Some of the top genomic-testing companies have agreed to abide by a new set of guidelines when sharing consumers’ DNA information with law enforcement and other third parties.
Companies 23andMe, Ancestry, Habit, Helix, and MyHeritage released on Tuesday a guide, “Privacy Best Practices for Consumer Genetic Testing Services,” which the companies plan to follow moving forward. Under the new voluntary protocols, these companies will obtain separate consent from users before sharing “individual-level information,” including personal information and genetic data, with other businesses. The new guide also says that the companies will provide an annual report that shows how many requests they received from police, similar to those issued by companies like Facebook and Google.
In April, California officials revealed investigators had used information from genealogy websites to figure out the possible identity of the Golden State Killer after he had eluded authorities for 44 years. But those investigators did not acquire a court order to retrieve the data since they used GEDmatch, which uses publicly shared raw genetic data. The incident stoked concern about how businesses handled users’ DNA data.
The Future of Privacy Forum worked with the businesses to create the new rules. “I don’t think the average consumer has wrapped their head around the range of issues they should think about when they make a decision to share [DNA] data,” Jules Polonetsky, the non-profit’s CEO, told the Washington Post.
Polonetsky told the Post the Future of Privacy Forum had been working on the new guidelines for months before the Golden State Killer news.
Genetic-testing companies will likely only become more prevalent and popular over the next few years. Last week, 23andMe announced it is partnering with the pharmaceutical behemoth GlaxoSmithKline, giving the company access to 23andMe users’ genetic data, which 23andMe says will be stripped of identifying information and only used when consumers have previously given consent. GlaxoSmithKline will use the data to aid the development of new drugs.
Global privacy officer for 23andMe Kate Black told the Washington Post that the company estimates about 80 percent of users consent to having their information used in research. Black told Gizmodo that since the company was created in 2006, it has “built incredibly strong privacy practices” and it is “happy to now work with the industry to codify our privacy practices and standards across the industry, and help ensure that everyone who participates in a genetic testing service has their information protected, no matter which service or product they use.”
Ancestry’s chief privacy officer, Eric Heath, told Gizmodo in a statement, “Protecting our customers’ privacy is Ancestry’s highest priority.”
“We understand the sensitive nature of the information our industry handles and our responsibility as stewards,” Heath continued. “Ancestry looks forward to seeing these Best Practices broadly adopted across the industry.”
As the Post points out, under these new rules, the companies still aren’t required to tell users when their anonymized genetic data is used in research along with other people’s data. And when gag orders are used, customers may be left in the dark about their information being obtained by law enforcement.
Ancestry and 23andMe already provide transparency reports, including law enforcement request numbers. 23andMe said that it has not shared information with police for any of the five requests sent to the company this year. Ancestry’s report shows that police sent the company “34 valid law enforcement requests” in 2017, and Ancestry provided information in all but three of those cases.