If you've given your DNA to a DNA database, US police may now have access to it

In the past week, news has spread of a Florida judge’s decision to grant a warrant allowing police to search one of the world’s largest online DNA databases, for leads in a criminal case.

The warrant reportedly approved the search of open source genealogy database GEDMatch. An estimated 1.3 million users have uploaded their DNA data onto it, without knowing it would be accessible by law enforcement.

A decision of this kind raises concern and sets a new precedent for law enforcement’s access to online DNA databases. Should Australian users of online genealogy services be concerned?

Why is this a big deal?

GEDmatch lets users upload their raw genetic data, obtained from companies such as Ancestry or 23andMe, to be matched with relatives who have also uploaded their data.

Law enforcement’s capacity to use GEDmatch to solve crimes became prominent in April last year, when it was used to solve the Golden State Killer case. After this raised significant public concern around privacy issues, GEDmatch updated its terms and conditions in May.

Under the new terms, law enforcement agencies can only access user data in cases where users have consented to use by law enforcement, with only 185,000 people opting in so far.

Read more: No, Mr Dutton, DNA testing ISIS brides won't tell you who's an Australian citizen

The terms of the warrant granted in Florida, however, allowed access to the full database - including individuals who had not opted in. This directly overrides explicit user consent.

GEDmatch reportedly complied with the search warrant within 24 hours of it being granted.

Aussies are also at risk

GEDMatch is small fry compared with ancestry database giants Ancestry (more than 15 million individuals) and 23andMe (more than 10 million individuals), both of which have DNA data belonging to Australians.

Australians who wish to have ancestry DNA testing have to use US-based online companies. Thus, many Australians have data in databases such as Ancestry, 23andMe and GEDMatch. The granting of a warrant to search these databases by US courts means those searches could include Australian individuals’ data.

Ancestry and 23andMe both have policies saying they don’t provide access to their databases without valid court-mandated processes.

Each company produces a transparency report (see here and here) which includes all requests for customer data that have been received and complied with. Currently, that number is low. But it remains to be seen how each would respond to a court-ordered search warrant.

Furthermore, while Australia currently doesn’t have it’s own genetic database (and no plans have been announced), the federal government’s commitment of A$500 million to the Genomics Health Futures Mission indicates a growing interest in the power of genomics for health.

If Australia wants to remain internationally competitive, a national genetics project is a natural next step.

We need DNA privacy legislation

In Australia, courts can approve warrants that intrude into private information, and entities can only protect data to the extent that it’s protected by law.

Thus, the privacy policies of companies and organisations that hold genetic data (and other types of private data) usually include a statement saying the data will not be shared without consent “except as required by law”.

The Australian Information Commissioner can also allow breaches of privacy in the public interest.

Read more: What does DNA sound like? Using music to unlock the secrets of genetic code

It has been more than two decades since Senator Natasha Stott-Despoja proposed the Genetic Privacy and Non-Discrimination Bill.

Although Australia has a patchwork of laws that protect citizens’ genetic data to an extent, we still have no specific genetic data protection legislation. A broader legal framework dealing directly with the protection of genetic information is now required.

Australian politicians have previously shown willingness to use genetic information for government purposes. As genetic advances strengthen the promise of personalised medicine, Australian academics continue to call for urgent genetic data protection legislation. This is important to ensure public trust in genetic privacy is maintained.

Ongoing concerns around genetic discrimination, and other ethical concerns, warrant an urgent policy response regarding the protection of genetic data.

What are other countries doing?

Globally, several DNA databases have amassed genetic datasets of more than 1 million individuals, including for research purposes and healthcare improvement.

Few databases outside the US have yet to reach the numbers needed to be useful for identification purposes.

However, many countries, particularly in Europe, have started establishing government-funded national databases of gene donor data, including Sweden and Estonia.

The Estonian Biobank is one of the most advanced national DNA databases. It has more than 200,000 donor samples.

With a population of around 1.3 million people, the biobank represents around 15% of the entire country’s population. And Estonian legislation currently prohibits the use of donor samples for law enforcement.

Read more: From the crime scene to the courtroom: the journey of a DNA sample

In contrast, the UK Biobank, doesn’t have specific legislation controlling its operation. It only allows law enforcement agencies access if forced to do so by the courts, leaving open the possibility of access under a court-ordered warrant.

The biobank currently has samples from around 500,000 individuals, but plans to collect at least 1 million more in future.

In Australia, accessing DNA testing is now easier than ever. But those accessing it through US-based companies, or uploading their data to US-based databases, should be aware of the potential uses of their genetic information.

And as we moves into an era of genomic medicine, urgent policy attention is required from the Australian government to ensure public trust in genomics is maintained.