After a huge data breach at 23andMe, which exposed the genetic heritage of millions of people, French data protection agency CNIL is now reminding citizens that it’s illegal to purchase genetic tests for “recreational” uses. Users who ignore the warning risk a fine of €3,750, with the sellers risking much more.
In its latest statement, CNIL (Commission Nationale Informatique & Libertés) “calls for vigilance” regarding genetic tests online. CNIL reminds citizens that casual genetic testing is actually illegal in the country.
“Today, in France, genetic tests can only be carried out as part of a judicial investigation, for medical care, or for research purposes. Except in these very specific cases, the consent of the person must be obtained,” CNIL said.
The watchdog added that the particular sensitivity of health data and genetic data has led European legislators to prohibit the processing of this data in principle except in the aforementioned cases.
The laws “very strictly regulate the carrying out of genetic analyses and prohibit in France the carrying out of ‘recreational’ genetic tests, even with the consent of the person concerned,” CNIL warns.
Residents of France who purchase genetic tests online can be punished with a fine of €3,750. Carrying out a genetic test outside the medical and scientific fields is also prohibited and punishable by a fine of €15,000 and one year in prison.
However, these fines pale in comparison to those that may be imposed when data breaches occur.
“When, following an inspection or complaints, breaches of the GDPR or the Data Protection Act are noted, the CNIL may adopt corrective measures against the targeted organization. For example, it can impose a fine of up to 20 million euros or 4% of the company's annual global turnover,” the statement reads.
CNIL also warns that corrective measures may apply to non-French companies marketing genetic tests if their offers are linked to individuals within the European Union.
“Unlike a password, it is not possible to change your DNA”
Without mentioning the company name, CNIL hints that millions of people were exposed in a data security incident at 23andMe.
DNA testing “poses a real risk of data compromise, as demonstrated by the massive data breach in December at a leading genetic testing company. Whether it is an accident or a malicious act, highly sensitive data therefore risks becoming accessible to third parties,” CNIL said.
The French authority claims that the companies marketing DNA tests provide few guarantees on their quality and the security of samples and data (analysis techniques, storage methods, etc.). The conditions and other documents are often vague regarding data protection and transfer to third parties.
“It has already been observed that the companies in question enter into partnerships with other organizations that reuse the samples, particularly for research purposes,” the statement reads.
CNIL also warns that disclosure of the data may lead to discrimination based on ethnic origin, health, and other grounds.
The watchdog admits that genetic tests sold in kits on the internet, described as “recreational,” particularly for genealogical purposes, have become very popular. However, a saliva sample may have very serious consequences and reveal personal secrets such as adoption, birth by gamete donation, parentage, and genetic predispositions to certain diseases.
Together with genetic data, testing companies collect identity data and contact details, and send questionnaires to collect information about relationships (marital or family), dates of life events (marriages, deaths), food tastes, the ability to perform certain gestures (moving the ears, eyebrows), photographs and other data.