1. Who can access my DNA data?

That depends where you live and what DNA test you’ve taken — and it could change. In China, the government may have collected DNA data directly from you, and regulations enacted in July allow it, for reasons of national security or public interest, to access genetic data held by third parties. In European Union countries, in some cases your data can be shared without your consent if it’s first anonymized and the purpose is scientific research that’s in the public interest. In the U.S., results of tests taken in a medical setting can be shared if they’re anonymized. Commercial DNA testing companies in the U.S. are bound primarily by their own terms of service, which they are free to change at any time. Generally, these companies share anonymized individual data with contractors that help process it and, if you provide additional consent, with academic and drug-company researchers. They also often share aggregated data.

2. What is anonymized data?

You’ll often see the words “anonymized” or “de-identified” used in discussions about DNA data. This means that companies attempt to strip any potentially identifying information from your data set, such as your name and contact information. But your DNA is inherently identifying because it is code that’s unique to you. And that code doesn’t have to be stored with your name to be connected to it. Studies have shown that it’s possible to discover the identities of anonymous people who participate in genetic research by cross-referencing their birth date, sex and postal code, for instance, with publicly available information. Here’s what testing company 23andMe says on the subject: “In the event of a data breach it is possible that your data could be associated with your identity, which could be used against your interests.”

3. What are the risks?

Once your data is out in the wild, it can be hard to control how it’s used. A researcher could get sloppy or share it. A database could get hacked. That’s what happened at the Israel-based DNA tester MyHeritage in 2018, though the company said no genetic information was accessed in the breach. Another DNA testing company, Veritas, suffered a breach that exposed customer information in late 2019. The more your DNA data is shared, the greater the chances of it being exposed. 23andMe is blunt about this, warning customers: “We cannot guarantee the confidentiality and security of your information due to the inherent risks associated with storing and transmitting data electronically.”

4. How can DNA data be used today?

There are some legal restrictions. In Europe, genetic information is recognized explicitly under the General Data Protection Regulation, giving citizens broad rights to know what information a commercial or research organization has about them and request it be deleted, and creating safeguards governing how that data is stored and used. In the U.S., a 2008 law called the Genetic Information Nondiscrimination Act (GINA) aims to protect against discrimination by employers and some insurers on the basis of genetic information. A similar law in Canada is tied up in the courts. But gaps in GINA mean that providers of life, disability and long-term care insurance legally can compel you to share findings about your DNA and make decisions based on them, though there isn’t any evidence that this has happened yet.

5. How are authorities using it?

In China, an authoritarian country, officials have set about building a DNA database in order to surveil and suppress its population, especially Muslim minority ethnic groups in the western region of Xinjiang. According to a survey by Interpol, which facilities worldwide police cooperation, at the end of 2016, 69 countries maintained a national DNA database, which can help identify crime suspects and convict or clear them of charges. In the U.K., which has one of the oldest and biggest repositories, the data of an adult convict is retained indefinitely, while that of someone charged but not convicted of a crime is held for three to five years. In recent years, police in the U.S. have gone beyond their own databases to solve crimes based on consumer DNA test results.

6. How does that work?

Investigators have taken DNA from a crime scene, compared it to the DNA of people in a commercial database, then identified a suspect among their relatives. In 2018 California police used GEDmatch, a free service that allows genealogy hobbyists to upload their data from other companies to find more relatives, to identify a suspect in the case of the Golden State Killer, who preyed on the state in the 1970s and 1980s. Most commercial testing companies say they require a warrant to let police access customer data, and in 2019, GEDmatch changed its policy so that users had to opt-in to let police see their profiles. However, in November a Florida judge granted a warrant giving police access to GEDmatch’s entire database.

7. How will DNA data be used in the future?

Predicting how technologies will evolve is close to impossible. Who could have guessed our phones would become things we hardly ever talk on? Still, current events give us clues to the future. It’s easy to imagine companies using your DNA results to target ads to you after Unilever invited European consumers to take a genetic test to see whether they were likely to love or hate the yeast-extract spread Marmite. Drug companies might pitch you a treatment for a disease you didn’t know you had. Life insurers might use networks of relatedness to determine risk, sports teams might use it to draft picks, and jealous spouses might turn to DNA to see if their partners are cheating.

8. How can I keep my DNA data private?

It may be too late for that. Unlike most other digital data, you share your DNA with a bunch of other people. So if a third cousin you’ve never heard of puts his DNA out in the wild, yours is out there too. One recent study suggested that just 2% of people need to share their genetic information for virtually everyone to be identifiable. Since there is little hope in keeping our genetic information private, experts have begun calling for more regulations to ensure the data is not abused.

