I’ve already written about legal traps of genetic ancestry testing. Now it’s time to get more specific: I’ll take a look at a contract for genetic testing which is to be executed between you and a company that provides such services. Is it really worth it? I don’t think so, but you make your own decision.
YOU WILL GIVE THE COMPANY MORE THAN JUST GENETIC DATA
To begin with, let’s make sure you are fully aware of what data a company that tests your DNA to discover who your ancestors were will collect from you and process, besides your DNA sample, of course. First of all, such a company will know at least:
1) Your name,
2) Year of your birth,
3) In which country you currently live,
4) Your e-mail address,
5) Your credit card or bank account number depending on how you pay for the DNA test,
6) IP address of your computer,
7) The company will learn what operating system you use on your computer,
8) If you use a mobile device to log in to the account the company created for you, they will also find out what operating system you use on it,
9) Which company is your internet provider.
That’s a lot of very personal knowledge about you: “ordinary” personal data, but also super-sensitive personal data – a sample of your DNA. It is worth choosing wisely whom you entrust such knowledge to and what can be done with it. And here I get back to a concrete example. Take a closer look at the contract on genetic testing of Ancestry.com, so much recommended by Spidersweb.
Of course, the first contact with their website is pleasant. The company explains beautifully how simple it all is. You pay and they’ll send you a DNA kit. Then you send back the sample, and they’ll test it. The results, i.e. the genetic profile of your ancestors, can be collected only by you after logging into your account created at Ancestry.com.
Ordering the service is easy, although it can be done only in English. At the very bottom of the order form you will find two inconspicuous links to the documents titled “Terms and Conditions” and “Privacy Statement”. By placing and paying for your order you have of course entered into a contract on genetic testing with Ancestry.com. The most important thing is that the Terms and Conditions and the Privacy Statement are part of your contract with the company. That is a very good reason to have a closer look at both documents, don’t you think?
CONTRACT ON GENETIC TESTING OR “SMELLS LIKE ORACLE”
Both documents have 39 pages in total and of course they are available only in English. Naturally, it is not plain, simple English but a far more complex version soaked in legal jargon.
Besides, when you read them, you’ll find out that both documents contain links to other documents (also in English, of course). On top of that, the wording of the “Terms and Conditions” (T&C) as well as the “Privacy Statement” (PS) is often very ambiguous – at least from my perspective.
However, it is precisely the T&C that state the terms of the service delivered to you by Ancestry.com, while the PS is a document describing what rights you have with respect to the data you provide to the company and how the company protects your privacy.
In general, it reminds me a lot of Oracle’s strategy on licensing when renewing Java. I’ve written about this strategy and the perils of Oracle’s audits in my post on Java licensing and preparation for Oracle’s audits. It looks very similar to me here, only in a better package.
CONTRACT ON GENETIC TESTING: ARE YOU PROTECTED BY GDPR?
This “better package” is not due to the goodwill of the company but rather to EU regulations.
I have already written about the basic requirements of the EU General Personal Data Protection Regulation (GDPR), which also applies to non-EU companies such as Ancestry.
Unfortunately, if you are based outside of the European Union, then GDPR will not protect you. You must rely fully on the content of the T&C and PS, unless there are legal regulations in your country which guarantee additional protection of your personal data.
HOW DOES THE COMPANY PROTECT YOUR GENETIC DATA?
Of course Ancestry is aware of GDPR, so even though they are a US company, they still ensure in the T&C and PS that they fully comply with GDPR and EU consumer protection regulations.
In accordance with Article 27 of GDPR, Ancestry has also appointed its legal representative in the EU and this is their company registered in Ireland.
However, the Data Collector of your personal data, in the sense of GDPR, is still a company from the US, and it is they who ensure your data is protected and processed in accordance with GDPR.
Of course you know that your genetic data is a very specific type of personal data which requires higher standards of protection in light of GDPR. Ancestry is to make sure of that, but you won’t know the details. However, you will learn from the T&C and PS that the company will not necessarily test your genetic profile alone. They will use laboratories, other subcontractors and collaborators to do this and to deliver the service they were contracted for.
It is true that one reads in T&C and PS that the security of data processing will be ensured at the highest level at all times. But let’s be honest. You need to take this declaration for granted with no tangible evidence.
The reality is that until the security of Ancestry’s personal data processing is checked by an external audit and/or inspection, it will be difficult to tell whether this protection is sufficient.
And now the question is to what extent such an inspection by a Data Protection Authority from any EU country would actually be effective.
Remember that officials would have to inspect a company based outside of the EU. According to GDPR, it is possible, but what would it look like in practice, and what real effect would a possible fine have on the company?
Good question, isn’t it?
FAITH ABOVE ALL, BECAUSE YOUR DNA SAMPLE WILL NEVER RETURN
Your faith in the security of your personal data must be strong, because the DNA sample you sent to the company will never return to you. The question of how this fits within GDPR provisions and the right to be forgotten is left open. In addition, please note that the company can assign its rights and obligations under the T&C (including those relating to the protection of your personal data and genetic data) to anyone, even without your permission. So you have absolutely no control over who gets full access to your personal data after such an assignment.
CONTRACT ON GENETIC TESTING: GOVERNING LAW AND JURISDICTION
If you read the T&C, you will find that by paying for the service of creating your genetic profile you have agreed that this contract is interpreted in accordance with Irish law, as long as you’re a client based outside of the United States. And it is only the Irish courts that will settle any disputes under the contract. This is not the best of news if you are not Irish. The cost of legal services will be considerable, not to mention that you probably have no idea about Irish law or civil court procedure.
THE GENETIC SEARCH FOR ANCESTORS: IS IT WORTH IT?
In my opinion, absolutely not. At least not under these or similar conditions. The risk is too high in relation to potential profits. You’ll learn the genetic profile of your ancestors and find out where you come from but in the meantime, you’ll serve someone your full genetic profile and other personal data on a silver platter.
And all this without any real control over how your data will be protected and who will actually have access to it.
Think about it.