The announcement by 23andMe, a company that sells home DNA testing kits, that it has sold the rights to a promising new anti-inflammatory drug to a Spanish pharmaceutical company is cause for celebration. The collected health data of 23andMe’s millions of customers have potentially produced a medical advance – the first of its kind. But a few weeks later the same company announced that it was laying off workers amid a shrinking market that its CEO put down to the public’s concerns about privacy.
These two developments are linked, because the most intimate data we can provide about ourselves – our genetic make-up – is already being harvested for ends we aren’t aware of and can’t always control. Some of them, such as better medicines, are desirable, but some of them should worry us.
Launched in Silicon Valley in 2007, 23andMe offers genetic tests “direct-to-consumer” (DTC) – that is, independently of any healthcare system. The company collects genetic information about people, as well as information about their health, behaviour and much more besides. This allows it to identify links between certain genes and, say, a disease, and then – through its therapeutics division – to develop drugs that interfere with the action of disease-causing genes.
Companies such as 23andMe have proliferated over the past decade, feeding people’s hunger to know who and where they come from, and what diseases their genes might predispose them to. Over that time, it has gradually become clear that the main source of revenue for at least some of these companies comes from selling the data on to third parties.
Some DTC companies, such as 23andMe, are transparent about the sharing of data. When you sign its contract, you are asked if you consent to your data being used for research, and roughly 80% of 23andMe’s customers do. Other companies are less forthcoming. A 2016 survey showed that only a third of the 86 companies then offering genetic testing services online explained to customers how their data would be used.
The trouble is, a health tech company is not a doctor. It doesn’t take the Hippocratic oath, and the patient – or customer – is not the person whose wellbeing it is most concerned about. It is not obliged to talk you through its terms and conditions, and it could change these at any time – though in some jurisdictions this may void your consent. You can also withdraw your consent at any time, but that withdrawal generally takes time to come into effect, and in the meantime your data may have been passed on – after which it is harder to get it back. Erasing it entirely is harder still.
And what rights do the customers have over the product developed from their data? DTC companies are far from the only ones collecting sensitive data about you. National health systems, health insurers and, increasingly, social media providers are too. It’s already being used in research designed to improve our health and wellbeing, and there is a legitimate question to be asked about compensation. 23andMe, for example, asks its customers to waive all claims to a share of the profits arising from such research. But given those profits could be substantial – as evidenced by the interest of big pharma – shouldn’t the company be paying us for our data, rather than charging us to be tested? There are echoes of Henrietta Lacks here, the African-American woman whose cells became a workhorse of biomedical research after she underwent a biopsy in 1951, and who was never compensated (nor did she give her consent, but that was allowed under US law at the time).
The larger issue, though, is that with all of these databases there is ambiguity about who has access to them, and for what purposes. Besides pharmaceutical companies, others who might want such access include insurance companies, individuals involved in paternity or inheritance disputes, and law enforcement agencies. 23andMe states that it does not grant access to the police, but other companies – such as FamilyTreeDNA – boasts that it does. A suspect accused of being California’s notorious Golden State Killer was finally arrested in 2018 after investigators matched a DNA sample from a crime scene to the results of DTC testing uploaded on to a public genealogy site by a relative of his. Government-run biobanks have also granted access to police. This was how a conviction was secured against Swedish foreign minister Anna Lindh’s assassin in 2004. And experts speculate that in future, biological data could be used for identifying terrorist suspects, tracking military personnel, and the rationing of treatment in overstretched health systems.
National legislation varies widely across Europe, with respect to DTC genetic testing. France and Germany essentially ban it, unless done under medical supervision and consumers can be fined for ordering tests outside a clinical setting, while Luxembourg and Poland allow it with minimal restrictions – though, of course, any restrictions are difficult to police for tests bought online. The UK is somewhere in the middle, allowing the tests but insisting on informed consent. The European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018, imposes strict requirements on secondary use of data, and it applies to any company in any jurisdiction that targets EU-based individuals for goods or services. Those individuals strip away their own GDPR protection, however, when they contact foreign companies that don’t explicitly target them. The UK recently signalled that it will not remain aligned with the GDPR after the Brexit transition period.
These are the privacy concerns that may be behind layoffs, not only at 23andMe, but also at other DTC companies, and that we need to resolve urgently to avoid the pitfalls of genetic testing while realizing its undoubted promise. In the meantime, we should all start reading the small print.