Privacy Daily is a service of Warren Communications News.

Sensitive Genetic Data at 'Mercy' of Weak Rules, Say Georgetown Academics

The 23andMe bankruptcy earlier this year showed that U.S. policymakers must “close the governance cracks” around genetic data privacy, academics from the Georgetown University McCourt School of Public Policy said in a Tech Policy Press op-ed Tuesday. “The inherently sensitive and identifying nature of genomic data is currently at the mercy of a weak regulatory framework.”

“The collapse of 23andMe is more than a business story about a failing biotechnology company -- it is a reckoning for how the US government regulates the most intimate form of personal data: DNA,” wrote the McCourt School’s visiting fellow Zeena Nisar and master’s program students Gregory Shelby and Amr Yakout. The direct-to-consumer genetic testing company came under scrutiny earlier this year when it declared bankruptcy, and it was unclear what would happen to users’ sensitive data (see 2507300063).

Genomic data is uniquely sensitive, said the Georgetown academics. “Unlike a password or credit card, DNA cannot be reset or replaced. It is immutable, embedded in the body itself. It reveals disease predispositions, ancestry, and familial relationships. When sold or breached, exposure is permanent.” In addition, genomic data is “inherently identifiable,” they wrote.

“These risks are magnified by the absence of a comprehensive federal framework,” as HIPAA doesn’t apply to direct-to-consumer genetic testing companies like 23andMe, the academics said. “This regulatory vacuum allows firms like 23andMe to govern user data through company-written terms of service that are often ill-suited for scenarios such as corporate transitions.”

Mergers, acquisitions and bankruptcies make “accountability questions … especially fraught,” they added. “When a genetic database is treated as a transferable asset, customer data may be acquired by companies with entirely different incentives, with no guaranteed mechanism to revoke consent.”

Some state legislatures are responding to the 23andMe bankruptcy. Earlier this month, the Pennsylvania House unanimously passed a genetic data privacy bill (see 2512160065). Other states that passed genetic privacy laws this year include Texas, Florida and Indiana, while Montana updated its 2023 law (see 2508080054). However, Nevada Gov. Joe Lombardo (R) in June vetoed a Democratic bill on the subject (see 2506110024).

In addition, the U.S. Senate has expressed interest in the issue (see 507250042). Privacy experts predicted that fallout from 23andMe would likely lead to more privacy regulation and enforcement due to significant public awareness of the event (see 2504100033).