image: Recreational genetic testing companies hold some of the largest repositories of consumer genetic data in the world, but what happens to all that personal information when the company goes belly up? It would most likely be sold to a successor company that customers might not want to entrust with their genetic data, says a new paper co-written by Sara Gerke, the Richard W. & Marie L. Corman Scholar at the College of Law.
Credit: Photo by Fred Zwicky
CHAMPAIGN, Ill. — Recreational genetic testing companies hold some of the largest repositories of consumer DNA in the world, but what happens to all that personal information when the company goes belly up? It would most likely be sold to a successor company that customers might not want to entrust with their genetic data, says a new paper co-written by a University of Illinois Urbana-Champaign expert in big data for health care.
Although the Genetic Information Nondiscrimination Act prohibits the discriminatory use of genetic information by employers with 15 or more employees and health insurers, it doesn’t apply to uses by other parties, such as life or long-term care insurance — and it doesn’t stop direct-to-consumer genetic-testing companies like 23andMe from selling customers’ data due to financial exigencies, says Sara Gerke, the Richard W. & Marie L. Corman Scholar at the College of Law.
“Companies like 23andMe are sitting on a massive treasure trove of personal information because when people initially signed up, they thought, ‘Well, I’m getting something out of this transaction’ without thinking about the possibility that the company would ever go bankrupt at some point in the future and potentially offload their dataset,” she said. “That’s just one example, but we are in a world awash in big data, and it’s not a problem that’s limited to 23andMe.”
Gerke’s co-authors are Melissa B. Jacoby of the University of North Carolina at Chapel Hill and I. Glenn Cohen of Harvard Law School.
Recreational genetic testing companies collect large amounts of sensitive customer data, including saliva samples, genetic information and self-reported information such as disease conditions, family history and health-related information — but that doesn’t mean people are covered by the stringent requirements of the Health Insurance Portability and Accountability Act, Gerke said.
“From a legal standpoint, people interact with such companies as ‘consumers,’ not ‘patients,’ and very few protections exist for customers,” she said. “They typically don’t fall under HIPAA because the law has a very narrow scope. It came into effect at a time when we went to the doctor’s office for traditional in-patient office visits. But does HIPAA apply to other direct-to-consumer health care products and services that we buy online? For the most part it doesn’t, and in the process, consumers have essentially handed over sensitive, private and often very valuable personal information to these tech companies thinking that they’ll remain under lock and key forever.”
The issue also applies to other companies that accumulate personal health data such as fitness trackers, Gerke noted.
“I think we’ll see more and more companies that are sitting on these massive stockpiles of sensitive personal data go bankrupt, and then we’ll have the same problem all over again,” she said. “We just don’t have a proper mechanism in place to protect people’s personal data.”
Gerke said it’s a “structural problem” in the U.S. legal system that relies mainly on privacy policies to protect customers’ data and also treats such data as a valuable asset.
“Congress could step in and shield consumers from having their data repackaged as a result of corporate changes,” she said.
Moreover, unlike other jurisdictions such as the European Union with its General Data Protection Regulation, the U.S. doesn’t have a comprehensive federal privacy law.
“The EU, by contrast, has the GDPR that applies to the processing of all personal data, including health data and other sensitive data such as genetic data,” said Gerke, also a professor at the European Union Center at Illinois. “So if direct-to-consumer genetic testing companies like 23andMe possess any type of personal data from individuals in the EU, it’s protected. The individual has rights and control over their data. If they want, they can request that companies delete their data.”
Although the U.S. doesn’t have a federal privacy law, a handful of states have enacted their own privacy laws, “which ultimately makes it more difficult in general for companies to comply with due to the patchwork nature of the state laws,” Gerke said.
The state of Illinois, for example, has the Genetic Information Privacy Act, Gerke noted.
“There are only a few states that have enacted comprehensive privacy laws, and the state of Illinois is really unique when it comes to genetic data thanks to the Illinois GIPA, which is probably one of the strictest when it comes to genetic information,” she said. “If a direct-to-consumer genetic testing company decides to share their data with a health or life insurance company, they would need written consent from the individual.”
Clearly, the remedy is to implement adequate data protection at the federal level, Gerke said.
“The ideal option would be to have a federal privacy law similar to the EU or at least amend HIPAA and GINA by expanding their scope,” she said. “Even if nothing happens at the federal level, hopefully consumers will now be more proactive and guarded about their data privacy given the headlines generated by the 23andMe bankruptcy.”
The paper was published by the New England Journal of Medicine.
Journal: New England Journal of Medicine
Method of Research: Commentary/editorial
Subject of Research: People
Article Title: Bankruptcy, genetic information, and privacy — Selling personal information
Article Publication Date: 1-Mar-2025