Abstract
In the last decade, a wide variety of direct-to-consumer (DTC) genetic tests has become available that allow consumers to learn about their ancestry, genetic traits and propensity to genetic diseases. DTC genetic testing companies encourage consumers to share their data for research purposes. The reason is that these companies operate on two-sided business models, generating revenue primarily through selling genetic data to pharmaceuticals and research institutions. This chapter considers possible reasons for concern about consumers sharing their genetic data. It discusses various market failures that may arise in this two-sided market, ranging from information asymmetries to externalities and market power. This chapter asks whether the General Data Protection Regulation (GDPR) is able to mitigate these market failures, or whether specific laws for genetic data processing are in order. This chapter concludes that the broad research exemption in the GDPR leaves a regulatory vacuum for DTC genetic testing companies and biobanks alike.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 4 May 2016 OJ L 119/1.
- 2.
See M. Herper (Forbes, 2015), “Surprise! With $60 Million Genentech Deal, 23andMe Has A Business Plan”, www.forbes.com/sites/matthewherper/2018/07/25/23andme-gets-300-million-boost-from-glaxo-to-develop-new-drugs/#2fcdbc293213.
- 3.
Stoeklé et al. (2016), p. 3.
- 4.
Vayena et al. (2012).
- 5.
Stoeklé et al. (2016).
- 6.
Azencott (2018), p. 2.
- 7.
Mostert et al. (2016), p. 956.
- 8.
Article 9(2)(j) GDPR provides that sensitive personal data, including genetic data, can be processed without adhering to the strict consent requirements in Article 9(2)(a) GDPR for research purposes.
- 9.
Kalokairinou et al. (2018).
- 10.
Herper (Forbes, 2015).
- 11.
- 12.
§ 7 German Genetic Diagnostics Act (Gendiagnostikgesetz). However, the Act does not apply to genetic tests conducted for research purposes.
- 13.
On the available offers and pricing structures, see further Plöthner et al. (2017).
- 14.
See www.ancestry.com.
- 15.
A. Bluestein (FastCompany 2017), “After a Comeback, 23andMe Faces its Next Test”, www.fastcompany.com/40438376/after-a-comeback-23andme-faces-its-next-test; Geiger and Gross (2019), p. 12.
- 16.
Harris et al. (2013), p. 241.
- 17.
FastCompany (2017).
- 18.
- 19.
FastCompany (2017).
- 20.
FastCompany (2017).
- 21.
See e.g. The Washington Post, ‘Hunt for Golden State Killer led detectives to Hobby Lobby for DNA sample’, www.washingtonpost.com/news/post-nation/wp/2018/06/02/hunt-for-golden-state-killer-led-detectives-to-hobby-lobby-for-dna-sample/.
- 22.
Hogarth et al. (2008).
- 23.
Laestadius et al. (2017) find that DTC genetic testing companies do not consistently meet international transparency guidelines related to confidentiality, privacy, and secondary use of data.
- 24.
Quinn and Quinn (2018), pp. 1003–1004.
- 25.
- 26.
- 27.
Naveed et al. (2015), p. 6.
- 28.
Lindor (2012).
- 29.
Geiger and Gross (2019), p. 12.
- 30.
Stoeklé et al. (2016).
- 31.
Geiger and Gross (2019), p. 12.
- 32.
See further Weichert (2019), p. 152–3.
- 33.
Buiten (2018).
- 34.
Article 9 GDPR. Specifically, the GDPR refers to special categories of personal data.
- 35.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- 36.
- 37.
Art. 9 (2) (a) GDPR.
- 38.
Art. 9(2)(j) GDPR.
- 39.
Articles 2 no. 11; 5 (1) (b); 6 (1) (a) and 9 (2) (a) GDPR.
- 40.
Stemmer (2018), para. 74.
- 41.
Stemmer (2018), para. 78.
- 42.
On the scope of the research exemption, see further Werkmeister and Schwaab (2019).
- 43.
Germany has introduced such provision in its new privacy law.
- 44.
Article 17 (3) (d) GDPR.
- 45.
Article 14 (5) (b) GDPR.
- 46.
Article 89 (4) GDPR.
- 47.
- 48.
Pormeister (2017a), p. 140.
- 49.
- 50.
- 51.
Caulfield and Kaye (2009).
- 52.
- 53.
- 54.
Abbing (2015).
- 55.
Ruyter et al. (2010).
- 56.
- 57.
- 58.
Quinn and Quinn (2018), p. 1003.
- 59.
European Commission (2012), p. 13.
- 60.
- 61.
Thomas and Walport (2008).
- 62.
- 63.
Zika et al. (2010), p. 42.
- 64.
Albers MedR (2013), p. 483 seq.
- 65.
Taupitz and Schreiber (2016), p. 309.
- 66.
European Commission (2012), p. 34.
- 67.
Briceño Moraia et al. (2014), p. 190.
- 68.
European Commission (2012), p. 7.
- 69.
European Commission (2012), pp. 40 seqq. (with references to the corresponding legislation).
- 70.
Kaye (2011) p. 379.
- 71.
Caulfield and Kaye (2009).
- 72.
See further Kulynych and Greely (2017) on increasing information to patients on the use of their genomic data.
- 73.
References
Abbing HD (2015) EU cross-border healthcare and health law. Eur J Health Law 22:1–12
Albers M (2013) Rechtsrahmen und Rechtsprobleme bei Biobanken. MedR 31:783–791
Allen J, McNamara B (2011) Reconsidering the value of consent in biobank research. Bioethics 25:155–166
Azencott CA (2018) Machine learning and genomics: precision medicine versus patient privacy. Philos Trans R Soc A 376(2128):20170350. Available at https://doi.org/10.1098/rsta.2017.0350
Boddington P, Curren L, Kaye J et al (2011) Consent forms in genomics: the difference between law and practice. Eur J Health Law 18:491–519
Briceño Moraia L et al (2014) A comparative analysis of the requirements for the use of data in biobanks based in Finland, Germany, the Netherlands, Norway and the United Kingdom. Med Law Int 14(4):187–212
Buiten MC (2018) Regulating data giants: between competition law and data protection law. In: Mathis K (ed) New developments in competition law and economics, Series economic analysis of law in European legal scholarship. Springer
Casali PG (2014) Risks of the new EU Data protection regulation: an ESMO position paper endorsed by the European oncology community. Ann Oncol 25:1458–1461
Caulfield T, Kaye J (2009) Broad consent in biobanking: reflections on seemingly insurmountable dilemmas. Med Law Int 10:85–100
Eensaar R (2008) Estonia: Ups and downs of a biobank project. In: Gottweis H, Petersen A (eds) Biobanks: governance in comparative perspective. Routledge, New York, pp 56–70
European Commission DG for Research and Innovation, Gottweis H, Kaye J (2012) Biobanks for Europe: A Challenge for Governance. https://publications.europa.eu/en/publication-detail/-/publication/629eae10-53fc-4a52-adc2-210d4fcad8f2
Geiger S, Gross N (2019) A tidal wave of inevitable data? Assetization in the consumer genomics testing industry. Bus Soc, 0007650319826307
Geminn ChL (2018) Wissenschaftliche Forschung und Datenschutz Neuerungen durch die Datenschutz-Grundverordnung. Datenschutz und Datensicherheit
Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y (2013) Identifying personal genomes by surname inference. Science 339:321–324
Harris A, Wyatt S, Kelly SE (2013) The gift of spit (and the obligation to return it) how consumers of online genetic testing services participate in research. Inf Commun Soc 16(2):236–257
Heeney C, Hawkins N, de Vries J, Boddington P, Kaye J (2011) Assessing the privacy risks of data sharing in genomics. Public Health Genomics 14:17–25
Hogarth S et al (2008) The current landscape for direct-to-consumer genetic testing: legal, ethical, and policy issues. Ann Rev Genomics Hum Genet 9:161–182
Kalokairinou L, Howard HC, Slokenberga S, Fisher E, Flatscher-Thöni M, Hartlev M, van Hellemondt R et al (2018) Legislation of direct-to-consumer genetic testing in Europe: a fragmented regulatory landscape. J commun Genet 9(2):117–132
Kaye J (2011) From single biobanks to international networks: developing e-governance. Hum Genet 130:377–382
Kaye J (2012) The tension between data sharing and the protection of privacy in genomics research. Annu Rev Genomics Hum Genet 13:415–431
Knoppers BM, Zawati MH, Kirby ES (2012) Sampling populations of humans across the world: ELSI issues. Annu Rev Genomics Hum Genet 13:395–413
Kulynych J, Greely HT (2017) Clinical genomics, big data, and electronic medical records: reconciling patient rights with research when privacy and science collide. J Law Biosci 4(1):94–132
Laestadius LI, Rich JR, Auer PL (2017) All your data (effectively) belong to us: data practices among direct-to-consumer genetic testing firms. Genet Med 19(5):513
Laurie G, Postan E (2013) Rhetoric or reality: what is the legal status of the consent form in health-related research? Med Law Rev 21:371–414
Lindor NM (2012) Personal autonomy in the genomic era. In: Video Proceedings of Mayo Clinic Individualizing Medicine Conference
Mascalzoni D, Dove ES, Rubinstein Y et al (2014) International Charter of principles for sharing bio-specimens and data. Eur J Hum Genet 23:721–728
Master Z, Nelson E, Murdoch B, Caulfield T (2012) Biobanks, consent and claims of consensus. Nat Methods 9:885–888
McGuire AL, Beskow LM (2010) Informed consent in genomics and genetic research. Annu Rev Genomics Hum Genet 11:361–381
McGuire AL, Caulfield T, Cho MK (2008) Research ethics and the challenge of whole-genome sequencing. Nat Rev Genet 9:152–156
Mittelstadt BD, Floridi L (2015) The ethics of big data: current and foreseeable issues in biomedical contexts. Sci Eng Ethics; e-pub ahead of print 23 May 2015; https://doi.org/10.1007/s11948-015-9652-2
Mostert M, Bredenoord AL, Biesaart MC, van Delden JJ (2016) Big Data in medical research and EU data protection law: challenges to the consent or anonymise approach. Eur J Human Genet 24(7):956
Naveed M, Ayday E, Clayton EW, Fellay J, Gunter CA, Hubaux JP et al (2015) Privacy in the genomic era. ACM Comput Surv (CSUR) 48(1):6
Nuffield Council on Bioethics: The collection, linking and use of data in biomedical research and health care: ethical issues, 2015. Available at http://nuffieldbioethics.org/wp-content/uploads/Biological_and_health_data_web.pdf
O’Brien SJ (2009) Stewardship of human biospecimens, DNA, genotype, and clinical data in the GWAS era. Annu Rev Genomics Hum Genet 10:193–209
Pálsson G (2008) The rise and fall of a biobank: the case of Iceland. In: Gottweis H, Petersen A (eds) Biobanks: Governance in comparative perspective. Routledge, New York, pp 41–55
Pauly D (2018) Kommentierung zu Art. 89 DSGVO. In: Paal BP, Pauly D (eds) Datenschutzgrundverordnung Bundesdatenschutzgesetz
Petrini C (2010) ‘Broad’ consent, exceptions to consent and the question of using biological samples for research purposes different from the initial collection purpose. Soc Sci Med 70:217–220
Phillips AM (2016) Only a click away—DTC genetics for ancestry, health, love… and more: a view of the business and regulatory landscape. Appl Transl Genomics 8:16–22
Plöthner M, Klora M, Rudolph D, von der Schulenburg JMG (2017) Health-related genetic direct-to-consumer tests in the German setting: the available offer and the potential implications for a solidarily financed health-care system. Public health Genomics 20(4):203–217
Pormeister K (2017a) Genetic data and the research exemption: is the GDPR going too far?. International Data Privacy Law 7(2):137–146
Pormeister K (2017b) The GDPR and big data: leading the way for big genetic data?. In: Annual privacy forum. Springer, Cham, pp 3–18
Quinn P, Quinn L, (2018) Big genetic data and its big data protection challenges. Comput Law Secur Rev 34(5):1000–1018
Rockwell KL (2017) Direct-to-consumer medical testing in the era of value-based care. J Am Med Assoc 317:2485–2486
Rodriguez LL, Brooks LD, Greenberg JH, Green ED (2013) Research ethics. The complexities of genomic identifiability. Science 339:275–276
Ruyter KW, LOuk K, Jorqui M, Kvalheim V, Cekanauskaite A, Townend D (2010) From research exemption to research norm: recognising an alternative to consent for large scale biobank research. Med Law Int 10:287–313
Schild HH (2019) Commentary to Article 4 GDPR. In: Brink S, Wolff HA (eds) BeckOK Datenschutzrecht. C.H. Beck Muenchen, para. 138
Schweighofer E et al (2017) Privacy Technology and Policy; Data Protection Working Party. Working document on genetic data. 12178/03/EN WP 91
Sethi N, Laurie G (2013) Delivering proportionate governance in the era of eHealth: making linkage and privacy work together. Med Law Int 13:168–204
Shabani M, Borry P (2018) Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation. Eur J Hum Genet 26(2):149
Steinsbekk KS, Kåre Myskja B, Solberg B (2013) Broad consent versus dynamic consent inbiobank research: is passive participation an ethical problem? Eur J Hum Genet 21:897–902
Stemmer (2018) Commentary to Article 7 GDPR. In: Brink S, Wolff HA (eds) BeckOK Datenschutzrecht. C.H. Beck Muenchen, para. 74
Stoeklé H-C, Mamzer-Bruneel M-F, Vogt G, Hervé C (2016) 23andMe: a new two-sided data-banking market model. BMC Med Ethics 17:19
Taupitz J, Schreiber M (2016) Biobanken - zwischen Forschungs- und Spenderinteressen. Bundesgesundheitsbl Gesundheitsforsch Gesundheitssch 59(3):1–7
Tene O, Polonetsky J (2012) Privacy in the age of big data: a time for big decisions. Stanford Law Rev 64:63–69
Thomas R, Walport M (2008) Data sharing review (UK) http://www.justice.gov.uk/reviews/docs/data-sharing-review-report.pdf
Vayena E, Gourna E, Streuli J, Hafen E, Prainsack B (2012) Experiences of early users of direct-to-consumer genomics in Switzerland: an exploratory study. Public Health Genomics 15:352–362
Vossenkuhl C (2013) Der Schutz genetischer Daten. Unter besonderer Berücksichtigung des Gendiagnostikgesetzes. Schriftenreihe Medizinrecht, Springer, Heidelberg
Wang S, Jiang X, Singh S, Marmor R, Bonomi L, Fox D, Dow M, Ohno-Machado L (2017) Genome privacy: challenges, technical approaches to mitigate risk, and ethical considerations in the United States. Ann N Y Acad Sci 1387(1):73–83
Weichert T (2019) Genetische Genealogie und Datenschutz. Datenschutz und Datensicherheit-DuD 43(3):149–153
Werkmeister C, Schwaab M (2019) Auswirkungen und Reichweite des datenschutzrechtlichen Forschungsprivilegs. Computer und Recht 35(2):85–90
West SM (2019) Data capitalism: redefining the logics of surveillance and privacy. Bus Soc 58:20–41
Zika E, Paci D, Schulte T, Braun A, RijKers-Defrasne A, Deschênes M, Fortier I, Laage-Hellman J, Scerri CA, Ibarreta D (2010) Biobanks in Europe: prospects for harmonisation and networking. http://ftp.jrc.es/EURdoc/JRC57831.pdf
Acknowledgement
The author gratefully acknowledges financial support from Deutsche Forschungsgemeinschaft (DFG) through CRC TR 224.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Buiten, M.C. (2021). ‘Your DNA Is One Click Away’: The GDPR and Direct-to-Consumer Genetic Testing. In: Mathis, K., Tor, A. (eds) Consumer Law and Economics. Economic Analysis of Law in European Legal Scholarship, vol 9. Springer, Cham. https://doi.org/10.1007/978-3-030-49028-7_10
Download citation
DOI: https://doi.org/10.1007/978-3-030-49028-7_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-49027-0
Online ISBN: 978-3-030-49028-7
eBook Packages: Law and CriminologyLaw and Criminology (R0)