Direct-to-Consumer DNA Testing: How protected is the genetic data you’re submitting to these websites?

In 2019, a survey found that one in seven US adults had submitted their DNA to a mail-in service, with the majority doing so to find out more about their family origins. And with the $14.8 billion genetic testing market set to grow by 11.6 percent over the next six years, it’s likely many more will be swabbing the inside of their cheeks to find out if they’re the descendant of a Viking, have family roots in a far-off land, or have more close relatives than they first thought.

But while the idea of DNA testing may conjure up some romantic sentiments, there are some huge privacy concerns surrounding the use of these websites. Our latest research found that the majority of countries fail to protect genetic data used in DNA testing through precise legislation, that the majority of websites offering such services sidestep medical regulation by stating that their results cannot be construed as medical advice, and that the most popular websites often operate in jurisdictions that lack data privacy standards.

So where in the world are DNA tests most popular? Which countries best protect your genetic data? And how comprehensive are the privacy policies of the most popular genetic testing websites?

To find out, our researchers looked at the top 50 countries by GDP to find out what legislation surrounding direct-to-consumer genetic testing there is (if any), how well protected genetic data is within the country, and what additional protections (e.g. the requirement of genetic counseling) there are.

Key findings:

  • France and Israel strictly prohibit the use of direct-to-consumer (DTC) DNA testing websites (but are unable to regulate those that operate from abroad)
  • Only 18 countries (aside from the above) have some regulations for DTC DNA tests, but they tend to relate solely to health-based tests
  • 10 countries fail to protect genetic data in basic legislation
  • The majority of countries do require some kind of consent for DNA data processing
  • Every country gives law enforcement the right to request access to the databases (the majority require some judicial oversight)
  • Most countries fail to provide specific data retention requirements for genetic data
  • No country requires health professionals and genetic counseling for all types of genetic tests (14 require health professional oversight for health-based tests and 10 require genetic counseling for health-based tests)

What privacy risks do at-home DNA tests pose?

Before we explore the above map and where DNA testing is largely unregulated or safeguarded, it’s important to understand what privacy risks these at-home tests pose.

For example, some DNA testing websites give law enforcement access to their databases–sometimes without warrants or judicial orders. Giving police access to this type of data may help in the capture of prolific serial killers (as was the case with the Golden State Killer), but it also poses a huge risk to users’ data, especially when the procedures involved aren’t clear. Even where a website states that it will only hand over data to police with the correct warrants, there are questions over how the police use the databases themselves. In the Golden State Killer case, investigators are said to have used an old DNA sample to create profiles on genealogy websites–without a warrant.

A Reuters investigation also found that the BGI Group’s prenatal test results were being shared with China’s military in a bid to improve “population quality.”

Not only that, but online DNA tests may circumvent protections intended to block those searching for biological connections. Parents may have privacy rights that conceal their identity through “closed” adoptions in the country where they reside, but a genealogy site outside that jurisdiction may link their biological child to them or to a close relative, enabling the adopted child to track them down.

Plus, as we’ve already noted, many of these websites avoid stricter healthcare or medical regulations by marketing themselves as a consumer service, so that any results cannot be construed as medical advice. For example, in the US, DNA testing companies generally don’t have to comply with HIPAA privacy requirements because they are not healthcare providers, health plans, or clearinghouses (the “covered entities” HIPAA applies to), nor business associates of one.

To remove the potential complications involved in such websites, some countries have strict regulations in place that essentially prohibit direct-to-consumer genetic testing. This is the case for France and Israel in particular. Nevertheless, this doesn’t prevent customers from seeking tests from abroad.

However, even in Israel where these kinds of tests are technically illegal, things aren’t clear-cut, highlighting just how complex and full of gray areas the DTC genetic testing legislation and regulation is. In Israel, genetic tests may only be carried out with a doctor’s prescription or via a court order. But one of the world’s biggest genealogy websites–MyHeritage–operates its head office from there, even though its DNA kits aren’t available to Israelis.

In Portugal, Article 27 of Law No. 12/2005 on the protection and confidentiality of genetic information, explicitly states, “The promotion, advertising or offering, made directly to the public, of genetic tests directly or indirectly related to health is prohibited.” But a number of DNA testing websites are freely available within the country–including Portugal-based websites, such as https://www.codigoadn.pt/. However, this is due to the law attributing responsibility to the government to regulate genetic tests and how they are made available in Portugal. To date, these regulations haven’t been introduced, meaning that while DTC genetic tests are essentially prohibited, there is no enforcement to prevent them.

Essentially, no country can adequately safeguard citizens’ genetic data from these websites as they are often located outside of their jurisdiction. That’s why it tends to fall on the user to do their homework and ensure the website they’re entrusting this intimate data with is upholding robust data privacy procedures.

That being said, even websites with transparent privacy policies can’t guarantee the safety of your data from hackers. Recent breaches of DNA data include one affecting 2.1 million customers of a genetic service acquired by the DNA Diagnostics Center (DDC), and the 2018 MyHeritage breach, which exposed 92 million email addresses and hashed passwords.

Which countries don’t protect the genetic data uploaded to DNA-testing websites?

As we have already noted above, France and Israel have the strictest laws in place and, therefore, don’t allow their citizens to submit DNA profiles to websites of such nature (in their country). This is why they’ve been given full marks (16/16) as no website within these countries could operate and carry out these types of tests legally.

All countries have been scored out of 16.

According to our findings, the countries with the worst protections for genetic data uploaded to DNA testing websites are:

  1. Iran – 0/16: Iran fails to score any points due to its lack of legislation, which includes having no data protection law. This means there are no regulations surrounding the collection, use, disclosure, or retention of this sensitive data.
  2. Iraq and the US – 1/16: Iraq and the US only manage one point because of their general laws that require judicial oversight for police access to private data (in most cases). As neither has adequate data protection laws, genetic data collection is open to abuse. Even though some US states do have adequate laws to regulate DTC genetic tests (e.g. Arizona, California, and Utah), the lack of federal law (including no federal data protection law) means there is no countrywide regulation.
  3. India and Indonesia – 3/16: Both India and Indonesia fail to protect genetic data in their legislation. However, separate regulations (e.g. the Information Technology Rules in India and the Electronic Communications law in Indonesia) may offer some protection, albeit inadequate.
  4. Bangladesh, Saudi Arabia, and Thailand – 4/16: Bangladesh’s Digital Security Act does cover DNA data and requires explicit consent for processing. But other gray areas, e.g. warrantless access for law enforcement in many cases, leave huge question marks over the safety of this type of data. It’s a similar story in Saudi Arabia and Thailand, where protections will increase in March 2022 and June 2022 (respectively) with the implementation of their new data protection laws.
  5. China, the United Arab Emirates, and Vietnam – 5/16: China does regulate the use of genetic data, but only in the cases of safeguarding public health, national security, and social public interests. Its new data protection law also offers some protection, but the invasive practices of law enforcement do encroach on privacy. Widespread surveillance practices in the UAE and Vietnam also jeopardize genetic data safety, despite websites having to adhere to some data protection regulations (e.g. needing consent to collect and share the data).

Which countries protect the genetic data uploaded to DNA-testing websites?

By heavily restricting genetic testing, France and Israel may be seen to best protect citizens’ genetic data from service-based DNA-testing websites with inadequate privacy protections. And by having specific laws surrounding some use of genetic tests (for health-based analysis), Austria, Australia, Belgium, Canada, the Czech Republic, Finland, Germany, Italy, the Netherlands, Norway, Portugal, Singapore, Spain, South Korea, Sweden, Switzerland, and Turkey do provide some protection.

For example, Australia does allow DTC genetic testing within its own borders while having good protections: tests may only be offered if specifically approved by the Therapeutic Goods Administration (TGA) and carried out under the supervision of health professionals. It also has specific requirements around the use of such data, including the need for consent and for warrants for police to access it (in the majority of cases–urgent crimes may give warrantless access initially). Australia doesn’t have provisions for genetic counseling, however.

However, as we know, many services are offered from abroad, so there is little they can do to ensure citizens’ DNA data is 100 percent safe. Plus, as they so heavily restrict websites within their own jurisdiction, this perhaps gives rise to more orders from abroad. Experts also suggest that because of the heavy regulations in Australia, DTC providers within the country struggle to compete with the costs of websites from outside the country.

Perhaps more worrying still is the fact that a lot of the DNA testing websites that are most popular are based in the United States, where privacy safeguards are at their worst.

Where in the world are DNA tests most popular?

Based on the number of searches for DNA tests or genetic testing (including in local languages), online DNA tests are most popular in the countries below.

Please note: Data was unavailable for China and Iran.

Nordic countries most favor genetic testing services. Over 1,000 searches per 100,000 users annually are conducted in Sweden, Denmark, and Norway, with the Finns also conducting 770 searches per 100,000 users.

Interestingly, Norway is one of the countries with specific legislation surrounding genetic testing. Medical genetic testing can only take place in institutions approved by the Board of Health and in hospital departments. However, Norway’s most popular genetic testing website by keyword search volume is DNA-Teste Norge.

This Norway-based company has no privacy policy listed on its website and shows no consent warnings or advice when adding tests to your basket. The only thing our researchers found was a line within the Terms of Sale, which simply states that data is processed in line with the Data Protection Act. All tests are shipped to a US-based laboratory (which helps the website sidestep the strict policies in place within Norway), yet the website fails to provide even the basic privacy information that would be expected of an online service-based business.

DNA-Teste Norge wasn’t the only website to fail in offering basic protections, either. Italy’s (https://dnacenter.it/), South Africa’s (https://dnatest.co.za/), Peru’s (https://www.genetics.pe/) and Turkey’s (http://www.dnagentesti.com/) most popular websites all lack a clear privacy policy on their website. A number of other websites also lack clear procedures or clarity within their privacy policies.

This highlights how imperative it is for users to look into these DNA testing websites to ensure their data will be adequately protected.

How to protect your DNA data when using an online genetic testing website

Our study demonstrates just how vulnerable your DNA data is when uploading to a genetic testing website, even if you live within a country that has some safeguards surrounding their use. Therefore, to ensure your DNA data is in the safest possible hands, you should:

  • Read the privacy policy: As tempting as it is to just click “Accept” when you’re heading to the checkout with your DNA kit, reading the privacy policy is a must if you’re going to find out the company’s data protection protocols (or lack of).
  • Make sure you’re giving informed consent: When giving your consent to the website to use your DNA data make sure you’ve been informed about exactly what this entails. What will they do with your data? Who will they share your data with? Can your data be used for research purposes? Do you have the right to withdraw your consent at any time?
  • Check what access third parties have to your data: Often, you’ll have to consent to the website using your data for research purposes. Check what this involves, e.g. whether your data is anonymized in the process, and that the data-sharing doesn’t go beyond this. Some websites state that they will not share your data with insurance companies or employers, which is important.
  • See if they give warrantless access to law enforcement: Some websites, after cases like the Golden State Killer, now explicitly state in their privacy policies that they will not share your data with law enforcement unless they have clear judicial authority to do so. Many also feature transparency reports so you can see how many times they’ve shared data with police. For example, 23andMe has received eight requests to access data relating to 11 accounts from US law enforcement since 2015.
  • Look for a data retention period and make sure you have a right to delete: A lot of countries fail to have specific retention periods for genetic data (or data in general) so look to make sure there isn’t a huge data retention period specified by the company. It’s also worth making sure they clarify that you have the right to request that your data be deleted at any time. This may not include data used in research purposes up until that point.
  • See if genetic counseling is offered along with your results: Although not a protection, per se, genetic counseling is often highly recommended when undergoing tests to see if your family is affected by or at risk of certain genetic disorders. Genetic counseling helps you process the implications of the findings. A number of countries require mandatory genetic counseling when undergoing these types of tests (for health reasons), e.g. Austria, France, Germany, Israel, Norway, Portugal, Singapore, and Switzerland.
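The checks in the list above can be turned into a first-pass review that you run over the text of a privacy policy before you hand over a sample. The script below is an added example, not code from the original article or from any DNA-testing company; the two policy excerpts it scans are constructed for the demonstration and are not quotes from any real policy. It classifies the law-enforcement clause (requires legal process, unconditional or vague, or not addressed, treating phrases like “without a warrant” as unconditional), extracts an explicit retention period or flags an indefinite one, and looks for a right to delete, opt-in research consent, a commitment not to share with insurers or employers, and a transparency report. Keyword matching of this kind is a screening aid only; it tells you which paragraphs to read closely, not that the policy is sound.

```python
import re

# Constructed policy excerpts for demonstration only; they are not quotes
# from any real DNA-testing company's privacy policy.
POLICY_GOOD = (
    "We will not release your genetic information to law enforcement unless we "
    "receive a valid subpoena, court order, or search warrant, and we publish a "
    "transparency report of such requests. We retain your genetic data for 10 "
    "years after your last login, after which it is deleted. You may request "
    "deletion of your account and genetic data at any time. Your genetic data is "
    "used for research only if you opt in, and only in de-identified form. We "
    "will never share your genetic data with insurance companies or employers."
)
POLICY_WEAK = (
    "We may share your information with law enforcement and government agencies "
    "when we believe it is appropriate. We keep your data for as long as "
    "necessary to provide the service. Aggregate data may be shared with "
    "research partners. For questions contact support."
)

LE_MENTION = re.compile(r"law enforcement|police|government agenc", re.I)
LE_PROCESS = re.compile(r"subpoena|court order|warrant|judicial|legal process", re.I)
# "without a warrant" / "warrantless" mention a warrant but negate it.
LE_NO_PROCESS = re.compile(
    r"without (?:a |any )?(?:warrant|court order|subpoena)|warrantless", re.I)
RETENTION = re.compile(r"(?:retain|keep|store)[^.]*?(\d+)\s+(day|month|year)s?", re.I)
INDEFINITE = re.compile(r"as long as (?:necessary|needed|required|you(?:r account)?)", re.I)
DELETION = re.compile(
    r"(?:request|right to)\s+(?:the\s+)?(?:deletion|delete|erasure|erase)", re.I)
RESEARCH = re.compile(r"research", re.I)
OPT_IN = re.compile(r"opt[- ]?in|separate consent|only if you consent", re.I)
NO_INSURER = re.compile(
    r"(?:never|not|won't|will not)\s+(?:share|sell|disclose|provide)[^.]*(?:insur|employer)", re.I)
TRANSPARENCY = re.compile(r"transparency report", re.I)
DAYS = {"day": 1, "month": 30, "year": 365}


def sentences(text):
    """Split policy text into sentences so qualifiers are judged per clause."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def review_policy(text):
    """Return a dict of findings for the six checks from the article's list."""
    sents = sentences(text)

    # Law enforcement: one unconditional clause outweighs any conditional one.
    law_enforcement = "not_addressed"
    for s in sents:
        if LE_MENTION.search(s):
            if LE_NO_PROCESS.search(s) or not LE_PROCESS.search(s):
                law_enforcement = "unconditional_or_vague"
                break
            law_enforcement = "legal_process_required"

    m = RETENTION.search(text)
    retention_days = int(m.group(1)) * DAYS[m.group(2).lower()] if m else None
    retention_indefinite = retention_days is None and bool(INDEFINITE.search(text))

    # Research: a research clause without opt-in language is the weak case.
    research = "not_addressed"
    for s in sents:
        if RESEARCH.search(s):
            research = "opt_in" if OPT_IN.search(s) else "no_opt_in_stated"
            if research == "no_opt_in_stated":
                break

    return {
        "law_enforcement": law_enforcement,
        "retention_days": retention_days,
        "retention_indefinite": retention_indefinite,
        "deletion_right": bool(DELETION.search(text)),
        "research": research,
        "no_insurer_employer_sharing": bool(NO_INSURER.search(text)),
        "transparency_report": bool(TRANSPARENCY.search(text)),
    }


def warnings(findings):
    """List the checks a policy fails; an empty list means all six passed."""
    out = []
    if findings["law_enforcement"] != "legal_process_required":
        out.append("law enforcement access is not conditioned on a warrant or court order")
    if findings["retention_days"] is None:
        suffix = " (kept indefinitely)" if findings["retention_indefinite"] else ""
        out.append("no defined retention period for genetic data" + suffix)
    if not findings["deletion_right"]:
        out.append("no stated right to request deletion")
    if findings["research"] != "opt_in":
        out.append("research use is not opt-in")
    if not findings["no_insurer_employer_sharing"]:
        out.append("no commitment against sharing with insurers or employers")
    if not findings["transparency_report"]:
        out.append("no transparency report")
    return out


if __name__ == "__main__":
    for name, text in (("good", POLICY_GOOD), ("weak", POLICY_WEAK)):
        problems = warnings(review_policy(text))
        print(f"{name}: {len(problems)} warning(s)")
        for p in problems:
            print("  -", p)
```

Run it on a policy you have pasted into a string and read every sentence it flags; a clean result still leaves you to check the things regexes cannot, such as whether “de-identified” research data can be re-linked to you through relatives who also uploaded.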

Methodology and scoring

Our study focused on the top 50 countries by GDP to find out where direct-to-consumer (DTC) genetic tests were regulated by legislation. Our focus was on online-based websites that offer genetic testing for health and wellbeing/lifestyle services to see what protections are offered for all types of tests.

Specific Legislation for Direct-to-Consumer DNA Testing

2 = Yes. All types of genetic/DNA testing are covered in the legislation.
1 = Some types of genetic/DNA testing are covered in the legislation, e.g. health-based tests.
0 = Genetic testing isn’t covered by legislation.

Is Genetic Data Covered in the Country’s Data Protection Act?

2 = Yes. It is specifically defined in the act (and/or there is specific legislation governing genetic testing).
1 = Although it isn’t specifically defined, biometrics or sensitive data rules are likely to apply.
0 = Not covered in the act or no data protection act in place.

Is Informed Consent Required When Processing Genetic Data?

2 = Yes. Explicit, informed consent is required at all times.
1 = Informed consent required in most cases but there may be some loopholes. Or, consent generally required but “informed” or “explicit” consent isn’t.
0 = No law to govern the requirement for informed consent.

Can Data be Shared with Third Parties?

2 = Only with consent.
1 = Consent is generally required, but there are instances where data is shared without it.
0 = No requirements for consent.

Do Police Have Access to the Data?

2 = No access.
1 = Access with a warrant or judicial oversight.
0 = Access without a warrant.

Countries have been scored based on the legal requirements of the country. However, while warrants may generally be required, this doesn’t prevent companies from handing over data voluntarily (as per their privacy guidelines).

Data Storage Period

2 = Specific, defined data storage period for genetic data.
1 = No defined period but requirements for deletion when the data is no longer necessary for the purpose it has been collected.
0 = No data storage periods/deletions specified.

Involvement of Health Professionals in Genetic Testing?

2 = Yes.
1 = For some tests, e.g. health-based tests.
0 = No requirements.

Provisions for Genetic Counseling?

2 = Yes. Anyone undergoing genetic testing must receive genetic counseling.
1 = Some genetic tests require mandatory genetic counseling.
0 = No requirements.

Sources

For a full breakdown of legislation by country and for all sources, request access to this sheet here.

Data researcher: Rebecca Moody