Press "Enter" to skip to content

New Blow in DNA Privacy Fight

By Matthew Scott

First of two parts.

Debate over how DNA obtained by direct-to-consumer genetic-testing companies can be used likely will intensify after Blackstone, the New York private-equity firm, purchased Ancestry.com for $4.7 billion last month.

Privacy advocates told Digital Privacy News that, with the change of ownership, the 18 million people who willingly had given Ancestry.com their DNA could ultimately find that it had been used for purposes other than discovering family histories.

Those include being sold to law enforcement to help solve crimes, to pharmaceutical companies for DNA testing and to other companies for purposes that have not yet been realized.

Furthermore, the sale and resale of these companies raises concerns about who owns the rights to consumer DNA once it is submitted to a company for reasons unconnected to personal medical procedures.

“If you give your DNA to somebody else for some other reason, it’s not protected at all,” Ted Claypoole, a partner who advises companies on privacy and cybersecurity issues at the Womble Bond Dickenson law firm in Atlanta, told Digital Privacy News.

Claypoole said that Ancestry.com, 23andMe and similar companies were not legally bound to protect the DNA privacy of customers.

Any information, including DNA, that is given to doctors, insurance companies, hospitals or pharmacies for medical treatments, generally is well protected by federal law.

“We also seek to put our members’ privacy first.”

Ancestry.com’s 2020 Transparency Report.

But Claypoole cautioned that, although consumer DNA may have been collected under Ancestry’s privacy policy that claims DNA only would be used for certain purposes, when a company is sold, that agreement may not be honored.

Eyeing Future Growth

Blackstone and Ancestry have said that they will protect customer privacy — and the companies have done so in the past—but no laws bar them from changing that policy in the future.

“We believe Ancestry has significant runway for further growth as people of all ages and backgrounds become increasingly interested in learning more about their family histories and themselves,” David Kestnbaum, a Blackstone senior managing director, told Digital Privacy News.

Claypoole noted that Ancestry now would be managed by people who did not make the original agreement under which customers subscribed. 

“They are people with an entirely different set of priorities, and they purchase these companies to make money and maximize their profit and investment,” he said.

“If you give your DNA to somebody else for some other reason, it’s not protected at all.”

Ted Claypoole, Womble Bond Dickenson law firm, Atlanta.

“If you’re an investor — and you want to know why someone would buy this, essentially, money-losing company for $5 billion — the only thing they have worth it is the DNA database and the things that you can do with it, particularly in the pharmaceutical industry.” 

Ancestry reported about $1 billion in revenues last year, so Blackstone’s willingness to nearly double the $2.6 billion the company sold for just four years ago has heightened privacy concerns among advocates.

But Kestnbaum further told Digital Privacy News: “We look forward to investing behind further data, functionality and product development across Ancestry’s market-leading platform to continue to provide a differentiated service.”

Law Enforcement Issues

According to Claypoole, 23andMe and others have generated income by offering DNA searches to law enforcement and to pharmaceutical companies for research and testing.

He added that some of the genetic-testing companies were selling use of their DNA databases to tech companies for artificial intelligence research.

News reports last year revealed that Google partnered with the Ascension health care system, based in St. Louis, to collect data on millions of Americans to design an artificial intelligence-powered health care service.

“We believe Ancestry has significant runway for further growth.”

David Kestnbaum, Blackstone, N.Y.

But in its 2020 Transparency Report, Ancestry.com said: “We also seek to put our members’ privacy first, so we also will try to minimize the scope or even invalidate (a law enforcement) warrant before complying.”

The company reportedly denied a request from law enforcement for access to its DNA database in 2020.

Still, Claypoole argued that the Ancestry sale might accelerate the use of DNA data for other purposes.

“The problem is not that the DNA is used for these other purposes, but that no one is asking permission,” he told Digital Privacy News. “Certain people might object to having their DNA used this way, but they don’t know that it’s happening.

“People should only give their DNA to institutions where the law protects them from ending up on a police database.”

Friday: California’s aborted effort to protect consumers’ DNA privacy.

Matthew Scott is a New York writer.

Why More Protection Is Needed

Experts cite several instances in calling for more protections for consumer DNA privacy:

Data breaches: Data breaches can potentially expose consumer genetic information to unauthorized access. Last July, for example, a breach at GEDmatch exposed its 1.4 million customer profiles for two hours.    

Compromising relationships with law enforcement: Many of the genetic-testing companies receive payments from the forensic labs that assist law-enforcement investigations. As such, authorities could gain easier access to consumer genetic information if revenues wane for testing companies.

In addition, forensic lab Verogen Inc. purchased GEDmatch in December 2019, creating a situation that experts have warned was fraught with potential financial and ethical conflicts.

Safeguards against law enforcement and third-party access: Technically, once customers sign up to use genetic-testing services, they agree to the terms in the contracts they sign. Some companies offer an opt-out to prevent law-enforcement access to their profile.

But if a company does not have an opt-out or does not reject requests from insurance companies and others seeking access to customer profiles, the genetic information may become accessible.  

— Matthew Scott

Sources: