Justice and Due Process

What’s Next For Data Privacy?

Individual privacy is a fundamental principle protected both in the U.S. and Utah constitutions. It’s something to cherish and preserve throughout the changing times. Yet, courts have not been able to keep up with the developing technology so prevalent in modern day life. While our homes and physical property are often given the benefit of privacy, new and swiftly advancing technologies have often been left unprotected. In order to proactively protect our personal information in the digital age, legislators need to pass explicit laws to clarify what items and information deserve legal protections. 

In 2019, the Utah Legislature unanimously passed House Bill 57, a law to protect the information of Utahns that is stored with third party companies. Under the new law, the government must obtain a warrant before it can access data stored with or created by a third party provider such as Google, Dropbox, or Facebook, for example. Prior to the bill’s passage, law enforcement could simply approach these companies with an administrative subpoena, ordering them at will to hand over the information they desired. Such a system was—and outside of Utah, still is—ripe for abuse. 

HB 57 was a great starting place for the law to catch up on extending and explicitly applying constitutional protections to technology that the writers of the Constitution couldn’t have anticipated. (Some have suggested that existing 4th Amendment language is sufficient to apply to electronic data, but unfortunately the courts have not always agreed, thus necessitating a statutory remedy.) Even then, there are other areas of technology that still need protecting, and one of those areas is far too personal to wait on: DNA. 

In the past few years, companies like AncestryDNA and 23andMe have exploded with popularity for the services they offer. For just under $100, these companies provide kits that individuals can take home, submit their DNA via spitting into a tube, and then send it in to the company to process the DNA. The company uses the DNA data to provide unique information to the customer about their genealogical connections, and sometimes even their family medical history.  It sounds like an innocent way to learn about one’s heritage, but there are consequences to giving up some of the most sensitive, revealing information that applies not only to the customer, but their biological family members as well.

A person shares 50% of their DNA with their siblings and parents, 25% with grandparents, aunts and uncles, and 12.5% with first cousins, and so on. If a person has an identical twin, they share 100% of their DNA. This means that when a person submits their DNA to a company like 23andMe, they are not only giving their own information up, but their relatives as well. When submitting the DNA, the customer must agree to what it can and can’t be used for, and in some cases, they are asked to consent to allow the company to give their data to third party testing agencies and law enforcement. This puts a lot of power and responsibility in the hands of one individual customer while raising ethical questions about whether they should even be able to consent to something that impacts their relatives on such a personal level. 

Where do companies stand legally?

One investigation found that three popular DNA testing companies including African Ancestry, AncestryDNA, and 23andMe, all have policies written on legal matters, but they are all pretty weak. For example, 23andMe states they “will preserve and disclose any and all information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary.” AncestryDNA has a policy that they “may share your personal information if we believe it is reasonably necessary to comply with valid legal process” or “protect the security or integrity of the Services.” These policies are vague and subject to broad interpretations. 

Utah should recognize the sensitivity of the information these companies hold and create a statewide policy to uphold privacy by implementing a warrant requirement before law enforcement can access personal DNA data, whether or not the DNA is of the person suspected or a relative. This is the same concept that is applied under HB 57 to protect electronic information, and it should be applied to data that is arguably even more sensitive that what’s stored within our phones.