The US Urgently Needs New Genetic Privacy Laws

The laws governing DNA data in the US are patchy and incomplete. Yet people keep putting their DNA on the internet, compromising everyone's genetic anonymity.

Twenty years ago, you had about a 1 in 6 billion chance of knowing someone who’d had their DNA sequenced. Today, almost every American can name someone who’s had some form of genetic testing.

The rise of DNA data has legal experts increasingly concerned that the United States is not effectively protecting consumers from the many privacy risks that now loom before them. “What in heaven’s name is the law in genomics? That is not that easy to answer,” Susan M. Wolf told an audience gathered last Thursday at the University of Minnesota, where Wolf is a professor of law and health policy. “We’ve got 50 states. We’ve got multiple federal agencies involved.” The patchwork of laws means that in practice genetic anonymity is almost never guaranteed. But the legal landscape is so fractured that to fix this situation, the first issue is to resolve what rules apply to what data.

So Wolf and dozens of other lawyers, doctors, and others in the DNA testing world have spent the past three years assembling a searchable public database of every federal and state law, regulation, official guidance, and professional standard that currently regulates the field of genomics. The project, called LawSeq, is also assessing the field’s biggest legal challenges and seeking a consensus about how policymakers should think about a DNA-rich future. The project, funded by $2 million from the National Institutes of Health, tackles other aspects of genetic data law, but it was the discussion of privacy that dominated the group’s third and final conference in Minneapolis last week, which coincided with the one-year anniversary of the Golden State Killer arrest, which was made using DNA evidence.

“In the US we have taken to protecting genetic information separately rather than using more general privacy laws, and most of the people who’ve looked at it have concluded that’s a really bad idea,” said Mark Rothstein, a law professor at Brandeis and the director of the University of Louisville’s Institute for Bioethics, Health Policy and Law. By contrast, the European Union has designated DNA as personal data and made collecting it presumptively illegal under its recent consumer protections overhaul. In the United States, different laws regulate genetic data depending on where it is and what it’s being used for. “It’s basically a shortcut, because legislators here don’t want to enact broad legislation,” Rothstein said.

The problem with this system comes down to the fact that genetic data can have multiple uses beyond its original one. Say you participate in a research study or clinical trial that generates DNA data. A federal law protecting human subjects, called the US Common Rule, mandates that you be informed of how your data might be shared prior to signing a consent document. In 2016, Congress passed the 21st Century Cures Act, which also provides any federal research subjects with a certificate of confidentiality. This restricts the researchers collecting your genetic data from releasing it to law enforcement or other government agencies. And if that information were to somehow be illegally obtained, through a hack or some other breach, it would be inadmissible in court.

But say you want to add that genetic information to your electronic health record, so it’s available to your doctor. Now it becomes a piece of personal health data, governed by the Health Insurance Portability and Accountability Act. Under HIPAA, your genetic data can’t be given to your school or employer, but law enforcement agencies are entitled to access it without a warrant if you’re the victim or suspect of a criminal investigation.

Now that your DNA data is in your health records, your insurance provider can also access it. That’s why, in 2008, Congress passed the Genetic Nondiscrimination Act, or GINA, which prevents health insurers from denying coverage or jacking up prices based on someone’s genetic predisposition to various health conditions. (They can still do that if your genes make you actively sick—GINA becomes basically useless once you show symptoms.) GINA also doesn’t apply to long-term-care insurance, life insurance, or disability insurance, though it does ban employers from using it to decide who gets hired, fired, promoted, or given a raise. Rothstein says the best genetic nondiscrimination law ever enacted in the US was the Affordable Care Act, President Obama’s signature health care reform law. The controversial legislation, which is facing new legal challenges by the Trump administration, specifically guarantees that insurance companies can’t use preexisting conditions to deny coverage.

But neither the Common Rule nor the ACA nor GINA provides protections against lots of other potential uses of DNA data. Say you’re looking to buy a condo in a retirement community. If the condo association wants you to submit DNA test results showing you don’t have a genetic predisposition to Alzheimer’s as part of your application, that would be legal in every state except California. Schools, too, could require DNA tests for admissions or to keep out kids with certain genetic predispositions.

It’s not happening yet, but as researchers get better at predicting things like educational success and earning potential from people’s genes, the hypothetical scenarios that would fail to be protected under current laws keep edging closer to reality. Add to that the fact that millions of Americans are sending their DNA to companies like 23andMe, Ancestry, and other direct-to-consumer testing firms, which aren’t covered by HIPAA, and you can start to see the scope of the problem. “There comes a time when we may need a special-purpose genetic privacy law,” said Barbara Evans, director of the Center for Biotechnology and Law at the University of Houston. “As DNA moves outside the HIPAA-protected realm, we’re close to that time where Congress may need to step up again.”

One thing Evans and others in the LawSeq project think Congress should consider is the trouble with de-identified data. In the US, as long as someone’s genomic record is stripped of personal information such as name, address, birthdate, telephone number, and 14 other identifiers, it can be shared between researchers, posted to public databases, and bought and sold by various firms. Many say that this feature of genetic laws in the US has been vital for transforming strings of genetic code into useful products like new drugs, tests, and other targeted therapies. The promise of precision medicine, after all, relies on gathering staggering amounts of data.

But scientists have shown over and over that with enough data it’s possible to reattach someone’s name to a string of their genetic code. Besides biomedical research, DNA has been a huge boon to genealogy hobbyists who have uploaded their genetic profiles to public genealogy websites like GEDmatch. Using these open databases to generate maps of distant cousins, it’s now possible to identify just about every white person in America from their DNA alone. Law enforcement agencies have seized on this treasure trove of potential new leads for cracking cold cases—such databases have aided in the arrest of more than 50 suspects in the past 12 months.

To close this loophole, US policymakers could reclassify DNA as a piece of personally identifying information in its own right. But Ellen Wright Clayton, cofounder of the Center for Biomedical Ethics and Society at Vanderbilt and one of the leaders of LawSeq, was quick to point out that it won’t stop people from putting their personal genetic records on the internet. “It’s the greatest threat to privacy there is right now,” she said. It’s not enough to opt out of genetic testing yourself, because of the way DNA ties families together across geographies and generations. “The law has nothing to say about whether I can prevent my sisters or cousins or my kids from putting their genomic sequence out there.”

Given all the inadequacies of the American legal system, the question now might be whether genetic privacy is already dead. Depending on whom you ask, the answers range from outright nihilism (Facebook doesn’t take care of your data and people still use Facebook, why would DNA be any different?) to cautious hope that the uses of genetic data could still be curbed without interfering too much with research or public health. Such legislation might, for example, be modeled on something like the Fair Credit Reporting Act, with genetic information made off-limits for certain activities.

Brad Malin, a biostatistician at Vanderbilt who among many other titles serves as director of its Health Information Privacy Laboratory, summed up the situation in this way: “Sometimes it feels as if we have no privacy, and sometimes it feels as if we have no need for privacy, and then something shifts, the law, technology, adoption, and the pendulum swings the other way,” he said. “Right now we’re somewhere in between, where some people are giving up privacy and other people want it. The ones giving up their genomic data have the potential to infringe upon the privacy of others, but it’s kind of a grand experiment.”

If we get it wrong now, he said, what’s the worst that will happen? We lose privacy for a generation. And then half a generation after that. And half a generation after that. The geneticists in the room laughed. The lawyers, not so much.

