COVID Fears Thwart Calif. Move to Protect DNA Information

By Matthew Scott

Last of two parts.

An effort to give consumers more protection over the use of their DNA was aborted last year when California’s Genetic Information Privacy Act (GIPA) was vetoed in September by Democratic Gov. Gavin Newsom.

In a letter to the State Senate, Newsom argued that GIPA was too broadly written and risked “unintended consequences” that could “interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes to local public-health departments, who report that information to the California Department of Public Health.”

California Senate Bill 980 proposed the most comprehensive DNA privacy protections of any legislation in the country, regulating how direct-to-consumer DNA testing companies could use, sell and share genetic information.

For the time being, Newsom apparently has decided that access to information that can safeguard the public health is more urgent than safeguarding individual’s privacy from law enforcement, insurers and marketers.

However, since the governor acknowledged, “I agree with the primary goal of this bill,” advocates told Digital Privacy News that it was expected to be reincarnated in some form that would allow COVID testing compliance to continue.

The law was too broadly written and risked “unintended consequences” that could “interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes to local public health departments.”

California Democratic Gov. Gavin Newsom.

“The governor’s veto … will shape the conversation (around DNA privacy) to consider public-health interests,” said James Czerniawski, policy analyst for the Libertas Institute, which helped formulate DNA privacy legislation in Utah.

“However, we do not see that bill influencing the conversation we are having in Utah on DNA privacy, which is based in civil-liberty concerns stemming from government use of genealogical databases.”

Golden State Killer Case

In California, GIPA was backed by privacy advocates worried about growing efforts by law enforcement to expand the use of genealogical material to solve more crimes.

After the Golden State Killer was apprehended in 2018 with the help of DNA matches obtained from GEDmatch, searches of genetic-testing company data bases were seen as new crime-fighting tools.

Forensics companies forged relationships with direct-to-consumer genetic-testing companies, paying fees of $1,500 to $3,500 to use databases for research or to conduct searches for law enforcement.

Hundreds of cold-case murders and rapes have been solved with the help of searches of DNA databases.

However, Czerniawski warned: “Just because a DNA search has noble purposes doesn’t mean that it can’t have potentially seriously damaging results.”

The Libertas Institute, a Utah-based think tank, has helped craft pending legislation in the state that would restrict law-enforcement searches of genealogical databases.

“We are trying to limit the scope of what can be requested,” Czerniawski told Digital Privacy News. “We want law enforcement to have a particularized warrant for a specific individual’s DNA that matches the DNA sample that they are trying to search for.”

‘Fishing Expeditions’

Privacy advocates said they could accept authorities identifying perpetrators using a warrant that requires a direct match to DNA recovered from a crime scene.

However, they oppose unrestricted use of a familial match, which identifies the relatives of a person tied to a DNA sample found at a crime scene.

Czerniawski and others voiced concerns over potential privacy abuses involving familial searches of direct-to-consumer genealogical databases, complaining that they can lead to “fishing expeditions.”

Since relatives caught up in a familial search likely did not knowingly submit to the police investigation that prompted the search, privacy advocates argued that the action could violate Fourth Amendment protections against unreasonable searches and seizures.

“The main point to drive home here is that you could be innocent — and then because of this process, be placed in the crosshairs of law enforcement for doing nothing at all,” Czerniawski told Digital Privacy News.

“That puts all kinds of stressors on your life.”

No Federal Guidelines

The U.S. Justice Department has an interim policy that allows familial matches to be used when murder, rape and other violent crimes have been committed.

Under the policy, authorities should first search criminal DNA databases before approaching commercial genealogical databases — and they only should use commercial databases of companies that inform customers that police can access their databases.

But since no uniform laws govern DNA searches, and because most companies have pledged to abide by all lawful court orders, law enforcement has been able to obtain permission to conduct searches of genealogical databases for identity theft, fraud and other non-violent offenses in various states.

Warrants Not Always Needed

Christopher Slobogin, director of the criminal justice program at the Vanderbilt University Law School in Nashville, Tenn., said that in most cases, if law enforcement could show probable cause to believe that a DNA sample they had obtained was from the perpetrator of a serious crime, then the court should order the relevant company to determine if there was a match.

However, since each state has different rules, not even a warrant is always required to authorize a familial search.   

“The governor’s veto … will shape the conversation (around DNA privacy) to consider public-health interests.”

James Czerniawski, Libertas Institute.

“In some states, a warrant is required,” Slobogin told Digital Privacy News. “In other states, a subpoena, which is much easier to get than a warrant, is sufficient.

“It’s also conceivable that in some states, all that’s needed is a letter from law enforcement saying that, ‘We’d like to see if there’s a match,’” he said.

State Efforts Underway

The lack of a national standard for DNA searches has many states working to enact legislation to resolve disagreements on what should be permitted when authorities seek access to the DNA of private citizens who have not committed crimes.

Besides California’s now-vetoed legislation, efforts are continuing in Utah, New York, Maryland and Washington state.

“Typically, people would say this should probably get done through the court system,” said Czerniawski of the Libertas Institute, “but the courts sometimes take years to settle some of this stuff — and the rulings may not necessarily be consistent across the board from state to state.

“The legislature is in a better position to try and put some guardrails in place.”

Even the direct-to-consumer genetic testing companies realize something needs to be done to regulate law-enforcement access, experts said. Some companies are pushing back against such efforts to conduct broad searches., 23&Me and other companies recently have successfully battled in court against broad law-enforcement court orders, arguing that they feared consumers will stop using their services if they believe authorities have unlimited access to their DNA profiles.

“We believe that the nature of our members’ DNA data is particularly sensitive, so we insist on a court order or search warrant as the minimum level of due process before we will review our ability to comply with the request,” said in its Transparency Report last year.

“We also seek to put our members’ privacy first, so we also will try to minimize the scope or even invalidate the warrant before complying,” the report said.

Two Data-Access Requests

Ancestry received two requests to access its DNA database from law enforcement between January and July of last year, according to the document.

Both requests were challenged, with one being withdrawn and the other remaining unresolved.

Authorities made three “valid” requests related to criminal investigations involving credit-card misuse, fraud and identity theft, according to the report, and Ancestry responded to only one of them.

Ted Claypoole, a partner who advises companies on privacy and cybersecurity issues at the Womble Bond Dickenson law firm in Atlanta, has some basic advice for consumers who are concerned about how their DNA might be used.

“If you give your DNA information to your doctor or hospital to find out certain things about you, that’s all protected by laws like HIPPA,” he said, referring to the federal law, but cautioned, “With the (direct-to-consumer) DNA industry, you have no legal rights.

“Only give your DNA to institutions where the law protects it from ending up on a police database.”

Matthew Scott is a New York writer.

Other States Active, Too

Many states have debated DNA privacy issues, leading several laws seeking to protect the more than 26 million consumers that have used commercial DNA testing kits as of the end of 2019, according to a Massachusetts Institute of Technology report.

Illinois is the only state that directly addresses the privacy of biometric information.

In Florida, a genetic privacy law was enacted last summer, providing protections against data use by life insurance and long-term care insurance companies.

Oklahoma and Texas were among other states that provided protection from compelled disclosure of genetic information through court orders, including subpoenas.

Alaska, Massachusetts and six other states allow consumers to recover damages if their genetic data is disclosed improperly.

Utah is among several other states with genetic privacy legislation in the works.

— Matthew Scott