Researchers in the last century have made huge strides in the biological sciences. From the discovery of the double helix of deoxyribonucleic acid (DNA) in 1953, to the completion of the Human Genome Project by the National Human Genome Research Institute fifty years later, researchers have continued to make significant technological and scientific breakthroughs. Genetic testing, a medical test that can determine whether a person has, may develop or can pass on a genetic condition, is one of these breakthroughs. Despite the benefits of widespread access to genetic testing, concerns about the legality of sharing genetic information have arisen in light of the recent arrest of a notorious Californian serial rapist and murderer.
What are Genetic Testing Services?
Traditionally, genetic testing was done through healthcare providers These providers would determine which DNA tests to order and interpret the results to assess whether their patient had a genetic condition, was at risk to develop a genetic condition, or might pass on a genetic condition. In the early 2000s, direct-to-consumer genetic testing services hit the market. These services are advertised directly to consumers and can be ordered without the request of a healthcare practitioner. Genetic testing services gather information regarding predictions about health, information about common traits, and clues about the user’s ancestry using a sample of the consumer’s DNA. Examples of direct-to-consumer genetic testing services include Ancestry and 23andme, Inc. Direct-to-consumer genetic testing services are currently sparsely regulated.
One common type of direct-to-consumer genetic testing service comes in the form of ancestry, or genealogy, testing. Genetic ancestry testing allows consumers to use the results of their DNA tests to reveal the consumer’s ethnic backgrounds and link to family members that also provided their DNA to the service. One such service is GEDmatch, which analyzes results of genealogy testing conducted by other services to uncover potential relatives who have used a variety of other genetic testing services.
What Does This Have to Do with the Law?
The Golden State Killer, also known as the East Area Rapist and the Original Night Stalker, raped more than 50 women and murdered 12 men and women between 1976 and 1986. The rapes and murders went unsolved for decades until investigators input DNA data recovered from some of the victims into GEDmatch using a fake profile and without a court order. The results did not uncover the suspect but led investigators to a list of potential relatives of the suspect that had uploaded their own DNA data into the database. From there, investigators narrowed down the search to suspect Joseph James DeAngelo, whose DNA they later matched to the samples taken from the victims.
Is that Legal?
Opinions are split on the legality of such an action. Because direct-to-consumer genetic testing services are relatively new, few statutes and little case law dictate what the genetic data processed through such services can and cannot be used for. Aside from the Genetic Information Nondiscrimination Act (GINA), which prohibits discrimination by health insurers and employers on the basis of information acquired by genetic testing, there are few explicit restrictions on the use of genetic data. From a privacy perspective, experts in DNA searches and cybersecurity are concerned about the ethical implications of this type of policing, noting that anybody who uploads their genetic information to the Internet could compromise both their own privacy, as well as the privacy of all their blood relatives.
Both Ancestry and 23andme claim on their websites that they do not provide genetic data from their customers to anyone, including law enforcement, without permission unless required by court order. GEDmatch, however, makes no such promises, and allows “anyone with an internet connection” and log in information to search the website for genealogy matches. In fact, individuals were warned not to upload their DNA data onto the website if they are concerned about non-genealogical uses of the data in a message from GEDmatch to its users on April 27, 2018.
Growing concerns about privacy in the wake of technological advancement have surfaced in the last several years. In general, the courts have occasionally been willing to grant expanded privacy rights in view of new technological advancements. For example, the United States Supreme Court has held in favor of granting more privacy protection to individuals under the Fourth Amendment with respect to warrantless search and seizure of cell phone records. Additionally, Facebook has been under pressure for the last several years due to a variety of privacy protection concerns, the latest of which lead to the certification of a class challenging the legality of using facial recognition software on the platform.
Despite the lack of authority on the issue of data privacy in relation to direct-to-consumer genetic testing services specifically, in recent years the United States Supreme Court has begun to address how to balance the ease of genetic testing with growing privacy concerns. For example, in 2012 the United States Supreme Court in Maryland v. King held that taking a DNA sample of a suspect in custody without a court order is a reasonable police booking procedure, akin to identification techniques such as fingerprinting and photographing, that does not violate the suspect’s Fourth Amendment rights. The Court concluded that the intrusion on the suspect’s privacy in Maryland v. King was reasonable in its scope and manner of execution after balancing “the privacy-related and the law-enforcement-related concerns,” despite the fact that the suspect had been taken into custody on grounds unrelated to those he ultimately was charged with. Illinois v. McArthur, 531 U.S. 326, 331 (2001). Justice Scalia, in his dissent, vehemently disagreed with the five-justice majority, stating that collecting DNA samples from suspects without express authority to do so unreasonably limits the privacy of the suspect.
There are notable differences between Maryland v. King and DeAngelo’s case. The police took the DNA sample from the suspect in Maryland v. King while he was in police custody during the course of his booking, and that sample was matched to a sample taken from the victim and stored in the law enforcement’s DNA database. Alternatively, law enforcement in DeAngelo’s case uploaded DNA acquired from his victims and uploaded it, without DeAngelo’s permission, to a public database, where they gained enough information to find DeAngelo after locating one of his distant family members. That said, DeAngelo’s counsel may argue that uploading DeAngelo’s DNA to a public website without his permission is not a reasonable intrusion into his privacy under the Maryland v. King balancing test. Should DeAngelo’s counsel make arguments relating to privacy concerns, the court’s decision regarding these arguments could revolutionize the way law enforcement analyzes DNA.
As of the date of this publication, no arguments have been filed in response to the complaints filed against Joseph James DeAngelo. That said, DeAngelo’s counsel may argue that the uploading his DNA onto GEDmatch without a court order unreasonably infringes upon his right to privacy. Considering the current trend towards increased privacy protection, DeAngelo’s counsel may succeed in a request for the court to throw out evidence that stemmed from the upload of his DNA onto GEDmatch.