Transparency and Relevancy of Direct-To-Consumer Genetic Testing Privacy and Consent Policies in the EU
Xengie Doan and Fatma Dogan participated in the WOPA, ESR 9 and 8 respectively. Xengie is working on collective dynamic consent for genetic data and was interested in exploring the WOPA topic to better understand the current state of publicly available information from popular direct-to-consumer genetic test companies. Of the information given, how transparent are the data processing activities and the communication about risks and benefits (including collective implications, e.g. risks and benefits also affect family members), and was it framed in a way that enabled potential customers to know their rights? These rights are granted by the company policies, and by EU regulations such as the GDPR. While these companies may be global or serve multiple countries, for EU countries or residents they must respect EU regulations. This coincides with Fatma’s legal expertise and interest in health data sharing in the EU. This WOPA is related to the LeADS crossroads, inspired by concepts such as trust and transparency, user empowerment, and more. However, it is not directly related to any previous work with the crossroads SOTAs. This work contributes to a better understanding of how such companies operate and what information they deem important to share (for legal and customer empowerment reasons). We also offer suggestions for more user-centred, collective, and transparent policies.
Abstract of the Working Paper
The direct-to-consumer (DTC) genetic testing market in Europe is expected to grow to more than 2.7 billion USD by 2032. Though the service offers ancestry and wellness information from one’s own home, it comes with privacy issues such as the non-transparent sharing of highly sensitive data with third parties. While the GDPR states transparency requirements, in practice they may be confusing to follow and fail to uphold the goals of transparency – for individuals to understand their data processing and exercise their rights in a user-centered manner. Thus, we examined six large DTC genetic companies’ public privacy and consent policies and identified information flows using a contextual integrity approach to answer our research questions: 1) How vague, confusing, or complete are information flows? 2) How aligned with GDPR transparency requirements are existing information flows? 3) How relevant is the information to users? 4) What risk/benefit information is available? This study identified 59 public information flows regarding genetic data and found that 69% were vague and 37% were confusing regarding transfers of genetic data; consequently, GDPR transparency requirements may not be met. Additionally, companies lack public user-relevant information, such as the shared risks of sharing genetic data. We then discuss user-centered and contextual privacy suggestions to enhance the transparency of public privacy and consent policies and suggest the use of such a contextual integrity analysis as a governance practice to assess internal practices.