Thursday, August 9, 2018

Consumer Genetic Testing Companies' New Policies for Law Enforcement Requests

Direct-to-consumer genetic testing companies now have "best practices" for privacy that they have pledged to follow. The impetus may have been the arrest in “the Golden State Killer case [made] by comparing DNA from crime scenes with genetic data that the suspect’s relatives had submitted to the testing company GEDmatch” and the agreement by 23andMe to “share user data, with permission, with GlaxoSmithKline after the pharmaceutical giant invested US$300 million.” 1/

The best practices document from the Future of Privacy Forum does not address the constitutional limits on subpoenas or court orders seeking genetic information from the companies. With respect to law enforcement, it merely states that "Genetic Data may be disclosed to law enforcement entities without Consumer consent when required by valid legal process" and that "[w]hen possible, companies will attempt to notify Consumers on the occurrence of personal information releases to law enforcement requests." 2/

23andMe maintains that it does "not provide information to law enforcement unless ... required to comply with a valid subpoena or court order." Another webpage states that it "will not provide information to law enforcement or regulatory authorities unless required by law to comply with a valid court order, subpoena, or search warrant for genetic or Personal Information (visit our Transparency Report)." (Emphasis deleted). But how does 23andMe decide which instruments are valid? The Transparency Report promises that
[W]e use all practical legal and administrative resources to resist such requests. In the event we are required by law to make a disclosure, we will notify you in advance, unless doing so would violate the law or a court order. To learn more about how 23andMe handles law enforcement requests for user information, please see our Guide for Law Enforcement
Does using "all practical legal ... resources" mean that the company will try to quash all subpoenas for samples or genetic data as unreasonable or oppressive (the standard under, for example, Federal Rule of Criminal Procedure 17(c)(2))? That seems doubtful. The "Guide for Law Enforcement" states that
23andMe requires valid legal process in order to consider producing information about our users. 23andMe will only review inquiries as defined in 18 USC § 2703(c)(2) related to to [sic] a valid trial, grand jury or administrative subpoena, warrant, or order. .... 23andMe will only consider inquiries from a government agency with proper jurisdiction. ... 23andMe will assess whether or not it is required by law to comply with the request, based on whether 23andMe is subject to personal jurisdiction in the requesting entity, the validity of the method of service, the relevance of the requested data, the specificity of the request, and other factors.
This explanation does not indicate that the company will make Fourth Amendment arguments on the consumer's behalf against compliance with formally "valid legal process." Nor could it under the long-established doctrine that limits the invocation of Fourth Amendment rights to the party whose rights are at stake. Although the company can complain that a subpoena is vague or overbroad or requires it to do too much work to produce the information, it cannot refuse to comply on the ground that a warrantless search without probable cause violates some Fourth Amendment right of the consumer. 3/

What the company will do (usually) is notify the customer who sent in the DNA sample so that he or she can contest the subpoena:
If 23andMe is required by law to comply with a valid court order, subpoena, or search warrant for genetic or personal information, we will notify the affected individual(s) through the contact information they have provided to us before we disclose this information to law enforcement, unless doing so would violate the law or a court order. We will give them a reasonable period of time to move to quash the subpoena before we answer it.

If law enforcement officials prevent this disclosure by submitting a Delayed Notice Order (DNO) pursuant to 18 U.S.C. § 2705(b) or equivalent state statute that is signed by a judge, we will delay notifying the user until the order expires. 23andMe retains sole discretion to not notify the user if doing so would create a risk of death or serious physical injury to an identifiable individual or group of individuals, and if we are legally permitted to do so. Under these circumstances, we will notify users of the law enforcement request once the emergency situation expires.
In other words, even if the companies do not want to work hand in glove with law enforcement, consumers who order tests cannot expect the new procedures to raise the individuals' constitutional objections to law enforcement demands for genetic samples or data (to the extent that there are any).

  1. Genetic Privacy, 560 Nature 146-147 (2018), doi: 10.1038/d41586-018-05888-2
  2. Future of Privacy Forum, Privacy Best Practices for Consumer Genetic Testing Services, July 2018, at 8. Accompanying footnotes discuss statutory protections for data used in federally funded studies or held by certain medical providers.
  3. Unlike search warrants, subpoenas do not normally require probable cause, and ordinarily, they are not "searches" within the meaning of the Fourth Amendment. In Carpenter v. United States, No. 16–402, 2018 WL 3073916 (U.S. June 22, 2018), however, a sharply divided Court carved out an exception for "the rare case where the suspect has a legitimate privacy interest in records held by a third party." Whether a subpoena for a DNA sample or SNP array data produced and held by companies like 23andMe falls into this category is an intriguing question. Bank records and records of numbers dialed from a home telephone do not, but "a detailed log of a person's movements over several years [or even over a six-day period]" does. One Justice in Carpenter suggested that a search warrant based on probable cause would be required for a DNA sample held by a direct-to-consumer testing company. But even if that is a second "rare case," the opinions in Carpenter did not discuss the standing of the company to raise the personal right of its customers.