expectations of DTC genetic testing data privacy in general. Through interviews with 13 DTC genetic testing consumers, Haeusermann et al found that perceptions of privacy risks were dependent on whether individuals felt they belonged to vulnerable social groups that are more exposed to discrimination.5 This study also found that lack of concern about privacy was a perceived privilege among interviewees living in countries where discrimination based on genomic information is legally prohibited.5 This finding suggests that public policy has an important role in matters of privacy and nondiscrimination. It is uncertain whether these views are more broadly true in the United States, given the limited sample size.
In the United States, discrimination based on genetic information is prohibited under the Genetic Information Nondiscrimination Act (GINA), but GINA does not apply to law enforcement use of DTC genetic testing data. Also, DTC genetic testing companies are generally not bound by Health Insurance Portability and Accountability Act (HIPAA) privacy laws. Gaps in legal protections expose the reality that the protection of genetic data privacy often depends on (1) the means, intent, and purpose for generating or using genetic information; (2) who or what entity is generating, sharing, or using genetic information; (3) the balance of societal harms to benefits in using the genetic information; and (4) the intended outcomes or consequences following use of the genetic information (eg, arrest or the development of new therapeutics). Broad understanding of these gaps is a needed step toward identifying potential policy solutions. Furthermore, understanding and awareness of policy gaps can equip DTC genetic testing consumers, DTC genetic testing data users, and some members of vulnerable populations with knowledge to safeguard themselves and their families from unanticipated DTC genetic testing data use by law enforcement.
Recognizing gaps in GINA and HIPAA protections and understanding the Fourth Amendment and its commitment to protecting privacy and granting all persons freedom from government surveillance and warrantless government searches is important.6 Ram et al acknowledged the Supreme Court’s broad rule that voluntary data sharing negates expectations of privacy.6 This rule would seemingly negate Fourth Amendment protections under circumstances in which DTC genetic testing data are openly shared. Policy makers should delineate the circumstances under which DTC genetic testing data searches are lawfully conducted under the Fourth Amendment.6
A new computational method allows local, state, and national law enforcement to find criminals by cross-referencing genetic records from the Combined DNA Index System (CODIS) database, a genetic database of several million profiles from both convicted and suspected criminals, to genetic records in genealogy databases.7This method could reduce racial/ethnic skewness in law enforcement arrests because the CODIS database contains genetic data from largely racial/ethnic minority populations, whereas public genealogy databases contain genetic data from largely white populations.7 Whether use of DTC genetic testing data by law enforcement modifies trends in law enforcement arrests remains to be determined. Importantly, society should consider and have dialogues about decreasing privacy for many to address racial disparities in law enforcement databases, and how this decreasing privacy can affect trust in genomic medicine.
Developments outside the criminal law setting that involve DTC genetic testing also have the potential to erode public trust. For example, in July 2018, 23andMe announced its plan to share data of more than 5 million 23andMe consumers with GlaxoSmithKline to translate genetic and phenotypic data into targeted pharmaceutical treatments.8 23andMe customers have the option to voluntarily participate in this 4-year collaboration. GlaxoSmithKline and 23andMe will identify and invite patients with a particular disease or who are in specific genetic subgroups to participate in drug development studies. Society should also consider and have dialogues about how such collaborations could affect privacy in the form of unanticipated downstream target marketing by pharmaceutical companies or discrimination. The public may view the activities of companies such as 23andMe differently than the use of DTC genetic testing data by law enforcement.
Ethically sound and enforceable laws, regulations, and policies are needed to safeguard and protect the privacy rights of DTC genetic testing consumers and assuage concerns about genetic information discrimination among both socially vulnerable and non–socially vulnerable populations in the United States. These measures could help ensure that the overall benefits of DTC genetic testing (eg, advancements in medicine, criminal justice applications) outweigh the societal harms (eg, privacy erosion, genetic information discrimination and misuse).
Corresponding Author: Rachele Hendricks-Sturrup, DHSc, MSc, MA, Harvard Pilgrim Health Care Institute, Department of Population Medicine, Landmark Center 401 Park Dr, Ste 401 E, Boston, MA 02115 (rachele_hendricks-sturrup@harvardpilgrim.org).
Published Online: April 18, 2019. doi:10.1001/jama.2019.3384
Conflict of Interest Disclosures: Dr Hendricks-Sturrup is supported by a Thomas O. Pyle fellowship award at Harvard Pilgrim Health Care Institute and Harvard Medical School. Dr Lu is supported in part by an Ebert Career Development Award, Harvard Pilgrim Health Care Institute & Harvard Medical School, and reports contract with the Center for Genomic Medicine, Massachusetts General Hospital outside the submitted work. No other disclosures were reported.
