In the second of three guest posts, lawyers Daniel Vorhaus and Lawrence Moore of the superb blog Genomics Law Report discuss the implications for personal genomics customers if their provider goes bankrupt. In part one of the series (posted yesterday), Vorhaus and Moore dissected the implications of the privacy policies of two personal genomics companies, TruGenetics and 23andMe.
Part II:
Privacy Policies Through the Looking Glass of Bankruptcy Law
In part one, we discussed the
importance of Privacy Policies and other legal agreements in determining
how DTC genomics companies will treat their customers' information,
including in the case of a bankruptcy sale. Unfortunately, but
not surprisingly, we failed to find much in the way of concrete answers.
In this part, we investigate how a bankruptcy court would be likely
to evaluate the proposed sale of a company's genomic database, including
in what scenarios it might be willing to set aside the company's own
agreed-upon Privacy Policies.
1. Section 363 and the Stalking Horse. Section 363 of the Bankruptcy Code authorizes the sale (typically in an auction) of the assets of a business in bankruptcy. Quick auctions under Section 363 are becoming increasingly common because they allow for the transfer of desirable assets free and clear of liens and other liabilities (while leaving undesirable assets out of the deal), and unlike traditional Chapter 11 reorganizations, do not require the longer and more expensive confirmation process designed to fully protect the rights of creditors. During the current economic crisis, Section 363 was used in the sale of Lehman Brothers to Barclays Capital, in the sale of Chrysler's valuable assets to Fiat and of General Motors to a new company backed by the U.S. Treasury. Section 363 auctions can also be lightning fast--Lehman Brothers' assets, which were valued at billions of dollars, were sold less than a week after its Chapter 11 filing--although 2 to 3 months is more common.
In a Section 363 transaction, the bankrupt company agrees in principle to sell its assets to a stalking horse buyer, and then, following bankruptcy court approval of the sale procedures, solicits bids in an attempt to obtain a more favorable purchase price. The stalking horse company is often not outbid and winds up acquiring the most valuable assets. As the G.M. example demonstrates, there is no requirement that the stalking horse be a private company. Just as The Wellcome Trust has been mentioned as a potential acquirer of some of deCODE Genetics' genomic database, a Federal agency such as the FDA or NIH could conceivably organize a bid for genomic assets it deemed important, assuming that it could muster the political and financial capital to proceed at the breakneck pace that can be required of Section 363 bankruptcy proceedings.
In response to a 2005 bankruptcy
case (In re Toysmart.com LLC) in which a bankrupt toy company
attempted to sell private customer data to its creditors in clear contravention
of its own privacy policy, a new procedure was added to Section 363.
The procedure requires the appointment of a Consumer Privacy Ombudsman
(CPO) prior to the sale or lease of personally identifiable information
from a bankrupt company when the proposed sale would be inconsistent
with a company's present and disclosed policy prohibiting the transfer
of personally identifiable information about individuals to persons
that are not affiliated with the company.
2. How To Know If You'll Need a CPO. By law, the CPO procedure only applies when the
proposed sale would be inconsistent with a company's present and disclosed
policy prohibiting the transfer of personally identifiable information
about individuals to persons that are not affiliated with the company.
However, bankruptcy courts have also appointed a CPO to advise them
on the transfer of the information when the bankrupt company's policy
(like TruGenetics') does not discuss whether the data
may be sold to another company.1 Thus, if a DTC genomics
company employs a policy that permits the transfer of information and
other assets to third parties, the CPO procedure will not apply.
If the company's policies
prohibit such a transfer or, as in the case of most DTC genomics companies,
if they are unclear, the CPO procedure may be available to assist the
bankruptcy court in evaluating the appropriateness of the proposed sale
of personally identifiable information. But is genomic information
personally identifiable information?
In order to qualify as personally
identifiable information
or PII, the information in question must satisfy two criteria.
First, it must be provided by an individual to the debtor in connection
with obtaining a product or a service from the debtor primarily for
personal, family, or household purposes. Data submitted to
a private genomics company for personal use (whether clinical or otherwise)
would therefore qualify; data submitted for research purposes (which
would arguably apply to the TruGenetics model, and possibly to certain services
offered by 23andMe)
would not satisfy this criterion.
Moreover, PII must contain,
as at least part of the overall information content, one of the following
specific pieces of information:
- Name
- Street Address
- Email Address
- Telephone Number; or
- Credit card number
As for something as seemingly
personal as, say, a whole genome sequence, or perhaps just a record
of 500,000 SNPs? That information, along with any other information
concerning an identified individual that, if disclosed, will result
in contacting or identifying such individual physically or electronically,
constitutes PII if and only if
it is identified with 1 or more of the items of information in
the list above. Thus, while genomic information coupled directly
with a name or other specified individual information would qualify
as PII, de-identified genomic information, regardless of the practical
possibility of later re-identification, would not qualify as PII and
would not invoke the protections of the CPO procedure. It is unclear
whether or not genomic information that was de-identified but capable
of being re-identified through, for instance, coded identifiers, would
be treated as PII.
Assuming that the presence
of PII could be established, recall that the CPO procedure is only available
when the proposed transfer would violate the company's applicable
privacy policy. In the case of 23andMe, for example, its privacy policy
permits transfers to an acquirer but requires that the acquiring entity
agree to the material terms of its existing privacy policy.
If the agreement with the stalking horse did not mandate agreement to
all the terms of the privacy policy--for example, if it declined
to agree that the data could be deleted upon request in order to avoid
the possibility that a significant number of spooked former customers
of 23andMe would demand that their information be removed from the database--the
court would then have to determine whether such a provision was material
in order to determine whether the proposed transfer violated the privacy
policy, a process in which it would be likely to seek input from a CPO
(although it could order changes in the asset purchase agreement on
its own). Thus, as a practical matter, the CPO procedure is likely
to be available in order to evaluate ambiguous DTC genomics privacy
policies.
3. What Does the C in CPO Stand For, Again? Even if a CPO
is appointed, it is the bankruptcy court that must ultimately evaluate
and approve the proposed sale of assets. The role of the CPO,
if appointed, is to provide information to the court, including with
respect to the following:
- the debtor's privacy policy;
- the potential losses or gains of privacy to consumers if such sale or such lease is approved by the court;
- the potential costs or benefits to consumers if such sale or such lease is approved by the court; and
- the potential alternatives that would mitigate potential privacy losses or potential costs to consumers.
Keep in mind that the bankruptcy
statute does not require the CPO to represent the interests of the consumers.
In fact, the Consumer Privacy Ombudsman appears more in the role
of an expert commentator than a consumer advocate.2
Also, recall the speed at which auctions under Section 363 are conducted.
Given the logistics and time entailed in first determining whether a
CPO is warranted and, if so, locating and appointing a CPO, the CPO
in most instances can be expected to have only a day or two to obtain
the information he or she needs and digest it.3
With privacy issues as complex as those that would be presented in a
DTC genomics company's bankruptcy, and in the absence of any guarantee
the CPO will be someone familiar with the issues, there is scant hope
of a sophisticated analysis.
A review of the cases in which
a CPO has been appointed and filed a report reveals a clear pattern:
the CPO supports the sale provided certain conditions were met, such
as requiring that (1) the sales be made to qualified purchasers (those
in the same business or that would operate the same business as the
debtor), (2) the purchaser would serve as a successor-in-interest to
the debtor's ... privacy policies and (3) customers be provided an
opportunity to opt-in or opt-out of the proposed transfer.4
It appears to be highly unlikely that a CPO would recommend a transfer
in which the buyer would not agree, going forward, to abide by the same
privacy policy that governed the data prior to the transaction.
So bankruptcy law clearly sees
the possibility that genomic data could be sold in violation of its
privacy policy--since that is the situation that would trigger review
by a CPO. But as we just noted, the actual cases in which CPOs
have conducted such review indicate that, while a bankruptcy court
may override a provision in a privacy policy that prohibits the transfer
of data to a third party, the CPOs and courts do seem to be unwilling
to override other provisions, but rather wish to make sure that the
policy is otherwise enforced by the acquirer, and not used for any markedly
different purpose than before.
4. The FTC and Other Considerations.
Of course, even if the CPO were to recommend a transaction in which
the data would no longer be subject to the same kind of restrictions
present in the privacy policy when the data was gathered, the CPO's
report is not binding on the court. Furthermore, in such a case--or
in a case in which a CPO was not appointed because the information transferred
did not qualify as PII--the FTC and state attorneys general could well
decide to intervene. As the FTC
website states:
A key part of the
Commission's privacy program is making sure companies keep the promises
they make to consumers about privacy, including the precautions they
take to secure consumers' personal information. ... Using its
authority under Section 5 of the FTC Act, which prohibits unfair or
deceptive practices, the Commission has brought a number of cases to
enforce the promises in privacy statements, including promises about
the security of consumers' personal information.
However, because of the speed
at which the typical Section 363 auction takes place, combined with
the limited resources of the FTC, it cannot be assumed that the agency
(or one or more state attorneys general) will get involved in every
case in which private data will be transferred without appropriate authorization
in a privacy policy. The field of DTC genomics is sufficiently
prominent, however, that it seems unlikely that the FTC would fail to
receive notice and, if necessary, review any proposed transfer that
raised significant consumer privacy concerns.
So what does this all mean for the average DTC genomics customer? Tune in tomorrow when we attempt to put all the pieces together.
"bankruptcy law clearly sees the possibility that genomic data could be sold in violation of its privacy policy"
Assuming you actually have a good privacy policy. So in the end the answer is, have your genome sequenced, expose yourself to uncontrolled disclosure.
Sounds like the best place to keep this data safe is with an at home sequencer or with the legal protections of your medical records........
Thoughts?
-Steve
I can't wait for part 3 of this wonderful series. I have a few points to offer in the meantime.
First, 23andMe has been trying to get California and maybe other states to change state laws so that the company will not be subject to the same rules that apply to other labs. It's complicated legislation, hard to understand, and has changed. But it appears that the company wants special treatment. It's hard to say what the implications are since it's all in flux.
Second, the problem of bankruptcy by information companies can have more than one level. I did a report on Cloud Computing and Privacy for the World Privacy Forum. http://www.worldprivacyforum.org/cloudprivacy.html. It speculated about the bankruptcy of cloud computing service providers.
So what happens when the cloud computing company providing service to a personal genomics company goes belly up on its own or at the same time as the genomics company? Of course, I don't know if any of the genomics companies use cloud services. But the possibility adds another layer of potential uncertainty and another source of claimants to the mix. Some cloud computing companies acquire rights to data stored with them. Cloud computing companies, like genomics companies, could be located anywhere in the world.
We can bring more players into this speculative mix. Your PHR vendor joins with a personal genomics company to provide services using a cloud provider. Now we can speculate about three potential bankruptcies with different interests, policies, and rights everywhere you look.
Bob