The DNA trap: DNA testing companies and the potential misuse of sensitive personal data

The ability of any firm to demonstrate that there are robust ethical frameworks within it, intertwined with essential governance and corporate social responsibility is critical. Over the last decade and a half, a new form of firms known as DNA testing and genealogical companies has arrived on the radar of those who want to understand who they are, where they are from, as well as what links they have to others, known and yet unknown. They offer brand new and unique services such as single-ancestry checks or combined ancestral and health analysis. There are numerous advertisements and sales pitches on the television, as one scrolls through the internet and through the pages of the newspaper. Prices of services range between £59 to £149 depending on the choice of firm. There are also claims of nutrigenetics, which is being developed to fit diets and fitness to genetics, detailing how and what a person eats can be specifically tailored to their genes. Sometimes special seasonal/celebratory prices are available as well as promotions done by celebrities to generate sales.

In order to offer such a service, besides the payments, the firms request for members of the public to contact them for testing kits where the seemingly painless job of sending their saliva, swabbing their cheeks or pricking their fingers to harvest samples, which could potentially help the participants make discoveries that may transform their lives. These firms include, among others, AncestryDNA, 23andMe, MyHeritage DNA, LivingDNA, Vitagene and DNAFit. There is also the open-source genetic database known as GEDMatch. They are all involved in the business of acquiring DNA samples from their users which once analysed lead to DNA results which are used to generate DNA reports.

As the world metamorphosizes and firms continue to leverage technology to generate profits and increase their access to customers, some of whom are vulnerable, ethical considerations, corporate governance and social responsibility do not seem commensurate with the intensified pace of change. Technologies such as artificial intelligence (AI) are projected to affect billions of lives over the next decade and these trends represent both threats and opportunities. For instance, recent research from the ICSA – the governance institute shows that only half of respondents (51%) believe that their board fully understands, when asked whether their boards fully understands the challenges and opportunities that data and technology present to their organisations.

Despite this, the rate at which services like DNA and genealogical testing firms are developing and acquiring DNA datasets and targeting customers through their behaviour on the web, mobile apps, software and products through tracking technologies is calling for questions to be raised, thereby increasingly finding themselves being put under the spotlight with regards to their ethical conducts. Furthermore, the consumers of today have higher expectations of data privacy particularly in light of recent scandals as examined by Dr Costantino Grasso in the article entitled that focused on the Cambridge Analytica scandal and Facebook data breach. As a result, a series of questions arise as to whether offering such DNA testing services and gathering the related extremely sensitive and personal data represent business activities performed in an ethical way. This is a debate that requires further explorations.

This article will highlight the potentially irresponsible behaviour of these firms in the handling, protection and transfer of data harnessed from the millions of people responding to their call to test their DNA. In particular, it will be argued that there is a compelling need for corporate social responsibility measures where legal and regulatory frameworks or industry standards have been met but concerns still exist regarding ethical aspects of the involved business operations. Conversations coated with concerns in this realm have been regenerated in light of recent reports of law enforcement agencies using the services of genealogy websites to solve age-old crimes. The realisation of the possibility of relatives that were victims of crime or have committed crimes could be identified when a third cousin gives their own DNA sample to any of the DNA testing firms, have concentrated minds about data privacy and what consent actually means. Whether those signing up in the first instance know all the possible uses of their DNA is an urgent corporate social responsibility question that requires more concerted efforts on the part of the companies so as not to be seen as shirking their corporate social responsibility to society at large, which is unaccountable by definition.

From a survey done online, it emerged that, under the policies of the DNA testing and genealogical companies, individuals seeking their DNA analysis and information are promised their privacy is important to the firms, that their DNA samples, test results and all other personal data provided for the service are stored in accordance to industry standard security practices by encryption of both data-at-rest and data-in-flight phases. Furthermore, there are assurances that customers’ DNA test results and DNA samples are stored carefully without any names or any other common identifying information through de-identification and pseudonymization. That data garnered at registration are stripped from sensitive data. The sensitive data are then further randomised such that no individual is able to be “reasonably” identified. The customers are also convinced their DNA data are owned by them; that these and the DNA test results can be deleted at any time and their physical DNA saliva sample could be destroyed as soon as the customers require this to happen. Finally, these customers are told that their name or any common identifying information linked to their genetic data will not be shared except with their explicit consent or when they are legally required to do so.

Notwithstanding such formal reassurances, the processing of these collected data as well as the possible consequences of intended further processing for DNA subjects highlights potential irresponsible behaviour by the DNA testing companies. These companies cannot be run just like other consumer service companies, rather, they should have strict guidelines as they deal with a category of the most sensitive data that a human being has. As the European Union General Data Protection Regulation (GDPR), which is the most important data privacy regulation adopted in the last 20 years, expressly recognises DNA data are considered as an individual’s most personal and sensitive ones. As a matter of fact, the GDPR under Article 9, sections 1-4 spells out exactly how sensitive data are covered separately from general data. It clarifies that very sensitive data such as one’s DNA, that is, genetic and phenotypic data, are to be prohibited from processing except when data subjects give their explicit consent.

Does this consent once given, cover all multitudes of usages over the entire period of it being held? And how does the industry manage relatives that could be identified alongside the one who gave consent, when such relative may not even be aware of such ongoings and has specifically not given consent to be identified. Also, the current lack of clarity during advertisements on what the privacy implications are or immediate knowledge of the privacy policies of the DNA testing companies even on visits to their online privacy pages indicate a state of affairs that must be immediately worked on and corrected. Some policies use acronyms and words that mean little or nothing to the average user, other documents present several layers of superabundant information before getting to full privacy statements, other statements include clauses characterised by significant ambiguity and differences in relation to what exactly happens to the data. Finally, as regards the age to be able to use the service, it is concerning that some firms affirm that one needs just to be over the age of 13.

Also, when mergers and acquisitions are being done which will profit pharmaceutical companies or when 31 details of individuals are handed over to law enforcement agencies out of 34 requests made, are these necessary for reasons of substantial public interest as advocated by GDPR. Therefore, the question of ethics, data privacy and governance issues are further raised, for which are yet to be full clarifications from DNA testing and genealogical companies. These companies though, have become multi-million dollar firms with the largest player AncestryDNA with over 10 million customers, making over a billion dollars in 2017 alone. So, for customers to have reassurances about how their data is used, stored and passed on at the DNA testing and genealogical companies, there needs to be greater transparency and accountability by their board of directors and management. They need to adopt better practices promoting long-term value instead of the short-termism of the acquisition of data and profits.

Firstly, a consistent approach to dealing with privacy issues is urgently required. This includes putting privacy at the front of the advertisements and online platforms and promotions. Also, the age of adulthood for the users of these platforms should be globally adopted to be 18, which is a more universally recognised period of coming of age that an individual will be potentially better informed of the consequences of use and handing over of their data than at 13. The case of companies getting royalty-free, worldwide licences from their customers for their DNA samples, results and reports should be discouraged but data protection regulations in various jurisdictions be strictly adhered to. Technology is for good and though its changing nature both in advancements and pace is dynamic, CEOs and leaders of DNA testing and genealogy companies, together with their boards should adopt ethical practices especially in the burning issue of data privacy using some of the quick wins espoused herein. These will help ensure that they remain alive to their corporate social responsibility obligations and the outcomes for data privacy do not have worryingly different results like some of their DNA testing results.

8 thoughts on “The DNA trap: DNA testing companies and the potential misuse of sensitive personal data

  1. Thank you for this interesting article who demonstrate how much some companies can abuse people trust or if I can say imprudence. It is true that nowadays people give easily to big or famous companies such as Facebook their confidential informations because they think that it is safe and that nobody will have access to those informations without their consent. They also are curious to know their roots or just make as other people do and follow a trend; for example, American genealogy TV shows. However, people do not realize that those companies are not interested in their customers or user’s safety but by their benefits.
    In one hand It is clearly unethical and intentional and those companies which have theses confidential and personal data must provide the highest level of transparency. But on the other hand, people are also responsible when they give their data. This kind of information should not be given easily, and people should think about before. Nobody read entirely policies and just click on “I have read, and I agree with” and this is a pure act of imprudence.
    By giving their consent they protect those companies which now have the legal right to the process of personal data. In my opinion, some measure must be taken to aware people of the consequences of their consent. Because of the expansion of the internet and technologies the government should raise awareness of the danger of providing personal data. Moreover, sanctions should be created to punish unethical companies’ actions. Unfortunately, technology development and the internet are faster than Law.
    Last December, the CNBC has published a good article which warns people about the danger of “sharing DNA”, this is the kind of article that people should read before giving their consent and that companies should prevent from.

  2. Thank you for your comments Celia. You have articulated very well some of the concerns highlighted in the paper. Lack of access to information, lack of education, poverty, being imprudent, just not being well-informed or also just being altruistic may account for the various reasons why consumers hand over their genetic data to corporations who may or may not pass them to third parties. These are concerns that we continue to see and more research will be needed in this area. A burning issue was the concern as seen in this paper for the age of consent, where some require just being 13 years old to sign up. You also correctly identified whether more governmental action is required in the regulatory space as pertains to privacy. The US has the Genetic Information Nondiscrimination Act of 2008 (GINA) whilst Europe has the GDPR of 2018. You may already sense that GINA needs a lot of work to catch up with the emergence and rapid expansion of the DNA testing and genealogical companies. These companies however need to adopt ethical practices and remain alive to their corporate social responsibility obligations for a better future for citizens, society and the corporations themselves as argued in the paper.

  3. I agree that these DNA testing companies need to be more transparent towards their customers. Like you said in the post, they all declare that they treat the given data with the highest care, but there have been numerous examples of companies who do the contrary. Like for example 23andMe who had signed a deal with GlaxoSmithKline for 300 million dollars. They sold their data to GSK for all kind of clinical research. I can imagine people feeling betrayed when they discover that their data is being transferred to a drug giant.

    But luckily, me as a European citizen, I have the protection of the GDPR. I really believe that the GDPR has the right tools to protect people from these kind of data transfer violations. The only problem is that the authorities haven’t got the right amount of resources yet to check every single company that processes sensitive personal data. Once this problem is solved and the competent authorities can punish these companies, I think the misuse of sensitive personal data of these DNA testing companies will gradually drop.

    But also, seeing it from the perspective of the people, they have to be more informed as to what level of protection the GDPR provides for them. When providing personal data to a company, that company needs to be very clear as to which data is going to be stored where and who can access that data. People can check if this is correct by demanding a list of all the data the company has stored from that particular person. And if you want your data to be erased or you want to file in a complaint against a company, you have that right too. But then again, companies can always withhold some information.

    As for the age of consent, in my opinion, the age of 13 to give consent is indeed too low. I don’t think that children of 13 know the consequences of giving their personal data to a company. But then again, if a member state decides that the age of consent can be 13, like they can do according to article 8 section 1 of the GDPR, the government needs a plan to get these children informed about the dangers of transferring personal data.

    1. Your comment is appreciated Robin. Your engagement with topical issues such as this helps to further the debate. You are completely right in your contributions. Transparency is key and though the GDPR protects Europe, these companies are usually global in nature, hence the need for concerted efforts in overall ethics, good corporate governance and well-established social responsibility mechanisms. I am an advocate of FEAT in data privacy as well as artificial intelligence tools or applications. FEAT means fairness, education, accountability and transparency and hopefully when these are adopted by the DNA and genealogical companies as well as any others that deal with data across various industries, then it could be said that the path to the responsible use of data would have begun.

  4. Hello Lola,

    I think this is a very insightful post, which indicates corporate misuse in the scope of personal data! As you mentioned in the paper, consumer DNA testing kids are becoming increasingly popular and recently I was reading breaking news of how dangerous it could be to send our DNA to a health-screening company. It is stated that participants are taking these DNA tests in order to find out about their genetic make-up, family history and health risk. On the other hand, companies are monetising from participants because their valuation here is to collect and sell personal data.

    You can find the news in the following link:

    DNA samples are some of the most sensitive forms of personal data and therefore it is really important, to make sure that this data is protected by the companies. However, this is not always the case they collect and sell these data to third parties and one issue is many consumers do not realize that their sensitive information can be given to unknown third party companies. In my view, these companies are trying to legitimize their actions under the cover of helping overall research. In addition to that, the other issue is we cannot see effective rule of law in order to prevent that kind of corporate misconduct and therefore the idea of our DNA being private will no longer exist if we do not take precautions.

    As you pointed out, the age of consent is also one of the burning issues in this context because we cannot expect from 13 years old participants to really know what they are going to consent. Even if we adopted the age of consent limit to 18, I think it is still not enough because we cannot see the explicit consent. This issue reminds me of the Cambridge Analytica scandal because they exactly did the same thing, which is collecting and selling personal data without consumer’s consent and this attitude clearly illustrates the corporate’s misbehaviour.

  5. I find this a very interesting article as the topic concerns, once again, all of us. I believe most people have heard from at least one relative, friend or colleague who has sent some saliva in order to get information about their ancestry or health. And just as we recklessly click on those boxes to accept cookies and terms and conditions on websites, without giving it a second of thought, we are agreeing to privacy policies of these corporations. Nonetheless it’s not the consumers recklessness, but that of these million or even multi-billion-dollar corporations that are a reason for concern.

    While some people blindly put their trust into corporations, others look at it more skeptically. Multiple questions have risen, which are reasons for legitime concern. As discussed in the article low pricing, advertisement and simply the convenience of the process make consumers fall prey to the DNA trap. I was personally shocked when reading that some companies put the age requirement at 13 years old. When looking into this further, it appears that the largest companies have their required minimum age at 18 years, which is somehow reassuring. But this does not alter the fact that with the consent of the parents also DNA from underaged children can be send. And, as mentioned, how can we speak of ‘consent’ from relatives when they are left in the dark?

    Legislation lacks behind on innovation, once again. A legal framework specifying how one’s most sensitive data, being a personal genetic code, should be dealt with, is an absolute necessity. Without this, it is just guessing for answers. The angle from this article however was not only to point out the danger it poses to one’s privacy but the lack of a consistent approach in privacy policies and the need for ethical practices and adherence to corporate social responsibility obligations besides the compliance with the law. Regarding the latter, I personally found it interesting to look at genetic privacy from an ethical and even philosophical point of view. The following article: “The rise of big data and genetic privacy” published by D. Koepsell and V. Gonzalez Covarrubias in Ethics, Medicine and Public Health (2016) I found very interesting and comprehensive. Therefore, I recommend anyone to read this when interested in the topic. The article talks about the concept of privacy as such, applied to the medical field and the benefits as well as the risks and most importantly the privacy challenges that arise with big data regarding genetic information.

    The difference in the protection in the EU and the USA also unveils what governments prioritise. This makes me question the following: “When a government (referring to the USA for example) doesn’t prioritize privacy, why should companies?” The DNA database called GEDmatch has come up. The police in the USA used it to solve more than fifty rape and homicide cold cases and caught a notorious serial murderer, called ‘the Golden State Killer’, after decades. However, GEDmatch changed its policy making it possible for the consumer of making their DNA data inaccessible for law enforcement. Ironically, the database has been recently bought by a company that helps law-enforcement agencies with forensic DNA work. This case illustrates the balance between public safety and privacy on one hand and the challenges we are facing.

    The use of technological innovation for the greater good, the consumers right on privacy regarding their personal genomes/ DNA and the danger of this data getting misused are all intertwined. For me one of the main questions is if this balance should be decided by corporations? It doesn’t inspire confidence that only 51% of boards seem to fully understand the implications (challenges and opportunities) of data and technology as regard to their own organisation. (research from the ICSA, mentioned in article) It’s certain this is not the last we’ll hear about this!

  6. Great article. Our privacy, our last realm of security, has been overtaken. After taking online courses on data analytics and seeing how well profiled we get after visiting a website, our DNA must be our last frontier.
    Data mining has become the main source of income of big corporates such as Facebook, Google, etc. that use all kind of information about ourselves (age, gender, location amongst others) but never the name. Since these big companies are not making a profit with our name because it is considered and invasion of privacy, why are not we doing the same thing with our DNA?
    We can delete the cookies (tracking information on websites), we can legally change our name, address… but there is nothing that we can do about our DNA. It is truly our last frontier of self-identity, of who we are and why we are the way we are. There is no better mirror to find who we are than our own genetics.
    As mentioned in the article, stronger regulations need to be enforced. Not only on the data collection (must be 18 for getting involved with these companies), but also those who decide to participate need to have a guarantee that their information would be ethically handled, because our genetics will always be ours, and we have to be aware what is happening with that information that we facilitated.

  7. This article is very insightful because it highlights an impending crisis that the United States and other countries will face. In the United States, high school seniors every year. For many, this marks the end of their formal science education. While many go on to learn more about a wide variety of fields, very few keep learning about the biological realities that compose them. This should alarm every single person. Dr. Alexander Titus, former assistant director for biotechnology at the Defense Department, offers fantastic insights in his article “The 2020s Will Be the Decade of the Bioeconomy.” This is only further accelerated by the COVID-19 pandemic where we see technological advancements, developed in response to the crisis, developing at never before seen speeds. We also see regulatory institutions like the FDA making dramatic changes in policy to accommodate the rapid pace of innovation. Will these current changes to barriers in market entry return at the end of the pandemic? I do not think so. The world is on the precipice of a revolution in biotechnology which will dramatically shift the way we understand and interact with the world around us. We must take steps now to educate the general public so that they can understand this revolution and not only participate fully in welcoming this new reality, but also protect themselves and their most valuable information.

Leave a Reply