Navigating Genetic Data Privacy and Law Enforcement Access

Scholars discuss the regulatory landscape surrounding genetic data privacy.

Nearly all newborns in the United States automatically provide their genetic information at birth through mandatory health screening programs. With a prick of the needle, hospital staff collect blood samples from the newborn’s heel and test for a range of genetic and metabolic disorders. After the screening is complete, the residual blood samples often remain in storage for years, typically for quality assurance and research purposes.

Hospitals’ retention of newborn blood samples has created a rich trove of genetic information for secondary uses. For example, researchers can tap into this national repository of genetic materials to conduct medical and pathology studies.

In addition, law enforcement officials have shown increasing interest in using genetic information provided through the newborn screening programs for criminal investigations. For example, in 2022, a lawsuit filed in New Jersey revealed that local police had subpoenaed a newborn blood sample to investigate a cold case from 1996. And in 2018, California police used newborn screening data to solve the Golden State Killer case.

Regulating law enforcement’s use of genetic data has proved challenging. In 1994, the DNA Identification Act directed the Federal Bureau of Investigation (FBI) to establish a national system for coordinating forensic DNA databases across states. In response to this directive, the FBI launched the Combined DNA Index System (CODIS), which serves as a central repository for states and agencies to collect, maintain, and share legally obtained genetic profiles. Moreover, the system allows participating forensic laboratories to compare DNA profiles and match crime scene evidence with past cases. But CODIS does not allow states to collect or store the genetic profiles of individuals with no prior involvement in the criminal justice process.

In contrast to CODIS, few restrictions exist on law enforcement’s ability to use DNA profiles obtained from consumer genealogical databases, such as 23andMe, in criminal investigations. Although CODIS contains only noncoding regions of a person’s DNA—which provide limited information about physical traits—commercial genealogical profiles analyze a person’s entire genome. By accessing commercial genealogical data, law enforcement can determine an individual’s gender, race, disease predispositions, and a range of other identifying details.

In response to the rise in law enforcement use of commercial genetic profiles, Maryland and Montana became the first two states to limit law enforcement officials’ use of forensic genealogy. The Montana law requires government investigators to obtain a search warrant before accessing any consumer DNA databases unless users waive their right to privacy.

Although allowing law enforcement officials access to consumer genetic databases can aid criminal investigations, advocates for enhanced regulatory oversight warn that the lack of privacy protections could undermine public trust, open the door for misuse, and ultimately harm citizens’ autonomy.

In this week’s Saturday Seminar, scholars survey the regulatory landscape of genetic data privacy.

  • In a recent article in the Journal of Law and the Biosciences, Jennifer Wagner of Penn State Law School and several coauthors explain how the Public Health Exception (PHE) to the Health Insurance Portability and Accountability Act Privacy Rule allows health care providers to share genetic risk information with at-risk relatives without the patient’s permission. Wagner and her team note that although medical information generally may not be shared without patient consent, the PHE authorizes some disclosures by authorized entities. The authors conclude that despite the potential of the PHE to improve individual patient outcomes through early detection, the PHE is not currently a viable pathway for genetic testing programs due to ethical and privacy concerns, such as disruption to family relationships.
  • In an article in the Texas Law Review, Natalie Ram of the University of Maryland Carey School of Law argues against law enforcement access to newborn genetic screening samples and related data. The recent rise in law enforcement officials’ use of such sensitive resources is concerning, Ram opines. She contends that permitting law enforcement to access newborn screening data without clear guidelines undermines ethical principles, risks eroding public trust, and may violate constitutional protections. Ram urges states to adopt clear, consistent policies prohibiting law enforcement access to this data to uphold the privacy rights of newborns and preserve the integrity—and vital public health benefits—of newborn genetic screening programs.
  • In an article in Fordham Law Review, Valerie Gutmann Koch of the University of Houston Law Center discusses potential regulatory solutions to non-negligent medical harms. She notes that genetic tests are classified by the FDA as either in vitro devices or laboratory-developed devices (LDTs), the latter having been designed, produced, and used in a single laboratory. Koch explains that the FDA often exercises enforcement discretion over safety and efficacy tests performed on LDTs, but holds them to a lower standard of accuracy and reliability than other medical devices. She proposes more “appropriately tailored” FDA oversight that could be implemented to standardize evidence and data collection of LDTs such as genetic tests. These more narrowly tailored regulations, Koch concludes, will ensure reliable test results and avoid unnecessary medical interventions.
  • In an article in University of California, Davis Law Review, Donna M. Gitter of Baruch College examines recent developments in state legislation aimed at protecting genetic privacy through property rights. Gitter highlights Florida’s Protecting DNA Privacy Act, which designates genetic information as “exclusive property” and is enforced through criminal penalties. Gitter argues that the rise of direct-to-consumer (DTC) genetic testing makes property rights a useful tool for protecting privacy rights, as DTC testing often allows third parties to access private genetic information without consent. Gitter concludes that state legislatures should strengthen statutory protection of genetic information by providing plaintiffs with a private right of action, increasing maximum damages, and using clear legislative language to avoid ambiguity.
  • In a recent article in Michigan Law Review, Nila Bala of University of California, Davis School of Law argues for more robust protection of children’s DNA data. Bala points out that children occupy a vulnerable position due to their relative inability to protect their own data. Moreover, Bala notes, parental consent is insufficient for guarding children’s DNA data due to potential conflicts of interest between parents and their children. To solve this problem, Bala suggests looking to property law, which separates parent and child interests. Bala argues that the law should treat parents as fiduciaries of their children’s genetic information, moving away from a framework of ownership.
  • In a student note in the Drexel Law Review, recent Drexel University Thomas R. Kline School of Law graduate Kevin Gilligan discusses the increasing popularity of DTC genetic testing and the resulting concerns for data privacy. Gilligan observes that the majority of customers consent to have their data used by third parties. Gilligan argues, however, that these customers may not be fully aware of the scope of their consent. In light of this reality, Gilligan suggests adopting strict liability for data privacy breaches to induce genetic testing companies to engage in optimal levels of data protection. Gilligan concludes that the Federal Trade Commission should censure companies that breach data confidentiality in the DTC testing industry.