Home DNA testing can be fun. I’ve done it for myself and for my dog. One of us unexpectedly turned out to be 3.1% Italian. The other is mostly Saint Bernard.
The less-fun side of the DNA-testing industry is the brave new world of genetic privacy.
What are these companies doing with our genetic data?
What happens if they find a DNA marker for cancer, diabetes or any other potential illness that insurers and employers would be very interested in knowing about?
How much genetic privacy is a consumer entitled to?
Congress is now pondering federal privacy rules that probably will address such questions, so some of the top DNA-testing firms have come together to make sure lawmakers keep the industry’s interests front and center.
The so-called Coalition for Genetic Data Protection is backed by Ancestry, 23andMe and Helix, with an open invitation for other companies to join the club.
The group’s website says it seeks “reasonable and uniform privacy regulation that will ensure the responsible and ethical handling of every person’s genetic data.”
That sounds high-minded and well-intended.
In fact, the coalition is run by a prominent Washington, D.C., lobbying firm — Mehlman Castagnetti Rosen & Thomas — and its goal is to shape privacy rules for an industry that now largely operates on the honor system.
“We are great stewards of customers’ privacy,” declared Steve Haro, a principal at Mehlman Castagnetti who is serving as executive director of the coalition. “These companies welcome a data privacy law.”
Within reason, that is.
Haro told me he wants to make sure there are no carve-outs in a federal privacy law for genetic information. In other words, no provisions that place more stringent rules on DNA testing companies than on, say, Facebook or Google.
Rather, the coalition wants any privacy protections to be one-size-fits-all.
Experts say that would be a big mistake.
“Genetics is totally different,” said David Agus, a professor of medicine at USC and co-founder of Navigenics, a pioneering DNA-testing company. “We need totally different rules.”
He cited the case of the Golden State Killer, in which a 73-year-old suspect was charged last year with 26 counts of murder and kidnapping based on a DNA match not for himself but for a relative, which allowed investigators to home in on the alleged perpetrator.
“That’s the thing about genetic information,” Agus said. “It says something about you as well as all your family members.”
Therefore, he said, such information needs to be treated differently, even for something as relatively benign as consenting to your DNA being used for research purposes.
“Should you also have to get the consent of all your brothers and cousins?” Agus asked. “Why wouldn’t you, seeing as it could affect them.”
Mildred Cho, associate director of the Stanford Center for Biomedical Ethics, said genetic information should have the same privacy safeguards as other medical data, which typically are stricter than for other forms of personal information.
She said that in light of the complexity of DNA and its potential uses, “it becomes more difficult to justify a caveat-emptor approach.”
This is new territory for lawmakers. In 2008, Congress passed the Genetic Information Nondiscrimination Act, which prohibits discrimination by employers or insurers based on genetic data. But lawmakers have had little guidance as to how DNA fits into the broader context of digital privacy.
The Coalition for Genetic Data Protection, as first reported by the Hill, wants Congress to base any official policy on an industry study issued last year that defines privacy “best practices” for DNA-testing firms.
Even though the study says it “recognizes that genetic data is sensitive information that warrants a high standard of privacy protection,” a close reading reveals the industry prefers that customers trust it to do the right thing.
For example, it says that “companies should clearly specify the uses of the genetic data, who will have access to test results and how that data will be shared.”
Should, not must.
The study also says that “genetic data, by definition linked to an identifiable person, should not be disclosed or made accessible to third parties, in particular, employers, insurance companies, educational institutions or government agencies, except as required by law or with the separate express consent of the person concerned.”
Again, should, not must.
I asked Haro, the coalition’s executive director and chief lobbyist, what sort of teeth the industry desires for regulatory oversight. That is, how would it like to see any privacy law enforced?
He offered no specifics.
“We plan to engage constructively with policymakers on the best enforcement regime,” Haro said, reiterating that the coalition wants “a uniform national data privacy law” that treats all companies the same.
I have a suggestion. The DNA-testing industry’s disdain for special treatment notwithstanding, lawmakers should do just that and impose, at least on an interim basis, the same privacy standards applied to other medical data.
The federal Health Insurance Portability and Accountability Act, a.k.a. HIPAA, includes penalties ranging from $100 to $50,000 per violation — that is, per hacked record. Violations also can carry criminal charges resulting in jail time.
To really make their point that genetic information is a serious business, lawmakers also could consider mirroring penalties in Europe’s recently enacted privacy law, the General Data Protection Regulation. It can result in fines of up to 20 million euros ($23 million) or 4% of a company’s annual revenue, whichever is greater.
“American law already embraces health exceptionalism in the protection of privacy surrounding medical information,” said Judith Daar, dean of Northern Kentucky University’s Chase College of Law. “To continue or expand that protection in the genetic realm makes sense given the highly personal nature of the information. Most of us would likely assert a high expectation of privacy in the makeup of our genome.”
DNA-testing firms say you have nothing to worry about — they take people’s privacy really seriously.
You know who also says that? Facebook.
And you trust them, right?