Jane Tiller* says if you have given your DNA to a DNA database, US police may now have access to it.
In the past week, news has spread of a Florida judge’s decision to grant a warrant allowing police to search one of the world’s largest online DNA databases for leads in a criminal case.
The warrant reportedly approved the search of open source genealogy database GEDMatch.
An estimated 1.3 million users have uploaded their DNA data onto it, without knowing it would be accessible by law enforcement.
A decision of this kind raises concern and sets a new precedent for law enforcement’s access to online DNA databases.
Should Australian users of online genealogy services be concerned?
Why is this a big deal?
GEDmatch lets users upload their raw genetic data, obtained from companies such as Ancestry or 23andMe, to be matched with relatives who have also uploaded their data.
Law enforcement’s capacity to use GEDmatch to solve crimes became prominent in April last year, when it was used to solve the Golden State Killer case.
After this raised significant public concern around privacy issues, GEDmatch updated its terms and conditions in May.
Under the new terms, law enforcement agencies can only access user data in cases where users have consented to use by law enforcement, with only 185,000 people opting in so far.
The terms of the warrant granted in Florida, however, allowed access to the full database – including individuals who had not opted in.
This directly overrides explicit user consent.
GEDmatch reportedly complied with the search warrant within 24 hours of it being granted.
Aussies are also at risk
GEDMatch is small fry compared with ancestry database giants Ancestry (more than 15 million individuals) and 23andMe (more than 10 million individuals), both of which hold DNA data belonging to Australians.
Australians who wish to have ancestry DNA testing, currently have to use US-based online companies.
Thus, many Australians have data in databases such as Ancestry, 23andMe and GEDMatch.
The granting of a warrant to search these databases by US courts means those searches could include Australian individuals’ data.
Ancestry and 23andMe both have policies stating they don’t provide access to their databases without valid court-mandated processes.
Each company produces a transparency report that includes all requests for customer data that have been received and complied with.
Currently, that number is low.
But it remains to be seen how each would respond to a court-ordered search warrant.
Furthermore, while Australia currently doesn’t have its own genetic database (and no plans have been announced), the Federal Government’s commitment of A$500 million to the Genomics Health Futures Mission indicates a growing interest in the power of genomics for health.
If Australia wants to remain internationally competitive, a national genetics project is a natural next step.
We need DNA privacy legislation
In Australia, courts can approve warrants that intrude into private information and entities can only protect data to the extent that it’s protected by law.
Thus, the privacy policies of companies and organisations that hold genetic data (and other types of private data) usually include a statement saying the data will not be shared without consent “except as required by law”.
The Australian Information Commissioner can also allow breaches of privacy in the public interest.
It has been more than two decades since former Democrats Senator Natasha Stott-Despoja proposed the Genetic Privacy and Non-Discrimination Bill.
Although Australia has a patchwork of laws that protect citizens’ genetic data to an extent, we still have no specific genetic data protection legislation.
A broader legal framework dealing directly with the protection of genetic information is now required.
Australian politicians have previously shown willingness to use genetic information for Government purposes.
As genetic advances strengthen the promise of personalised medicine, Australian academics continue to call for urgent genetic data protection legislation.
This is important to ensure public trust in genetic privacy is maintained.
Ongoing concerns around genetic discrimination, and other ethical concerns, warrant an urgent policy response regarding the protection of genetic data.
What are other countries doing?
Globally, several DNA databases have amassed genetic datasets of more than 1 million individuals, including for research purposes and healthcare improvement.
Few databases outside the US have yet to reach the numbers needed to be useful for identification purposes.
However, many countries, particularly in Europe, have started establishing Government-funded national databases of gene donor data, including Sweden and Estonia.
The Estonian Biobank is one of the most advanced national DNA databases.
It has more than 200,000 donor samples.
With Estonia’s population of around 1.3 million people, the biobank represents around 15 per cent of the entire country’s population.
And Estonian legislation currently prohibits the use of donor samples for law enforcement.
In contrast, the UK Biobank doesn’t have specific legislation controlling its operation.
It only allows law enforcement agencies access if forced to do so by the courts, leaving open the possibility of access under a court-ordered warrant.
The biobank currently has samples from around 500,000 individuals but plans to collect at least 1 million more in future.
In Australia, accessing DNA testing is now easier than ever.
But those accessing it through US-based companies, or uploading their data to US-based databases, should be aware of the potential uses of their genetic information.
And as we move into an era of genomic medicine, urgent policy attention is required from the Australian Government to ensure public trust in genomics is maintained.
* Jane Tiller is Ethical, Legal and Social Adviser in Public Health Genomics at Monash University.
This article first appeared at theconversation.com