From an article by Ancestry’s Chief Privacy Officer, Eric Heath, published in the Ancestry Blog:
“Your privacy is important to us. That’s why we want to share our position on a recent event where a Florida judge issued a search warrant to allow law enforcement to search all of GEDmatch, an open data personal genomics database. Following the issuance of the search warrant, GEDmatch opened its database of nearly one million users — beyond those who had consented to such access — within 24 hours. Ancestry believes that GEDmatch could have done more to protect the privacy of its users, by pushing back on the warrant or even challenging it in court. Their failure to do so is highly irresponsible, and deeply concerning to all of us here at Ancestry. GEDmatch’s actions stand in stark contrast to our values and commitment to our customers.
“We want to be clear – protecting our customers’ privacy and being good stewards of their data is our highest priority. Not only will we not share customer information with law enforcement unless compelled to by valid legal process, such as a court order or search warrant, we will also always advocate for our customers’ privacy and seek to narrow the scope of any compelled disclosure, or even eliminate it entirely. You can find more information on our privacy philosophy here.”
There is a lot more information available in the article at: https://blogs.ancestry.com/ancestry/2019/11/08/your-privacy-is-our-top-priority/.
10 Comments
😀
If there are any EU citizens whose data has been released by GedMatch without the individuals’ prior consent, then GedMatch could be charged with breach of GDPR which on conviction could result in a maximum fine of €20 million or up to 4% of GedMatch’s worldwide turnover, whichever is the greater.
I think it is the Orlando Police Department who are in breach of GDPR. GEDmatch were merely complying with the search warrant.
Under the EU law, it is the keeper of the data who is legally liable for any breaches. They are also required to notify the relevant Information Commissioner of any breach within 72 hours of any incident.
I think this is a somewhat grey legal area. It is difficult for a small company to fight a search warrant and they are legally obliged to comply. It is the OPD and the judge who are responsible for the breach. They should not be authorising the release of data from EU citizens to US law enforcement agencies unless explicit consent has been obtained. In Europe law enforcement are covered by the Law Enforcement Directive and much of GDPR doesn’t apply to them. However, the Law Enforcement Directive is silent on transfer of data outside the EU. With the potentially catastrophic implications of the transfer of data to the US, such as the grave possibility that the DNA data from an EU citizen could be instrumental in the resolution of a case which resulted in the death penalty, I would have thought that it should be possible for EU regulators to take some action. We will have to wait and see.
KISS principle! If an EU citizen has concerns – don’t upload your raw DNA to GedMatch – save them and yourselves your sleepless nights.
As to the rest, 23andMe and Ancestry posted to their own blogs – didn’t cost them anything I suspect.
Enough already with the fear mongering. If you want 100% privacy get off your cell phones, computers of all types and hunker down in your home – just remember not to talk to anyone as I doubt anyone can be really trusted not to tell your secrets to someone they know.
May you all have a great weekend, get out and enjoy – there are no Do Overs in life!
I find this amusing. Here are two Goliaths posting what can only be a “marketing” response to the Florida case. Any company who can afford a “Chief Privacy Officer” (Ancestry: $757 million revenue) and a “Chief Legal and Regulatory Officer” (23andME: $474 million revenue) can afford to pay lots of attorneys to challenge the Florida judge’s ruling. But two guys who, along with five volunteers, run a website on a shoestring can’t afford to get tied up in a prolonged court battle. Even 23andME admits that GEDmatch is “…a small publicly accessible DNA and genealogy research site.”
Ancestry and 23andMe get “good” publicity at the expense of “bad” publicity for GEDmatch. Rather than encouraging GEDmatch to defend the warrant (in other words, give them some money to defend it), they instead want to point fingers at GEDmatch rather than at the judge who issued the order in the first place. It sure appears to me that Ancestry and 23andMe would love to see GEDmatch disappear.
For all of you out there who think that GEDmatch is a huge corporation with deep pockets, I’d suggest you search the web and find out more about them. Or better yet, subscribe to their service for $10 and help them build a defense fund. However, you might want to check out what Ancestry and 23andMe charge first.
(I am also going to post this on the 23andME article.)
How right you are! Points well taken.
Privacy maybe, but what about using your DNA without your permission for their own purpose?
“You hereby release AncestryDNA from any and all claims, liens, demands, actions or suits in connection with the User Provided Content, including, without limitation, any and all liability for any use or nonuse of your User Provided Content, claims for defamation, invasion of privacy, right of publicity, emotional distress or economic loss. This license continues even if you stop using the Website or the Service.”
All this verbiage plus a whole lot more that is contained in Ancestry’s Terms and Conditions says that you really are the one who is on the hook if someone sues for “invasion of privacy.” You use Ancestry, you will forever be liable if someone sues over the use of your DNA. Maybe Ancestry will help defend you, but then again, maybe not.