The Cost of Curiosity: 23andMe Data Breach Explained
Charlotte Bourguignon

Written by: Louis Longeval

One of the largest commercial genetic testing companies, 23andMe, announced on December 5th that hackers had stolen data from about 7 million of its customers, and that data has already been offered for sale online. In October the company had reported that roughly 14,000 customer accounts were affected by a security incident; the scale now appears to be far greater. According to the company, the attackers got into those accounts by credential stuffing (trying usernames and passwords leaked in breaches of other services) and, from inside them, harvested profile information on the millions of other users who had opted into relative-matching features. The compromised data included users’ ancestry information and, for some users, health-related information derived from their genetic profiles.

This blog post dives deeper into the privacy risks of voluntarily sharing your genetic data with private companies such as 23andMe. Being curious about your genetic make-up and heritage is understandable, but are you also willing to pay the price when things don’t go as planned?


What are Direct-to-Consumer genetic testing services?

Direct-to-consumer genetic testing (“DTC-GT”) is a commercial model of genetic testing in which consumers can take a test without any involvement of a healthcare professional. Consumers order a test online or buy one at a pharmacy and receive a saliva or swab kit; they return the kit with their sample to the for-profit genetic testing company for analysis. Rapid developments in genome technology (increasing affordability, efficiency and simplicity of genetic testing) and a growing interest in personalised health services have popularised commercial genetic tests, which once belonged exclusively to the domain of science and healthcare experts. A recent study projects that the global DTC-GT market will exceed €10 billion by 2032.

 DTC-GT services often claim to serve a different purpose than conventional genetic testing in the context of healthcare: as opposed to conventional (non-commercial) genetic testing which is meant to diagnose and treat patients’ diseases, commercial genetic tests aim to provide additional information with regards to biometric and life-related concerns, such as obesity, nutrition, skin, hair loss, ancestry and life cycle.  

Some of this information is quite harmless: test results that inform the consumer about earwax consistency or ability to smell asparagus in urine are unlikely to be used in medically relevant decisions, as they serve non-medical purposes. However, DTC-GT companies also offer tests for health-related purposes that reveal information about common complex diseases, such as type 2 diabetes, psoriasis, schizophrenia, age-related macular degeneration, osteoporosis and many types of cancer. Typically, there is no involvement of a healthcare professional to act as a guide for users when interpreting their results. 

Privacy risks inherent to genetic data and DTC-GT services 

No possibility to erase the data 

The majority of DTC-GT customers provide consent for their genetic data to be used for research purposes. For example, 23andMe reports that an estimated 80% of its customer base, roughly 11.2 million individuals, has consented to participate in research. To get an idea of how many research studies a consenting DTC-GT customer contributes to: 23andMe states on the research section of its website that “[on] average, a customer who chooses to opt into research contributes to over 230 studies on topics that range from Parkinson’s disease to lupus to asthma and more.”

 However, those who change their mind and wish to erase their genetic data after they have been processed for research purposes might be surprised that this simply is not possible. The GDPR provides for an exception to the right to erasure by stipulating that this right cannot be exercised when “[…] the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right [to erasure] is likely to render impossible or seriously impair the achievement of the objectives of that processing” (Art 17.3(d) GDPR).

The exception poses notable challenges with respect to genetic data: research participants may be unable to exercise the right to erase their genetic data because doing so could impede the research objectives. As a result, their personal data can persist in multiple research databases for long periods of time, since the genetic data of DTC-GT customers is often shared with a multitude of third-party researchers. Participants can contact the DTC-GT service to exercise their right to erasure and revoke their consent to future participation in genetic research, but this has no retroactive effect on studies in which their data is already being processed.

 Unpredictability of future developments  

The unpredictability of future developments in the field of genetics makes it hard to assess the privacy risks today. 23andMe informs customers about this uncertainty on the research information section of its website, noting that “[t]here may be additional [risks and/or benefits] to participation that are currently unforeseeable.” The rapid pace of advancement in genetic and genomic technology, coupled with evolving data usage and sharing practices, makes it difficult to foresee all potential privacy implications. As research progresses, the insights that can be derived from a given genetic dataset grow, so the informational value of the data increases over time, and data that seems innocuous today could become sensitive in the future.

Potential impact on family relationships 

Test results from processing genetic data can redefine family relationships, for example by confirming or disproving paternity, locating previously unknown relatives, or identifying anonymous donors. Some people are happy to find new relatives or to uncover their origins, while others may be distressed by the results or by unwanted contact. Such findings can generally be acted upon without legal restriction, even though the legal consequences, such as divorces and attempts to avoid child support, can be significant.

Impact on relatives 

Genetic data are distinguished from other types of personal data because they not only contain information about the provider, but also reveal information about the provider’s past, current and future relatives, thereby compromising their right to privacy. When evaluating the privacy risks associated with genetic data, it becomes clear that the conventional understanding of the right to privacy, which emphasizes individual choice and autonomy, needs to be challenged.  

However, the General Data Protection Regulation (“GDPR”) does not adopt a broad interpretation of who counts as a data subject when it comes to genetic data: it defines genetic data as “personal data relating to the inherited or acquired genetic characteristics of a natural person (…) which result, in particular, from an analysis of a biological sample from the natural person in question.” This individual-centric approach translates into inadequate or insufficient protection of the privacy rights of individuals who are directly or indirectly involved in genetic research. Relatives in particular find themselves in a vulnerable position when their shared genetic data is processed, because they cannot exercise any of the rights the GDPR confers on data subjects, even though the processing most definitely affects them.

Genetic discrimination  

Immutability is a unique characteristic of genetic data. In contrast to telephone numbers, passwords and license plates, you cannot change your DNA at will; once it has been publicised, there is no going back. This, combined with the longevity of genetic information and its predictive power regarding future health, makes it extremely valuable to certain actors. For example, an employer or insurer could use your genetic information to engage in genetic discrimination, defined as “the differential treatment of asymptomatic individuals or their relatives on the basis of their assumed genetic characteristics.” Genetic discrimination can lead to exclusion, restricting individuals’ access to social and professional opportunities, and this exclusion can in turn have profound psychological, social and economic consequences for those affected.



Most people aren’t aware of the privacy risks related to genetic data because it is a subject that is very hard to fully grasp. Because all future uses of genetic data cannot be foreseen, it is practically impossible to describe the risks exhaustively. However, the risks we can already identify today are considerable. A data breach like the one 23andMe recently suffered might reveal a health condition that the consumer would have preferred to keep private, or cause them adverse consequences such as reputational damage or loss of employment or insurance.

This ties back into the essence of data protection and privacy: giving everyone a choice about which information can be revealed to the public and what should remain personal. Knowing that your genetic data could potentially contain a lot of information that you wouldn’t want to release into the public domain, would you still risk taking a commercial genetic test?  
