By: Mary Kate O’Connell
When the Golden State Killer was apprehended in 2018 after decades of killing, raping, and burglarizing Californians, genetic genealogy was heralded as the best new forensic method for solving cold cases.[1] The identification of the Golden State Killer was in part due to the work of genealogist Barbara Rae-Venter, who uploaded crime scene evidence to GEDmatch, which allowed her to meticulously fill out branches of the Golden State Killer’s family tree using DNA that had been voluntary submitted to genetic testing companies such as Ancestry.com and 23andMe.[2] Once Venter had traced the Golden State Killer back to common ancestors in GEDmatch, she scoured through social media and public records to narrow down the results.[3] Since Venter’s identification of the Golden State Killer, more than fifty other “cold cases” have been solved using genetic genealogy.[4]
Many consider genetic genealogy as using technology and innovation to improve public safety.[5] Others view it as a serious infringement on individual privacy rights.[6] Regardless of the opinions on the topic, it is critical to note that genetic genealogy, also known as long-range familial searching, is largely unregulated in terms of privacy protections.[7] Both Ancestry.com and 23andMe’s privacy policy’s prohibit law enforcement from accessing or searching collected personal data and DNA.[8] However, this prohibition does not apply to GEDMatch, which serves as a larger database for users to upload their DNA for free from testing companies to locate a wider web of family members.[9] While law enforcement must obtain a search warrant to use the GEDMatch database, the same requirement does not apply to genealogists, private investigators, at home crime sleuths, or true crime fanatics, who, like Venter, may be partnering with law enforcement on specific “cold cases”.[10] Another privacy concern relates to the ability to trace and locate the DNA of those who did not submit their DNA to genetic databases, but whose DNA is in the databases because an immediate or near immediate relative voluntarily submitted their DNA.[11]
Although the “pro” of public safety may outweigh the “con” of privacy infringement when it comes to forensic genealogy methods, increased regulation of genetic genealogy is needed to protect individual’s right to privacy under the Fourth Amendment of the U.S. Constitution.[12] Currently, the main bodies of law protecting individuals from the exploitation of their genetic DNA include the U.S. Common Rule and the 21st Century Cures Act.[13] The U.S. Common Rule requires participants in clinical research trials to be informed of how their data might be shared before they give consent.[14] The 21st Century Cures Act restricts researchers from releasing any genetic data to law enforcement and makes such data inadmissible in court if it is unlawfully obtained or hacked.[15] Both of these regulations, however, fail to address the lack of privacy protections for genetic data voluntarily submitted to companies such as Ancestry.com, 23andMe, and GEDMatch.
The
European Union’s General Data Protection Regulation (“GDPR”) may serve as a
good example of the privacy regulation needed in the United States to protect
individuals’ genetic data.[16] Under the GDPR, genetic data is considered
personally identifying information (“PII”), and therefore the sharing or
transmission of such data requires strict adherence to informed consent and
those who exploit such data can be held liable for privacy violations.[17] To move towards a privacy regulation such as
GDPR, the United States must first reclassify DNA as PII.[18] Although it sounds
simple, such a reclassification is likely to be challenging to achieve as doing
so would create obstacles for law enforcement to perform routine detective work
involving DNA testing, which has proved to be the fastest and most effective
forensic method for investigating and solving a crime.[19] Until DNA is reclassified as PII, individuals
should remain cognizant of the potential long-term ramifications of voluntarily
submitting their saliva to genetic testing companies and avoid submitting it if
they have a secret to hide.[20]
[1] See Megan Molteni, What the Golden State Killer Tells Us About Forensic Genetics, Wired (Apr. 24, 2019, 4:00 am) https://www.wired.com/story/the-meteoric-rise-of-family-tree-forensics-to-fight-crimes/.
[2] See Heather Murphy, She Helped Crack the Golden State Killer Case. Here’s What She’s Going to Do Next, The New York Times (Aug. 29, 2018) https://www.nytimes.com/2018/08/29/science/barbara-rae-venter-gsk.html.
[3] Id.
[4] See Molteni, supra note 1.
[5] See Megan Molteni, The Future of Crime-Fighting is Family Tree Forensics, Wired (Dec. 26, 2018, 8:00 am) https://www.wired.com/story/the-future-of-crime-fighting-is-family-tree-forensics/.
[6] See Megan Molteni, The US Urgently Needs New Genetic Privacy Laws, Wired (May 1, 2019, 8:00 am) https://www.wired.com/story/the-us-urgently-needs-new-genetic-privacy-laws/.
[7] Id.
[8] See Ancestry, Your Privacy, https://www.ancestry.com/cs/legal/privacystatement (last updated Dec. 23, 2019); See also 23andMe, Privacy Highlights, https://www.23andme.com/about/privacy/ (last updated Jan. 1, 2020).
[9] See GEDMatch, https://www.gedmatch.com/login1.php (last visited Feb. 2, 2020).
[10] See Cassie Martin, Why a warrant to search GEDmatch’s genetic data has sparked privacy concerns, ScienceNews (Nov. 12, 2019, 4:07 pm) https://www.wired.com/story/genome-hackers-show-no-ones-dna-is-anonymous-anymore/.
[11] See Id.
[12] See U.S. Const. amend. IV.
[13] See Protection of Human Subjects, 49 C.F.R. § 11.101 2018; See also 21st Century Cures Act, Pub.L. No. 114 – 255, § 2036 (2016).
[14] See Protection of Human Subjects, 49 C.F.R. § 11.101 2018.
[15] See 21st Century Cures Act, Pub.L. No. 114 – 255, § 2036 (2016).
[16] See Regulation 2016/679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 O.J. L 119.
[17] See Id.
[18] See Molteni, supra note 6.
[19] See Id.