London-based Privacy International (PI), a human rights group that serves as a watchdog on surveillance and privacy invasions by governments and corporations, has filed a complaint with the UK Information Commissioner's Office. The complaint questions Ancestry.com's new DNA services.
Privacy International believes that Ancestry.com's new DNA service should be stopped immediately until the company clearly defines the service and describes how it is being handled. Privacy International states that questions must be answered satisfactorily before people can have confidence in this new service. Until then, P.I. believes the service presents a number of substantial dangers for customers.
The formal complaint centers on Ancestry.com's offers to test and publicize the DNA of its customers. Privacy International believes "that the practice substantially violates UK Data Protection law" as well as the European Union Data Protection Directive.
I read the complaint, and my (non-lawyer) interpretation is that Privacy International has very few specific complaints. In fact, it is the lack of information that is raising questions. Specifically, P.I. wants to know more about the process of "complimentary storage of samples submitted for DNA testing." The privacy advocates seek to suspend the new DNA service until Ancestry.com explains to government regulators how the entire process works. At this time, Privacy International is not claiming there is a problem, but only that there is a POSSIBILITY of a problem.
For instance, the Ancestry.com web site states, "Ancestry.com will provide complimentary storage of samples submitted for DNA testing." Privacy International then asks:
Will the samples and related data be stored indefinitely?
Will Ancestry.com or Ancestry.uk.com customers be given a right to opt out of storage of their genetic material?
The complaint also asks questions about the contractual relationship(s) of The Generations Network, Sorenson Genomics, and the Church of Jesus Christ of Latter-day Saints. While the various words on the Ancestry.com web site seem to address U.S. laws, the complaint claims that the web site pays no attention to the European Union Data Protection Directive and related national laws in the U.K. and Europe. Since The Generations Network now operates offices and web sites in the European Union (Ancestry.com.uk, Ancestry.it, Ancestry.de, Ancestry.se, etc.), the company must comply with all laws in all jurisdictions where it operates.
Finally, the complaint questions ownership of the data. The genetic and genealogical information held by Ancestry.com/The Generations Network might be considered a transferable asset. Does that mean that the company owns the information, or do the individuals own their own information? Can that information be transferred to other companies or to government agencies?
NOTE: The web site clearly states, "Ancestry.com will not share your testing results with other organizations without your consent." However, the words "other organizations" are not clearly defined. Obviously, Ancestry.com must share the data with Sorenson Genomics, the company that does the actual testing. Ancestry.com does not own its own DNA testing lab; Sorenson Genomics and its employees perform that function. Does Sorenson constitute an "other organization?" What are the constraints placed on Sorenson Genomics? Is that organization free to share or sell the data? What happens if either company is bought out by a third party, as has happened often to Ancestry.com? Do the rights and restrictions flow to the new owners, and can the new owners sell the information?
What if the U.S. Government asks for the information? The Ancestry.com web site does say that disclosure may occur "as required by law." Whose laws? Will private DNA information of Ancestry.com customers in Canada, England, Australia, and elsewhere be given to the U.S. Government upon request?
Again, the complaint filed by Privacy International does not claim there is a problem. The complaint simply states that there are questions that need to be answered, and the answers need to be carefully examined by appropriate governmental agencies in the European Union and probably wherever else The Generations Network conducts business.
You can read the original compliant, filed on 22 October 2007, at http://www.privacyinternational.org/issues/compliance/ancestry_complaint.pdf.
Privacy International has also posted some background information about why the complaint was filed at http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-557923.
Interesting questions! Who "owns" your DNA information? Is genetic and genealogical data held by Ancestry.com a transferable asset? Do you know if your personal information is being protected to your satisfaction and to the satisfaction of the laws in your country?
The questions being raised are excellent ones, and deserve answers. DNA is among the most personal of data, and could be subjected to all kinds of abuses if not handled properly. Privacy policies of a company can change at their whim, and all bets are of if a company is sold, merges, or liquidated. Remember that you can't change your DNA (and particularly the samples) or other biometric identifiers if it gets compromised.
Posted by: Infinite Ancestors | February 20, 2008 at 03:00 PM
Sounds to me like Privacy International has some very valid questions. I, for one, would like to see the responses.
Posted by: Sandy in Texas | February 21, 2008 at 08:08 PM
Now I know why I have not returned my Ancestry.com DNA Kit.
Posted by: Jimmy | February 21, 2008 at 10:10 PM
Ancestry is not the only company that offers this service. What are the policies of those other companies? Is DNA stored? Are the results stored? Definitely Ancestry needs to address these issues, but I also wonder about the other companies that offer this service.
Posted by: Linda | February 22, 2008 at 01:38 AM
I feel that these are very valid questions that require very specific answers, especially in light of the fact that once you post information anywhere on Ancestry, it grants them license to use it in any way they see fit, whether that be charging a fee to see it, or re-packaging it and re-selling it. Will the same hold true for their DNA service?
Posted by: Dee | February 22, 2008 at 05:46 AM
The fact that "Ancestry.com will not share your testing results with other organizations without your consent." is a worthless promise. They can change their Privacy Policy at will, and the consumer has no recourse. I no longer do business with Amazon.com for that very reason. They changed their business model (and their Privacy Policy) and then shared all of my buying habits with their business partners. A hollow promise!
Posted by: BR in Maine | February 22, 2008 at 06:08 AM
I work in pharma and I can tell you the EU laws and regs are something that Ancestry and the other services need to look at very carefully. As a business we have had to revamp the way we carry out clinical trials and collect subject data. Ancestry would be wise to respond in a complete and public manner.
Posted by: Jim | February 22, 2008 at 08:54 AM
To address some of the concerns, UK residents are afforded protections (DNA included) by the Human Tissue Act 2004:
http://www.opsi.gov.uk/acts/acts2004/ukpga_20040030_en_1
The US has similar legislation pending in Congress, the Genetic Information and Non-Discrimination Act (GINA), but this bill is currently being stalled by a “hold” placed on it by Oklahoma Senator Tom Coburn:
http://www.isogg.org/savegina.htm
The privacy issue probably has not arisen before because the other companies have addressed these issues on their sites. You can view links to the companies along with DNA storage terms at:
http://www.isogg.org/ydnachart.htm
Posted by: Katherine | February 22, 2008 at 11:35 AM
One aspect of this which has not received enough attention is the possibility that the government could simply ask for some or all of the information collected, in the name of "national security" and Ancestry.com just forks it over. This has already happened with millions of airline passenger records. It also happened with records of many millions of Americans'phone calls. Given that corporate America has a lousy record of even waiting for a court order or of respecting American's privacy, what is to say that Ancestry.com won't follow suit? Which is why I have no intention of having my DNA tested lest it fall into the hands of an entity which has no rights to it.
Posted by: Fred | February 22, 2008 at 12:22 PM
What right does Privacy International have to interfere with the contractual relationship between an individual and The Generation Network? If they think there is something the consumer should know, they should inform, not bar the consumer from entering into agreements.
Posted by: Gary Mokotoff | February 22, 2008 at 12:24 PM
I remember asking myself similar questions when the original Ancestry DNA announcement was made.
I can't believe it took a UK based company to bring these privacy questions to light. Good for them...and good for us -- hopefully.
Posted by: N. Atkinson | February 22, 2008 at 12:58 PM
Note: to those worried about this issue ...
Observe the way the DNA test sample was collected AND submitted to almost ALL of the genetic genealogy testing facilities out there ... who's to say positively 100% whom the test sample came from ? ? ?
I would be willing to bet, the percentages are very high, that the one who mailed in the test sample is "not" the testing participant ... nor is the contact info for the person the test sample came from :)
Lots of us are tracking down participants, to be tested, to further our own curiosities of genetic genealogy ... and that person supplying the test sample, isn't always as interested in this research as you or I might be "/ as long as the test sample came from the correct participant of the lineage you are researching, who cares if the identity of the testing participant is actually known :)
Besides ... in the USA, the government would not subpoena the actual sample from another source with this kind of doubt ... the courts would throw it out, as second hand evidence with "no" verifiable proof as to whom the test sample came from :)
Why would your insurance company / local law enforcement and/or the vary government you live under ... be interested in pursuing this avenue ? ? ? when [1] they can easily get a court order to get their own test sample directly from the individual in question ... [2] your insurance company has access to any medical records on you from the past ... read the fine print the next time you sign any type of medical forms :)
Kenny -
hdpth-DNA
Posted by: Kenny Hedgpeth | February 22, 2008 at 03:41 PM
Privacy issues are "hot button" of late and with good reason in some cases with Big Brother looming over our heads. I am no fan of the two companies in question here - there are ones - like FTDNA - which I have checked and found to be quite reputable. Nevertheless, it has occurred that they might be bought out one day, and then what?
Well, to tell the truth, if/when Big Brother or Big Business wants a DNA or other bodily sample, they will not be running around to labs all over the country. They will simply demand what they want. You will have the right to say no, but there will be a price....no job, no insurance, no mortgage, etc.
As with any technology, there is potential for abuse. Employers, insurance companies and other businesses - like banks (mortgages)with whom we might want to do business long-term - might well make our lives miserable after a DNA test....but they will get it the easy way.
I am no cheer leader for either of the comanies referenced. But there are reputable companies in the business - the challenge becomes to ferret them out. So, as with any technology, genetics or genogenetics can be used for good or evil.
I just changed banks because a Credit Card I used and all other services resulted in a new "privacy policy" sent with my last statement. It allows them to "data mine" - to gather info about where, when and what I shop for (right down to brand) and then to give it to other companies in their group, co-venturers and to anyone they sell out to in future. They also reserved the right to transfer it offshore at which point privacy would be protected by the laws of the other jurisdiction.
They put in a negative option knowing people normally don't read that stuff - if you don't say no - it means yes; if you use their services, it means yes. Like hell - I pulled my accounts. I was advised to call so they could tell me which services they would no longer provide me were I to withhold permission - a problem for me because they do have great rates on car insurance.
But in checking for a new bank, I found others doing the same thing....and reporting it in the smallest typeface you have ever seen. The only one that doesn't - I'm moving there, but they pay almost no interest.
I deal with FTDNA - they are highly reputable - but I'll be honest, I have concerns about what happens if they are bought out. Privacy is a thing of the past - with the anti-terrorism and no-fly rules, they can tap anyone, any time, anywhere. There is no place to hide. Some people say they have nothing to hide. Data can be tampered with and it is plain stupid not to be concerned.
I don't worry too much about DNA for one reason - if big brother wants it, he won't go to Utah or a lab at a University in Phoenix to get it, you'll be forced to take the test to get insurance, a job or whatever.
I didn't know Ancestry was in the DNA Business. It could make it a harder sell. I have been trying to get a research lab to test certain members of the family for medical reasons, and they won't touch us - ironic huh???
I'm glad someone is keeping and eye on these things. I very much appreciate it!!! All we can do is try to keep them honest, and I do. I'm pleased there are others of like mind.
All the best,
Jim
Posted by: Jim Roache | February 22, 2008 at 07:59 PM
I recently ordered a mtDNA test on a relative with the intention of doint a full autosomal test at a later date, and wanted a company that would store the information. I was told that they could do that with mtDNA, but that after the autosomal, there would be nothing left of the sample for any further tests. Therefore the issue of storage of material seems a minimal risk. Further, the kinds of tests the we are doing for genealogy yeild such broad and general results that they are unsuitable for forensic or medical research according to the companies that do both kinds of testing. I fail to see an issue here other than general public paranoia brought on my other kinds of irresponsible actions by various gov't agencies...real or otherwise. A huge percentage of us doing this kind of research are too old to care anyway and are researching people long gone. Only Y and mtDNA are passed on consistently, and even Y has mutations. The rest changes from sibling to sibling, generation to generation. So what is the big deal? Misunderstanging of the kind of testing and information available from it I think. Too many CSI type programs on the telly!
Posted by: Jane | February 22, 2008 at 10:12 PM
Yes, this is "nasty". The government is already far to much into our personal business. But if you're not doing anything wrong, why worry?
Posted by: another Jane | February 25, 2008 at 09:08 PM
My God!!
I'm pretty much the most libertarian person I know (and that's saying something, seeing as how I spent the last 15 years of my life living in the "People's Republic of Massachusetts).
And I think this issue is entirely nuts. As an attorney (admittedly unfamiliar with **international** privacy law), I can't begin to understand how Ancestry is invading anyone's privacy, or could possibly do so. The people who participate are not only volunteers -- they actually pay for the privilege! If they aren't concerned about their privacy, why is it your job to protect them from themselves??
I agree, the privacy policies may be problematical in the long-run, but until I decide to give Ancestry my DNA and my money, that's not my problem.
Stop telling others what are and are not good risks for them! If you really care that much....fine: publicize what you believe to be the potential risks.
But to actually file suit because their rules aren't clear enough for your personal taste is offensive.
In the US, I don't even see how a court could grant you standing to sue; you simply have no legal interest in these policies.
Posted by: Dan | March 01, 2008 at 10:50 PM
As I understand it (and I am NOT an attorney), Privacy International did not file suit. They filed a complaint.
- Dick Eastman
Posted by: Dick Eastman | March 02, 2008 at 12:34 AM
Interesing and worthwhile subject. I am particularly uncomfortable since I did the DNA testing as a result of their promise that it would break down brick walls. This is only true if you have gone back 50 generations! I got no good results and found no connections.
I confronted Ancesry's DNA people about misleading the public and not referencing their results in lay terms. TheY were condescending and not helpful in any way!!! so I had them cancel the service but was unable to get my money back. KEEP ASKING QUESTIONS! kEEP THEM ACCOUNTABLE!!!!!!!!!!!!!!!!!!!!!!!
Posted by: Betty | March 03, 2008 at 07:46 AM
Does anyone have further information about this complaint? I am having concerns about the sharing of storage of genetic informaton/material.
Posted by: Scott Kendall | March 16, 2009 at 02:22 PM