Is Your DNA Secure? Federal Legislation on Genetic and Data Privacy
Ancestry.com isn’t just in the business of storing records, it’s also in the business of linking information. On the surface you have your family tree and all the records you linked to it. But Ancestry does more than that. Ancestry remembers that you linked both a 1900 census entry and a 1910 marriage record to one person’s profile in your family tree. Afterwards — even if your tree is private — when another user finds that 1900 census entry and links it to a profile in their family tree, Ancestry will helpfully tell them that they might also be interested in the 1910 marriage record.
On the DNA side of things, consumer genetic testing companies also produce linked information. On the surface, you have your DNA matches and you try to find if they have a person on their family tree that you recognize from your family tree. These are the most apparent links.
Another important link on the DNA side is the one between your DNA and the various health reports and health survey forms that you’ve filled out. They provide a list of health issues that are associated with a person possessing particular DNA. Even anonymized, i.e., without having your name attached to the DNA results, this link of DNA to health surveys is a highly sellable commodity. A linked database of 12 million 23andme DNA test results and health surveys brought a $300 million investment in 23andme in 2017. Then in 2022, it brought a $50 million payout to 23andme from GlaxoSmithKline. When we took the DNA test, we consented to having our DNA used for scientific research. But did we realize that the said research would mean transferring our DNA to another company?
Blackstone’s acquisition of Ancestry in December 2020 for $4.7 billion made everyone open their eyes. At the time, Ancestry claimed over 18 million DNA tests in their database. (It is now at 20 million DNA results and $1 billion in annual revenue from subscriptions and DNA testing.) The U.S. National Counterintelligence and Security Center ranked bio information with artificial intelligence and quantum computing as areas where foreign powers were seeking technology.
Journalists were specific about those threats. “Chinese firms are collecting genetic data from around the world, part of an effort by the Chinese government and companies to develop the world’s largest bio-database, American intelligence officials reported on Friday.” A full year earlier, another analysis was “With over 80 million health profiles, China has the largest DNA database in the world, and growing. In an interview with Fox News, [Gordon] Chang warned that China plans to use this information to create bioweapons designed to target specific ethnic groups.” No other news media have forecast bioweapons, but the profits to be made in new medications are huge.
We see several bills that were introduced in the current U.S. Congress to address this issue of genetic privacy. (See Table 1.) The issue can be approached from two sides. Is the DNA data itself protected? Is the personal information protected enough so that no one can identify the individual whose DNA it is? In addition, those bills aimed at the protection of personal data can also apply to companies like Facebook or Google that use personal data to focus advertising.
Table 1: Federal Bills Regarding DNA and/or Privacy
H.R.5154 submitted by Tim Burchett (R-TN)
American Genetic Privacy Act “A commercial DNA testing service may not disclose the genetic information of any individual, or any aggregate of such information, to the People’s Republic of China, or to any entity under the influence, control, or ownership of the People’s Republic of China.” After introduction, this bill was referred to the House Committee on Energy and Commerce, which moved it to the subcommittee on Consumer Protection and Commerce. No action since 6 September 2021.
H.R.5807 submitted by Filemon Vela (D-TX)
Digital Accountability and Transparency to Advance Privacy Act or the DATA Privacy Act “This bill establishes information security requirements for businesses that collect, process, store, or disclose information relating to at least 50,000 people in a 12-month period. The bill applies to information that may be linked to a specific individual or a device associated with a specific individual.” The bill was referred to the committee on Science, Space, and Technology, which referred it to a subcommittee on Research and Technology. The bill was simultaneously referred to the committee on Energy and Commerce. No actions since 1 November 2021.
S.3065 submitted by Catherine Cortez Masto (D-NV)
Digital Accountability and Transparency to Advance Privacy Act or the DATA Privacy Act “This bill establishes information security requirements for businesses that collect, process, store, or disclose information relating to at least 50,000 people in a 12-month period. The bill applies to information that may be linked to a specific individual or a device associated with a specific individual.” The bill was introduced in the Senate 26 October 2021 but has not yet been assigned to a committee.
______________________________  Bernie Monegain, “23andMe lands $300 million investment from GlaxoSmithKline,” Healthcare IT News, posted 25 July 2018 (https://www.healthcareitnews.com/news/23andme-lands-300-million-investment-glaxosmithkline | accessed 16 March 2022).  David Spiegel, “One of Google’s earliest genetic experiments, 23andMe, paid off — here’s what will make or break its future,” CNBC News, posted 25 January 2022 (https://www.cnbc.com/2022/01/25/how-one-of-googles-earliest-genetic-experiments-23andme-paid-off.html | accessed 16 March 2022).  David Lazarus, “Column: Why spend billions for Ancestry’s DNA data if you don’t plan to use it?” Los Angeles Times, posted 13 April 2021 (https://www.latimes.com/business/story/2021-04-13/column-blackstone-ancestry-genetic-privacy | accessed 16 March 2022). See also “Blackstone Completes Acquisition of Ancestry®, Leading Online Family History Business, for $4.7 Billion,” posted 4 December 2020 (https://www.blackstone.com/news/press/blackstone-completes-acquisition-of-ancestry-leading-online-family-history-business-for-4-7-billion/ | accessed 16 March 2022).  Company Facts, Ancestry (https://www.ancestry.com/corporate/about-ancestry/company-facts | accessed 16 March 2022).  The National Counterintelligence and Security Center, “Protecting Critical and Emerging U.S. Technologies from Foreign Threats,” October 2021 (https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/FINAL_NCSC_Emerging%20Technologies_Factsheet_10_22_2021.pdf | accessed 16 March 2022).  Julian E. Barnes, “U.S. Warns of Efforts by China to Collect Genetic Data,” New York Times, 22 October 2021 (https://www.nytimes.com/2021/10/22/us/politics/china-genetic-data-collection.html | accessed 16 March 2021).  Teny Sahakian, “China is collecting the world’s DNA and the reason is sinister: Gordon Chang,” Fox News, 4 December 2020 (https://www.foxnews.com/world/china-collecting-worlds-dna-sinister | accessed 16 March 2022).