The new frontier of health care is here, but will DNA privacy be lost?
In February, 23andMe, a company best known for its genealogy testing kits, announced plans to go public through a novel merger funding mechanism called a SPAC, or special purpose acquisition corp.
The merger is with VG Acquisition Corp., a Richard Branson-backed company, and Branson is pouring $25 million into the merger, as is 23andMe co-founder Anne Wojcicki. Once the merger is complete, the merged 23andMe is expected to have an estimated valuation of around $3.5 billion.
At that point, 23andMe will be well-equipped to venture beyond genealogy kits and into the new frontier of personalized health care, using a patient’s DNA as the basis for therapeutics or preventive medicine. It won’t be alone. In December, rival Ancestry was acquired in a $4.7 billion deal by private equity firm Blackstone Group Inc. When the deal was first announced, Ancestry’s then-CEO, Margo Georgiadis, said in a press release that it would allow the company to bring to life “our long-term vision of personalized preventive health.”
Advocates are concerned about the privacy of data collected by genetic testing companies; what control consumers have over their DNA data once it’s been submitted to 23andMe and other genetic testing firms; and what recourse consumers have if companies’ assurances of privacy prove unreliable.
“Data is the new oil,” says Catherine Arcabascio, a professor at Nova Southeastern University’s Shepard Broad College of Law in Fort Lauderdale, Florida. “I don’t know of any other information that one would hold so dear as their genetic code.”
Big Pharma wants to get its hands on some of this data. GlaxoSmithKline took a $300 million equity stake in 23andMe in 2018 to “focus on research and development of innovative new medicines and potential cures, using human genetics as the basis for discovery.”
“The question is one of consent, and the problem is consumers are not likely reading every detail of the terms of service,” Arcabascio says. “They’re treating DNA the same as a toaster oven. You have the terms of service, and you’re just clicking through.” She says it is difficult to ascertain what the privacy risks truly are when the industry is only in its infancy.
Arcabascio speculates on whether a law that would protect consumers’ DNA privacy is possible. “Eleven million people have already given up their DNA, and that gives you pause,” she says. “I don’t know how much you could do to protect people who have already consented.”
Will there be meaningful informed consent for consumers?
Favoring some sort of regulation is Katie Hasson, the program director on genetic justice at the Center for Genetics and Society in Berkeley, California.
Hasson says terms-of-service agreements are inadequate for consumers trying to protect their genetic privacy. “How many people are being asked to agree to terms of service every day?” she asks. “And once you make the privacy decision for yourself, you’re also making it for family members, and you may not even know you have these family members.”
According to 23andMe’s website, more than 80% of their customers agree to allow the company to use their data for research purposes. However, Hasson wonders whether customers really know what they’re agreeing to.
Congress previously has regulated big data involving medical records by passing the Health Insurance Portability and Accountability Act of 1996. However, genetic testing is said to be beyond HIPAA’s scope since it is not applicable to direct-to-consumer testing, Hasson points out.
It would not be surprising to find that regulation of genetic testing services will lag behind their development, as happened with Big Tech. “We’re just not tackling the privacy issue,” says Jen King, privacy and data policy fellow for the Stanford University Institute for Human-Centered Artificial Intelligence. “There’s a big public appetite for acting on a range of privacy issues, and a lack of action on the part of legislatures in getting them passed.”
King notes that the California Consumer Privacy Act, which uses an informed consent model to allow consumers to choose with whom they share their data, exempts certain HIPAA-covered information. But she points out that there’s a lot of health-related data that isn’t covered by HIPAA, including direct-to-consumer genetic testing and data collected from health and fitness apps, for instance.
Whether the CCPA and a similar Virginia law would affect companies such as 23andMe and their efforts to expand their individualized health care offerings would depend on what data is covered by HIPAA.
“What we’re seeing is that many companies are simply using IP-filtering or otherwise asking you to verify that you are a California resident before processing any CCPA requests. What I’ve observed so far is that companies do not seem eager to extend California rights to non-California customers,” King says. She also says she is unaware of any state that has passed a genetic privacy law such as the Genetic Information Privacy Act, which was vetoed by California Gov. Gavin Newsom in September.
When contacted by the ABA Journal, 23andMe did not make anyone available for an interview, but it issued a statement on privacy: “All of our research is still very much opt-in and choice-based and still overseen by our independent institutional review board, which ensures we are conducting research in accordance with all legal and ethical guidelines. As stated in our privacy statement, in the event that 23andMe goes through a business transition such as a merger or acquisition by another company, customer information would remain subject to the promises made in any preexisting privacy statement.” The statement also points out that consumers are free to withdraw their consent at any time, and it states that sensitive information is encrypted, with access limited to authorized personnel only.
This story was originally published in the June/July 2021 issue of the ABA Journal under the headline: “23 and You: The new frontier of health care is here, but will DNA privacy be lost?”
Correction
Print and initial online versions of "23 and You," June/July, page 24, featured a quote incorrectly describing 23andMe's service agreements.
The Journal regrets the error.
Print and initial online versions of “23 and You,” June-July, should have clarified that Margo Georgiadis was Ancestry’s CEO at the time of its acquisition. She is not Ancestry’s current CEO.