London-based Privacy International (PI), a human rights group that serves as a watchdog on surveillance and privacy invasions by governments and corporations, has filed a complaint with the UK Information Commissioner's Office. The complaint questions Ancestry.com's new DNA services.
Privacy International believes that Ancestry.com's new DNA service should be stopped immediately until the company clearly defines the service and describes how it is being handled. Privacy International states that questions must be answered satisfactorily before people can have confidence in this new service. Until then, P.I. believes the service presents a number of substantial dangers for customers.
The formal complaint centers on Ancestry.com's offers to test and publicize the DNA of its customers. Privacy International believes "that the practice substantially violates UK Data Protection law" as well as the European Union Data Protection Directive.
I read the complaint, and my (non-lawyer) interpretation is that Privacy International has very few specific complaints. In fact, it is the lack of information that is raising questions. Specifically, P.I. wants to know more about the process of "complimentary storage of samples submitted for DNA testing." The privacy advocates seek to suspend the new DNA service until Ancestry.com explains to government regulators how the entire process works. At this time, Privacy International is not claiming there is a problem, but only that there is a POSSIBILITY of a problem.
For instance, the Ancestry.com web site states, "Ancestry.com will provide complimentary storage of samples submitted for DNA testing." Privacy International then asks:
Will the samples and related data be stored indefinitely?
Will Ancestry.com or Ancestry.uk.com customers be given a right to opt out of storage of their genetic material?
The complaint also asks questions about the contractual relationship(s) of The Generations Network, Sorenson Genomics, and the Church of Jesus Christ of Latter-day Saints. While the various words on the Ancestry.com web site seem to address U.S. laws, the complaint claims that the web site pays no attention to the European Union Data Protection Directive and related national laws in the U.K. and Europe. Since The Generations Network now operates offices and web sites in the European Union (Ancestry.com.uk, Ancestry.it, Ancestry.de, Ancestry.se, etc.), the company must comply with all laws in all jurisdictions where it operates.
Finally, the complaint questions ownership of the data. The genetic and genealogical information held by Ancestry.com/The Generations Network might be considered a transferable asset. Does that mean that the company owns the information, or do the individuals own their own information? Can that information be transferred to other companies or to government agencies?
NOTE: The web site clearly states, "Ancestry.com will not share your testing results with other organizations without your consent." However, the words "other organizations" are not clearly defined. Obviously, Ancestry.com must share the data with Sorenson Genomics, the company that does the actual testing. Ancestry.com does not own its own DNA testing lab; Sorenson Genomics and its employees perform that function. Does Sorenson constitute an "other organization?" What are the constraints placed on Sorenson Genomics? Is that organization free to share or sell the data? What happens if either company is bought out by a third party, as has happened often to Ancestry.com? Do the rights and restrictions flow to the new owners, and can the new owners sell the information?
What if the U.S. Government asks for the information? The Ancestry.com web site does say that disclosure may occur "as required by law." Whose laws? Will private DNA information of Ancestry.com customers in Canada, England, Australia, and elsewhere be given to the U.S. Government upon request?
Again, the complaint filed by Privacy International does not claim there is a problem. The complaint simply states that there are questions that need to be answered, and the answers need to be carefully examined by appropriate governmental agencies in the European Union and probably wherever else The Generations Network conducts business.
You can read the original compliant, filed on 22 October 2007, at http://www.privacyinternational.org/issues/compliance/ancestry_complaint.pdf.
Privacy International has also posted some background information about why the complaint was filed at http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-557923.
Interesting questions! Who "owns" your DNA information? Is genetic and genealogical data held by Ancestry.com a transferable asset? Do you know if your personal information is being protected to your satisfaction and to the satisfaction of the laws in your country?
