Privacy experts are concerned about the risk of “genetic discrimination” after 23andMe, which offered a direct-to-consumer genetic testing service, filed for bankruptcy this week.
23andMe stores and analyzes its customers’ genetic material from saliva samples to provide insight into ancestral heritage and potential health risks.
More than fifteen million 23andMe customers have spat into a vial and sent their material for genetic analysis since it was founded in 2006.
23andMe said the bankruptcy process will not affect how it stores, manages or protects customer data.
But privacy experts say this is precisely the problem — 23andMe’s privacy policy allows data to be disclosed to third parties, regardless of whether the consent is signed.
“If we are involved in a bankruptcy… your Personal Information may be accessed, sold or transferred as part of that transaction,” according to 23andMe’s privacy statement.
What genetic information does 23andMe have?
The genetic data 23andMe stored and analyzed from its customers contains essential features about people’s biological makeup and family relationships
Genetic data contains detailed information about each of the thousands of genes in the human . 99.9% of our genetic material is the same, but each person typically carries around 9,000 .
We inherit most of these mutations and accumulate some during our own development. It’s these maps of mutations that allow 23andMe — and companies like them — to tell their customers where their ancestors were from.
A risk to human privacy, and security
In October 2023, a hacker called “Golem” stole the data of seven million people from 23AndMe. Golem targeted Ashkenazi Jews and users of Chinese descent, offering to sell “tailored ethnic groupings, individualized data sets … [and] links to hundreds of potential relatives.”
No raw genetic data was leaked, but people’s personal details, genetic ancestry results, and geographical locations became available to bidders on a hacking forum.
Erman Ayday, an expert in genomic data privacy at Case Western Reserve University, US, told DW these data leaks show how the genetic data from 23andMe’s customers could be used in nefarious cases.
He said it’s feasible that people’s genetic data could be used in forensic investigations or crime scenes without their knowledge.
“From the leaked digital genomes, they can generate biological samples and plant such samples into crime scenes to falsely accuse someone of a crime,” said Ayday.
Blackmailing is also a concern, according to Ayday, as “there may be unknown paternity cases because the genome can be used to identify family connections.”
Genetic discrimination
Most of the 9,000 gene mutations we carry are benign and have little to no effect on our health. But some can severely disrupt protein function and cause diseases such as cancer, or heart conditions.
Mutations in the BRCA1 and BRCA2 genes, for example, can .
23andMe offered a separate service that analyzed these mutations to predict the risk of developing specific diseases.
Ayday said it’s feasible that employers could use this information to deny employment, or schools may deny athletic scholarships if they acquired genetic data without people’s consent.
In 2012, US-based physician Noralane Lindor analyzed the DNA of a patient and identified a gene mutation that has a high risk of causing cancer. Lindor also sequenced the patient’s grandchildren, one of whom later applied to the US Army to become a helicopter pilot. As soon as she revealed she went through the genetic test, she was rejected for the position.
Ayday said this was a rare case but highlights how genetic data can be used to make discriminatory decisions (though, the US military is exempt from laws prohibiting such actions).
Hypothetically, it’s also possible insurance providers could use genetic data to determine access to healthcare, financial aid, or mortgage applications. Health insurance companies, for example, could use people’s genetic data to discriminate against applicants for life, long-term care and disability insurance.
“Insurance providers may deny life insurance due to the genomic makeup [because of] the existence of known mutations that may lead to high predisposition to several diseases,” said Ayday.
Gaps in genetic data privacy protections
There are laws that restrict access to medical information by health insurers and employers. But the protective strengths of those laws vary between countries.
EU law, for example, dictates that genetic data cannot be shared with health insurers or employers.
Roisin Costello, an expert in EU law at the University of Dublin in Ireland, said it is “impermissible as a matter of EU law” that insurance companies or employers could use genetic data to discriminate against people.
But since 23andMe is not a medical provider it does not have to abide by standard privacy policies that must be followed at a doctor’s office. Such services are “not regulated well,” said Ayday.
Costello said there are gaps in genetic . Data privacy laws mostly operate based on individual consent, but because we share so much of our genomic data with our relatives, a DNA sample .
“For example, my father may choose to do a DNA test, and thus consent to the processing of his data. However, in doing so he also consents to the processing of my genetic data […] and to portions of the genetic information he shares with other family members,” Costello told DW.
“This is problematic as it presumes that one person can consent to the reduction of the genetic privacy of a whole biological group.”
Ayday said direct-to-consumer DNA testing services like 23andMe have increased the likelihood that genome data is available in less regulated environments. It is unclear what will now happen to its customers’ genetic data now that the company has gone bankrupt.
Edited by: Matthew Ward Agius
The post What does 23andMe bankruptcy mean for genetic data privacy? appeared first on Deutsche Welle.
