Genetic Future

Today's post is an in-depth analysis of the complex legal issues surrounding the treatment of genetic information gathered by a now-bankrupt personal genomics company. For those who get a little lost in the legal details, never fear! Tomorrow, in the final post in the series, Vorhaus and Moore will spell out exactly what these details mean for personal genomics customers.

---

Part II: Privacy Policies Through the Looking Glass of Bankruptcy Law

In part one, we discussed the importance of Privacy Policies and other legal agreements in determining how DTC genomics companies will treat their customers' information, including in the case of a bankruptcy sale. Unfortunately, but not surprisingly, we failed to find much in the way of concrete answers. In this part, we investigate how a bankruptcy court would be likely to evaluate the proposed sale of a company's genomic database, including in what scenarios it might be willing to set aside the company's own agreed upon Privacy Policies.

1. Section 363 and the Stalking Horse. Section 363 of the Bankruptcy Code authorizes the sale (typically in an auction) of the assets of a business in bankruptcy. Quick auctions under Section 363 are becoming increasingly common because they allow for the transfer of desirable assets free and clear of liens and other liabilities (while leaving undesirable assets out of the deal), and unlike traditional Chapter 11 reorganizations, do not require the longer and more expensive confirmation process designed to fully protect the rights of creditors. During the current economic crisis, Section 363 was used in the sale of Lehman Brothers to Barclays Capital, in the sale of Chrysler's valuable assets to Fiat and of General Motors to a new company backed by the U.S. Treasury. Section 363 auctions can also be lightning fast--Lehman Brothers' assets, which were valued at billions of dollars, were sold less than a week after its Chapter 11 filing--although 2 to 3 months is more common.

In a Section 363 transaction, the bankrupt company agrees in principle to sell its assets to a stalking horse buyer, and then, following bankruptcy court approval of the sale procedures, solicits bids in an attempt to solicit a more favorable purchase price. The stalking horse company is often not outbid and winds up acquiring the most valuable assets. As the G.M. example demonstrates, there is no requirement that the stalking horse be a private company. Just as The Wellcome Trust has been mentioned as a potential acquirer of some of deCODE Genetics' genomic database, a Federal agency such as the FDA or NIH could conceivably organize a bid for genomic assets it deemed important, assuming that it could muster the political and financial capital to proceed at the breakneck pace that can be required of Section 363 bankruptcy proceedings.

In response to a 2005 bankruptcy case (In re Toysmart.com LLC) in which a bankrupt toy company attempted to sell private customer data to its creditors in clear contravention of its own privacy policy, a new procedure was added to Section 363. The procedure requires the appointment of a Consumer Privacy Ombudsman (CPO) prior to the sale or lease of personally identifiable information from a bankrupt company when the proposed sale would be inconsistent with a company's present and disclosed policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the company.

2. How To Know If You'll Need a CPO. By law, the CPO procedure only applies when the proposed sale would be inconsistent with a company's present and disclosed policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the company. However, bankruptcy courts have also appointed a CPO to advise them on the transfer of the information when the bankrupt company's policy (like TruGenetics') does not discuss whether the data may be sold to another company.¹ Thus, if a DTC genomics company employs a policy that permits the transfer of information and other assets to third parties, the CPO procedure will not apply.

If the company's policies prohibit such a transfer or, as in the case of most DTC genomics companies, if they are unclear, the CPO procedure may be available to assist the bankruptcy court in evaluating the appropriateness of the proposed sale of personally identifiable information. But is genomic information personally identifiable information?

In order to qualify as personally identifiable information or PII, the information in question must satisfy two criteria. First, it must be provided by an individual to the debtor in connection with obtaining a product or a service from the debtor primarily for personal, family, or household purposes. Data submitted to a private genomics company for personal use (whether clinical or otherwise) would therefore qualify; data submitted for research purposes (which would arguably apply to the TruGenetics model, and possibly to certain services offered by 23andMe) would not satisfy this criteria.

Moreover, PII must contain, as at least part of the overall information content, one of the following specific pieces of information:

• Name
• Street Address
• Email Address
• Telephone Number; or
• Credit card number

As for something as seemingly personal as, say, a whole genome sequence, or perhaps just a record of 500,000 SNPs? That information, along with any other information concerning an identified individual that, if disclosed, will result in contacting or identifying such individual physically or electronically, constitutes PII if and only if it is identified with 1 or more of the items of information in the list above. Thus, while genomic information coupled directly with a name or other specified individual information would qualify as PII, de-identified genomic information, regardless of the practical possibility of later re-identification, would not qualify as PII and would not invoke the protections of the CPO procedure. It is unclear whether or not genomic information that was de-identified but capable of being re-identified through, for instance, coded identifiers, would be treated as PII.

Assuming that the presence of PII could be established, recall that the CPO procedure is only available when the proposed transfer would violate the company's applicable privacy policy. In the case of 23andMe, for example, its privacy policy permits transfers to an acquirer but requires that the acquiring entity agree to the material terms of its existing privacy policy. If the agreement with the stalking horse did not mandate agreement to all the terms of the privacy policy--for example, if it declined to agree that the data could be deleted upon request in order to avoid the possibility that a significant number of spooked former customers of 23andMe would demand that their information be removed from the database--the court would then have to determine whether such a provision was material in order to determine whether the proposed transfer violated the privacy policy, a process in which it would be likely to seek input from a CPO (although it could order changes in the asset purchase agreement on its own). Thus, as a practical matter, the CPO procedure is likely to be available in order to evaluating ambiguous DTC genomics privacy policies.

3. What Does the C in CPO Stand For, Again? Even if a CPO is appointed, it is the bankruptcy court that must ultimately evaluate and approve the proposed sale of assets. The role of the CPO, if appointed, is to provide information to the court, including with respect to the following:

• the debtor's privacy policy;
• the potential losses or gains of privacy to consumers if such sale or such lease is approved by the court;
• the potential costs or benefits to consumers if such sale or such lease is approved by the court; and
• the potential alternatives that would mitigate potential privacy losses or potential costs to consumers.

Keep in mind that the bankruptcy statute does not require the CPO to represent the interests of the consumers. In fact, the Consumer Privacy Ombudsman appears more in the role of an expert commentator than a consumer advocate.² Also, recall the speed at which auctions under Section 363 are conducted. Given the logistics and time entailed in first determining whether a CPO is warranted and, if so, locating and appointing a CPO, the CPO in most instances can be expected to have only a day or two to obtain the information he or she needs and digest it.³ With privacy issues as complex as those that would be presented in a DTC genomics company's bankruptcy, and in the absence of any guarantee the CPO will be someone familiar with the issues, there is scant hope of a sophisticated analysis.

A review of the cases in which a CPO has been appointed and filed a report reveals a clear pattern: the CPO supports the sale provided certain conditions were met, such as requiring that (1) the sales be made to qualified purchasers (those in the same business or that would operate the same business as the debtor), (2) the purchaser would serve as a successor-in-interest to the debtor's ... privacy policies and (3) customers be provided an opportunity to opt-in or opt-out of the proposed transfer.⁴ It appears to be highly unlikely that a CPO would recommend a transfer in which the buyer would not agree, going forward, to abide by the same privacy policy that governed the data prior to the transaction.

So bankruptcy law clearly sees the possibility that genomic data could be sold in violation of its privacy policy--since that is the situation that would trigger review by a CPO. But as we just noted, the actual cases in which CPO's have conducted such review indicates that, while a bankruptcy court may override a provision in a privacy policy that prohibits the transfer of data to a third party, the CPOs and courts do seem to be unwilling to override other provisions, but rather wish to make sure that the policy is otherwise enforced by the acquirer, and not used for any markedly different purpose than before.

4. The FTC and Other Considerations. Of course, even if the CPO were to recommend a transaction in which the data would no longer be subject to the same kind of restrictions present in the privacy policy when the data was gathered, the CPO's report is not binding on the court. Furthermore, in such a case--or in a case in which a CPO was not appointed because the information transferred did not qualify as PII--the FTC and state attorneys general could well decide to intervene. As the FTC website states:

A key part of the Commission's privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers' personal information. ... Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information.

However, because of the speed at which the typical Section 363 auction takes place, combined with the limited resources of the FTC, it cannot be assumed that the agency (or one or more state attorneys general) will get involved in every case in which private data will be transferred without appropriate authorization in a privacy policy. The field of DTC genomics is sufficiently prominent, however, that it seems unlikely that the FTC would fail to receive notice and, if necessary, review any proposed transfer that raised significant consumer privacy concerns.

So what does this all mean for the average DTC genomics customer? Tune in tomorrow when we attempt to put all the pieces together.  Subscribe to Genetic Future.

 Follow Daniel on Twitter.