Genetic Data Protections in the US and EU

Written by Everett Pustell; Edited by Elad Raymond

Published on July 19th, 2021

Introduction

Consumer data has been collected since the inception of commerce, as simply as merchants adapting to customer preferences. Yet this kind of data collection pales in comparison to the widespread, complex, and dynamic consumer data collection of today. By the early 1990s, a growing online consumer base was creating all sorts of new data with every click. Since then, targeted online advertising, suggested products, and cookies, all of which are based on an individual's browsing and search habits, have become commonplace on most commercial websites. In the last several years, the big data and analytics industry (led by superpowers such as Google and Amazon) has been surging, with a predicted 2022 net worth of $274 billion, almost double its value just 5 years prior in 2017. There is no sign of this growth slowing down, and the development of a new technology could see that growth realized even sooner.

Direct-to-consumer (DTC) genetic testing is a new and quickly growing business within the broader data industry. Companies such as 23andMe and AncestryDNA are leading the charge with publicly available testing kits that provide consumers with a detailed analysis of their genetic makeup without involving a physician. As of 2021, more than 35 million people have been tested with DTC kits in the United States. Given that more than 600,000 data points are taken from each person per test, there is a statistical ocean of information out there for analysis. So what is being done to protect this personal data from the prying eyes of hackers or other malicious actors, like those that stole the data of 145 million users from Equifax in 2017 and almost 3 billion users' data from Yahoo in 2013? As it so happens, not very much.

Examining the unique nature of genetic data and the current legislation surrounding the DTC industry in the United States (US), and comparing it to European legislation, makes clear that there are serious gaps and issues in the regulation of personal genetic consumer data in the United States. Swift action is required to avoid repeating the security and ethics issues that already exist with standard consumer data, especially considering the heightened sensitivity of genetic data.

A Brief History of Genetics

Before looking at the policies (or lack thereof) that surround DTC genetic testing companies, it is prudent to first understand the unique importance of genetic data. While the study of genetics began with Gregor Mendel’s theories of inheritance, it was the discovery of the double-helical structure of DNA in 1953 by James Watson, Francis Crick, and Rosalind Franklin that began the modern era of genetics. Directly following this discovery, biologists began to piece together the ins and outs of the individual components of DNA, and a new challenge arose. In 1990, the Human Genome Project was launched with the goal of sequencing and mapping the entire human genome; in 2003 this goal was realized, completely reshaping the possibilities of genetic information analysis. Just a few years later, genetic testing companies started to improve on the technology from the Human Genome Project, developing rapid sequencing and analysis to the point where what cost the Human Genome Project $2.7 billion now costs consumers just $59. Once a company has a consumer sample, it focuses on nucleotide positions where there is a high frequency of variation (e.g. A→T), known as single nucleotide polymorphism (SNP) sites. These sites can offer insight into many of our traits, including predispositions to diseases and ancestry.

Decades of research and innovation have made mass sequencing and analysis of consumers' genomes commercially viable. But now that genetic data is attainable, how should it be used? How does genetic data differ from the rest of consumer data?

What Makes Genetic Data Unique

The main difference between consumer and genetic data is one of biology. While Social Security and I.D. numbers are associated with their owner by designation, DNA is inherently connected to each person. While raw genetic data (nucleotides and sequences) does not tell you much on its own, SNP analysis can reveal many things about the individual it came from. These insights can range from predisposition to genetic diseases (Alzheimer's, oncogenes, etc.) to ancestry and information about ethnic or racial histories. This kind of sensitive information is often reserved for patient-physician settings and is protected by the Health Insurance Portability and Accountability Act (HIPAA); however, the FDA has authorized some DTC genetic testing kits to diagnose genetic conditions such as predisposition to Alzheimer's, allowing consumers to forgo a physician or genetic counselor while receiving sensitive health information. This is concerning for two reasons. Firstly, false positives are not uncommon in these tests, and the results are anything but definite (just because someone is genetically predisposed to Alzheimer’s does not mean they will ever develop the disease). Without direct consultation with a genetic counselor, it is easy for uninformed consumers to overreact to or misinterpret the results presented to them, and to make potentially harmful decisions based on false or incomplete information. Secondly, patient data ordinarily protected under HIPAA is not under such restrictions when held by a DTC company such as 23andMe. Therefore, if this data is stolen, there is a fair amount of ambiguity as to what the response would be. Shockingly, the only binding rules governing the consumer’s genetic data are the privacy policy of the business and any additional agreements that are part of the transaction itself. Without regulation, consumers may be signing away more of their data than they are aware of or want to. Furthermore, there may be little recourse in the event of a data breach, and no telling how that data could be used once it leaves the control of the company.

The Tech Boom Example

Over the past twenty years, technology has been advancing at an exponential rate, and not just in the field of genetics. Advances in technology have revolutionized the way we think about transportation, investing, and, as the COVID-19 pandemic has shown us, even office work. With so many changes in such a short period of time, a lag phase in legislation is to be expected. But when the industry outpaces its regulations entirely, there is a serious and potentially dangerous imbalance between the drive of for-profit companies and the rights and protections of their consumers.

In the past few years the American public has begun to feel trapped into having their personal data farmed, with 6 in 10 people feeling that they cannot get through daily life without having their data collected by companies and the government. Additionally, 8 in 10 people do not feel that they have control over the information companies take or how they use it. One of the complicating factors is the necessity of these services in modern life: for anyone who uses online resources at all, it becomes very difficult to avoid near-universal services such as Google, Microsoft Office, or whatever other office products their employer may use.

The result is that consumers feel they have no choice but to agree to whatever terms and conditions large corporations present them with. This, combined with federal regulations that do not adequately address the scope of data collection and usage, is likely the cause of the public's distrust of how their data is being collected and used. With the DTC genetic testing industry becoming more and more mainstream, it should be a goal of federal legislators to prevent the mistrust we see around standard consumer data from spreading to genetic data. As explained in the sections above, genetic data is particularly sensitive for its subjects, and it is very conceivable that if there were a breach of privacy on the scale of the Equifax hack, people would be very concerned for the safety of their sensitive information.

Current Policy and Action in the U.S.

So what is the current approach to regulating this new industry in the US? Many states have some provisions prohibiting the sale of genetic data to insurance companies, but the most comprehensive state legislation is the California Consumer Privacy Act (CCPA). The CCPA classifies genetic data as “sensitive personal information,” alongside data such as race and ethnicity, Social Security numbers, and phone numbers or addresses. Under the CCPA, consumers have the right to opt out of companies selling or sharing their sensitive personal information. Granting consumers this greater freedom is a good step forward for Californians, but the issue with the CCPA, as with all state legislation, is that discrepancies between states leave gaps in coverage that ultimately can only be closed by legislation at the federal level.

At the federal level, there is no policy that controls the data produced by DTC genetic testing. While the FDA does oversee the approval of any diagnostic test, it does not monitor data storage and use after approving the product, meaning that products can reach the market without their data storage practices ever being reviewed if those practices are not part of the clinical aspect of the product. This is normally the domain of HIPAA. However, HIPAA does not cover DTC genetic data because the testing involves no physician. This leaves a huge hole in legislation where none of the conventional methods of regulating healthcare data apply.

As mentioned above, the only direct regulation of genetic data is the agreement made between the consumer and the company during purchase of the product. This is problematic because the company alone decides what precautions are taken to safeguard consumer data. Since the FDA and HIPAA do not apply to this industry, the government has used the Federal Trade Commission (FTC) to oversee the protection of data, but the FTC has done little regulating and has instead endorsed the NIST Privacy Framework as well as the Fair Information Practice Principles (66), both of which are unofficial guidelines by which companies can self-regulate their security and privacy practices. While these guidelines do outline decent standards for data storage and security, companies pay them little mind because they cannot be enforced. The results of a 2018 survey reveal how ineffective these guidelines have been, with over 40% of companies lacking a document outlining how they stored genetic data (61). Additionally, only about 20% of the surveyed companies provided information about testing labs and how the sample was handled after testing. This indicates that the negligence of DTC genetic testing companies in safeguarding their data is at this point largely unknown to consumers, many of whom are unaware of what uses of their data they are consenting to when purchasing a testing kit. While minor state legislation does help somewhat, comprehensive federal legislation would not only raise the bar for security but also raise public awareness of the questions consumers should be asking when ordering a testing kit.

On January 22, 2021, Congresswoman Amy Klobuchar (D-MN) introduced S. 24, the Protecting Personal Health Data Act, the first piece of legislation of its kind. One of the goals of S. 24 is to close the holes in the regulation of the DTC genetic testing industry. Specifically, the bill would create a set of standards that all companies would have to comply with regarding the security and handling of consumer data. Additionally, the proposed legislation would create a national task force to take a deep look into the long-term effects of de-identification of personal data and to evaluate the current state of cybersecurity threats. This bill is not nearly as comprehensive as regulations in other countries, particularly those in Europe, but it would be a start to federal legislation that covers entities handling genetic data.

Current Policy and Action in Europe

The European Union (EU) has been far more proactive on this matter than its North American counterparts, with the recent passing of the General Data Protection Regulation (GDPR) in 2018, which looks to address some of the current issues in consumer genetic data. The GDPR sets out several principles by which companies must guide their data processing: lawfulness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality. The GDPR applies to all companies processing data (including genetic data) in the EU, and to any company processing the data of EU citizens. Importantly, the GDPR creates the first classification of “genetic data” in European legislation, allowing specific policies to cover the unique aspects that have gone untouched so far. While the GDPR does make important headway in defining genetic data and how it should be handled and used, the scope of the regulation is broad and focuses mainly on non-genetic consumer data, meaning the DTC genetic testing industry has yet to experience much regulation. The general concerns of data re-identification and sharing still remain, as the GDPR does little more than classify genetic data as a special category of data that requires an elevated level of protection.

Considering that current DTC genetic testing companies are not protecting consumers' data at an acceptable level, the GDPR is a positive step towards ensuring the protection of consumers internationally. That being said, any future interpretation of the GDPR must not discourage safe data sharing between companies and clinical or research settings. Advances in genetic research are opening new approaches to treating many ailments that have gone untouched, and restricting safe data sharing could be detrimental to progress in the field. At the same time, a genetic data leak could be devastating to everyone whose data is involved, so the proper precautions must be taken. Hopefully, S. 24 can follow in the GDPR’s footsteps and appropriately address the issues that face U.S.-based consumers. By defining genetic data in any context as requiring a higher standard of protection and de-identification, positive steps are being taken to ensure the safety of those attached to it.

While the GDPR sets a solid foundation for the regulation of DTC genetic testing, it is still too soon to truly quantify the impact it has had on the industry. The GDPR was a wide-reaching piece of legislation that largely focused on more traditional forms of consumer data, such as cookies and targeted advertising, in addition to genetic information. This means that there has not been much enforcement of the regulation specific to the DTC genetic testing industry, and because of this it would be premature to draw any conclusion about the efficacy of these new rules.

Considering that we are still in the early days of the GDPR, what can we take away from the EU’s example and apply to the U.S.? Firstly, like the CCPA, the GDPR explicitly defines genetic data as sensitive personal data that requires protection and discretion when used or stored by companies. Additionally, the GDPR sets a precedent for protecting citizens at a multinational level, which could potentially pave the way for the U.S. to pass S. 24 or other legislation at the federal level. Finally, the GDPR shows that this is an issue that must be taken seriously and cannot be ignored as we move forward in an ever-evolving technological society.

Conclusion

The DTC genetic testing industry is growing rapidly and accumulating millions of individuals’ genetic data. At this moment, companies are not regulated at the federal level when it comes to the storage, security, and usage of their consumers' data. While there are regulations at the state level in the US, these are often inconsistent with one another and do not protect the data while it is held by the company. The clearest solution is comprehensive legislation at the federal level, and the S. 24 bill recently proposed by Congresswoman Amy Klobuchar (D-MN) looks not only to cover some of the security gaps that currently exist but also to investigate other potential gaps and how to close them. The current gold standard of widespread data security and privacy is the GDPR, which not only makes strides on more traditional forms of consumer data but also defines genetic data and establishes standards of care that must accompany it. As discussed, however, we are still too early in the GDPR’s implementation and enforcement to see direct results on the DTC industry or to draw conclusions for similar future legislation.

While the GDPR’s effects cannot yet be fully understood, that should not be cause for delaying new legislation in the U.S. Learning from the errors of the tech and dotcom boom of the early 2000s, which have created widespread public distrust, swift action must be taken to ensure that consumers’ genetic data is not mishandled and left vulnerable to hackers or sold to irresponsible third parties. A person's genetic information is quite literally who they are, and as such should be treated as very private and sensitive information. If left unchecked, as traditional consumer data has been, it could lead to grave consequences.
