Guest post: what happens when a personal genomics company goes bankrupt (part 3)

In this final post of their three-part series, lawyers Daniel Vorhaus and Lawrence Moore of the superb blog Genomics Law Report analyse the legal repercussions of a personal genomics company going bankrupt. In part one of the series Vorhaus and Moore analysed the privacy policies of two representative personal genomics companies, while part two was a detailed examination of the complex legal issues surrounding the treatment of customer genetic data in the event of company bankruptcy.


In this final installment, Vorhaus and Moore bring it all together to explain the implications for personal genomics consumers.

Part III: What Does It All
Mean?

In part one, we discussed the importance of Privacy Policies and other legal agreements in determining how DTC genomics companies will treat their customers' information, including in the case of a bankruptcy sale. Unfortunately, but not surprisingly, we failed to find much in the way of concrete answers. In part two, we dug into the law to investigate how a bankruptcy court would be likely to evaluate the proposed sale of a company's genomic database, including in what scenarios it might be willing to set aside the company's own agreed upon Privacy Policies. In this final part, the threads come together as we ask--and attempt to answer--the only question that really matters for most readers: what does it all mean for the average DTC genomics customer?

If you're concerned that your DTC genomics provider of choice might be a candidate for bankruptcy the very first thing to do, of course,
is to consider whether the privacy of your genomic data is even important
to you. If you're applying for (or already enrolled in) the Personal Genome
Project
, for example,
chances are that you wouldn't much care if 23andMe went bankrupt and
decided to sell your information to a competitor, to a pharmaceutical
company or to anybody else.

But for the many customers
who, at least at present, consider the privacy and security of their
genomic data to be an important factor in choosing whether to purchase
the services offered by DTC genomic companies, there is simply no substitute
for reading to the bottom of the page. When you purchase a product
and utilize the corresponding services, including the website where
you view your genomic information, you are agreeing to the terms supplied
by that company.

As for what those terms say,
while it varies on a case-by-case basis and the terms are always subject
to change (and they do, in fact, change, often in response to developments
in either the law, the company's business model or both), the prediction
here is that if your DTC genomic company of choice goes belly up there
is a good chance that its assets, including its database of genomic
information, will be up for sale.

The good news is that, in all
likelihood, the sale would be restricted to another company that would
use the data for substantially the same purposes as the original company
and generally agree to abide by the same privacy protections as the
now-bankrupt company. Again, those provisions vary by company
but generally provide individuals with an ability to terminate their
involvement with the company and withdraw their information (to the
extent that it has not already been made available to third parties
for allowable research or other purposes) from the company's database.

Finally, as with just about
every aspect of genomics law, the most complete and accurate answer
is that time will tell. When the first DTC genomics bankruptcy
inevitably arrives it will help answer more definitively a host of important
questions, including whether and how a government agency might take
an interest in commercially acquired genomic data, whether genomic data
will be considered personally identifiably information under bankruptcy
law and how debtors, creditors, consumers and regulators will react
to the sale of large-scale genomic databases.

rss-icon-16x16.jpg Subscribe to Genetic Future.

More like this

By what right does such a company even retain a copy of its customers' personal data, once it has completed and delivered the report?

Private - there are plenty of reasons to do this. For instance, personal genomics companies are constantly updating their risk predictions as new data becomes available from further research; if customer data were discarded as soon as the initial report was generated, that wouldn't be possible.

Daniel's exactly right - there are plenty of reasons to retain the data, including not only updating interpretive analyses but also building and commercializing a database of consumer genomic data. The latter is the model that TruGenetics proposed and that 23andMe appears to be pursuing, at least in some fashion. It's a legitimate model - provided that it is pursued with proper disclosure and in compliance with other legal restrictions - although whether it is commercially viable remains to be decided.

It's also worth noting that not all companies purport to retain the data indefinitely and, moreover, most appear to permit customers to specifically request that their data be deleted by the company.

23andMe, for instance, allows customers to delete their account information by notifying the company, although information supplied to ongoing or completed research will not be effected. The section on "Account Deletion" concludes with the following: "For purposes of clarity, any user-generated content you contribute will not be deleted and your genetic information associated only by barcode may be retained at the laboratory," a statement which is, admittedly, somewhat short of clarifying.

Similarly, in deCODEme's Service Agreement, the company indicates that it will keep customer data available for one year and, thereafter, charge an annual fee for continued storage, adding that "if you do not choose to pay for this long-term storage, deCODE will cancel your account and delete your data..." Unfortunately, deCODE's various agreements (Privacy Policy, Terms of Use, and Service Agreement) contain several provisions discussion both voluntary and involuntary data deletion and transfer, and it's not at all clear how those provisions interact or which one ultimately govern.

As with the provisions governing the transfer and sale of data, the provisions of many of the DTC genomics companies that govern user-initiated removal of data could stand to be clarified.

- Dan

The underlying assumption here seems to be that once I give a company some personal information for some specific purpose, rights to those data are assigned to the company, and uses of them are subject to the (changeable) policies of the company or its successors, which policies may or may not at any given time give me input on how the data are used or stored, which input may or may not be heeded. This assumption seems very widespread in many industries, and of course it is further enshrined in service agreements to which we all click "I Accept", but personal genomics is an industry which I suspect will find itself facing unusually vehement scrutiny after a few horror stories.

tl;dr: what -Steve said.

@5:

The underlying assumption here seems to be that once I give a company some personal information for some specific purpose, rights to those data are assigned to the company, and uses of them are subject to the (changeable) policies of the company or its successors, which policies may or may not at any given time give me input on how the data are used or stored, which input may or may not be heeded.

I don't think this would be legal under EU law - where processing of "sensitive" data requires explicit consent, with very few exceptions. To the EU's credit, they did not (unlike HIPAA) define personal or sensitive data to be a narrow and restrictive range of obvious identifiers, but include:

all information relating to a personâs physical or mental
health or condition, sexual life, racial or ethnic origin, religious or political beliefs, trade union membership, or (alleged) crimes.

- this from the Medical Research Council's Personal Information in Medical Research Ethics Guide.

But, I guess if you spit in a pot and send it to the US for processing, then all bets are off?