Time to Get Serious about Privacy Policies: The Special Case of Genetic Privacy
| Date | 01 March 2014 |
| Author | Johnathon Liddicoat,Dianne Nicol,Meredith Hagger,Nola Ries |
| DOI | 10.22145/flr.42.1.7 |
| Published date | 01 March 2014 |
| Subject Matter | Article |
TIME TO GET SERIOUS ABOUT PRIVACY POLICIES: THE
SPECIAL CASE OF GENETIC PRIVACY
Dianne Nicol,* Meredith Hagger,** Nola Ries*** and Johnathon Liddicoat****
ABSTRACT
Genetic information is widely recognised as being particularly sensitive personal
information about an individua l and his or her family. This article presents an analysis
of the privacy policies of Australian companies that were offering direct-to-consumer
genetic testing services in 2012–13. The re sults of this analysis indicate that many of
these companies do not comply with the Privacy Act 1988 (Cth), and will need to
significantly reassess their privacy policies now that sign ificant new amendments to
the Act have come into force. Whilst the Privacy Commissioner has increased powers
under the new amendments, the extent to which these will mitigate the deficiencies of
the current regime in relation to privacy practice s of direct–to-consumer genetic testing
companies remains unclear. Accordingly, it may be argued that a privacy code f or the
direct-to-consumer genetic testing industry would provide clearer standards.
Alternatively it may be time to rethink whether a sui generis approach to protecting
genetic information is warranted.
INTRODUCTION
New technological developments are enhancing the capacity of businesses and
governments to collect personal infor mation about individuals. Prior to March 2014,
the Privacy Act 1988 (Cth) required private sector organisation s to comply with a set of
ten National Privacy Principles ('NPPs'), designed to ensure that the priva te sector had
adequate mechanisms in place to protect private information. Organisations were also
required to have privacy policies setting out how they managed personal information,
and industry sectors were encouraged to develop their own industry-specific privacy
_____________________________________________________________________________________
* Corresponding Author, PhD (Biology), LLM; Professor, Centre for Law and Genetics, Law
Faculty, University of Tasmania, Private Bag 89, Hobart, Tas 7001;
Dianne.Nicol@utas.edu.au.
** BA, LLB (Hons); Research Assistant, Centre for Law and Genetics, Law Faculty, University
of Tasmania.
*** MPA, LLM; Senior Lecturer, Faculty of Business and Law, University of Newcastle;
External Research Fellow, Health Law Institute, Faculty of Law, University of Alberta,
Canada.
**** BSc (Hons), LLB (Hons); Research Fellow, Centre for Law and Genetics, Law Faculty,
University of Tasmania. This project was funded by an Australian Research Council
discovery grant DP11010069. We thank Professors Don Chalmers and Margaret Otlowski
for their comments on an early draft of this paper and thank an anonymous reviewer for
detailed feedback.
2 Federal Law Review Volume 42
____________________________________________________________________________________
codes. Amendments to the Privacy Act came into force in M arch 2014 with the
commencement of the P rivacy Amendment (Enhancing Privacy Protection) Act 2 012 (Cth).
The NPPs have now been replaced by a new set of principles known as the Australian
Privacy Principles ('APPs'),
1
changes have also been made to the provisions relating to
privacy codes (now referred to as APP codes) and there are more stringent
requirements for privacy policies.
This article analyses the adequacy of this co-regulatory approach in the context of
genetic priva cy. Parliamentary and law reform inquiries have concluded that genetic
privacy should be protected through general privacy laws rather than sui generis
legislation,
2
whilst acknowledging that genetic information is particularly sensitive
and warrants special protection.
3
For instance, in Essentially Yours, the final report of an
inquiry into the protection of human genetic information, the Australian La w Reform
Commission ('ALRC') and Australian Health Ethics Committee ('AHEC')
recommended that the protection of genetic information should be accommodated
within existing regulatory frameworks.
4
However, it was recognised that some
amendments were needed to ensure that genetic privacy is adequately protected.
5
A number of changes were made to the Privacy Act as a result of the
recommendations in Essentially Yours. The most significant of these, in the co ntext of
genetic privacy, was an a mendment clarifying that genetic information constitutes a
form of 'health information'. Genetic information is now defined a s 'genetic
information about an individual in a form that is, or could be, predictive of the health
of the individual or a genetic relative of the individual' amongst other things.
6
Health
information, in turn, is a form of 'sensitive information' for the purposes of the Act, as
is genetic information about an individual t hat is not otherwise health information.
7
Sensitive information is given enhanced protection under the Act.
Since the release of Essentially Yours in 2003, advancements in genetic technology
have continued apace. Genetic tests, once the exclusive pro vince of the medical
practitioner in diagnosing a small number of conditions, have become routinely
available and can be ordered online by asympto matic individuals from companies
_____________________________________________________________________________________
1
Privacy Act 1988 (Cth) ('Privacy Act') sch 1, as amended by the Privacy Amendment
(Enhancing Privacy Protection) Act 2012 (Cth) ('Enhancing Privacy Protection Act') sch 1 cl 104.
2
It is interesting to note tha t the opposite approach has been taken in the United States in
respect of discrimination: see Genetic Information Nondiscrimination Act of 2008, Pub L No
110–233, 122 Stat 881 (2 008). See also Amy McGuire and Mary Anderlik Majumder, 'Two
Cheers for GINA?' (2009) 1(6) Genome Medicine 61; Jessica L Roberts, 'Preempting
Discrimination: Lessons from the Genetic Information Nondiscrimination Act ' (2010) 63
Vanderbilt Law Review 439; Mark Rothstein, 'GINA, the ADA, and Genetic Discrimination in
Employment' (2008) 36 Journal of Law, Medicine & Ethics 837.
3
See particularly Senate Legal and Constitutional Le gislation Committee, Provisions of the
Genetic Privacy and Non-Discrimination Bi ll 1998 (as introduced in the 38th Parliament) (1999);
Australian Law Reform Commission and Australian Health Ethics Committee, Essentially
Yours: The Protection of Human Genetic Information in Australia, Report No 96 (2003)
('Essentially Yours') vol 1, ch 3 [7.63]–[7.65].
4
Essentially Yours, above n 3, vol 1, ch 7.
5
Ibid vol 1, recommendations 7–1 to 7–7.
6
Privacy Act s 6.
7
Ibid.
2014 Time to Get Serious about Privacy Policies 3
____________________________________________________________________________________
located around the wor ld, without any direct involvement from the health care
profession. The rise of these direct-to-consumer genetic testing companies ('DTC
companies') has been accompanied by a significant body of literature voicing concerns
about the potential weaknesses in the regulatory framework for the industry.
Commentators are currently mulli ng over the consequences of a recent unexpected
turn of eve nts. On 22 November 2013, the US Food and Drug Administration ('FDA')
issued a warning letter to 23andme, the leading provider of DTC testing services in
that co untry, accusing the company of 'marketing the 23a ndMe Saliva Collection Kit
and Personal Genome Service ( 'PGS') without marketing clearance or approval in
violation of the Federal Food, Drug and Cosmetic Act ('FD&C Act')'
8
In response,
23andme ceased to offer health-related genetic reports and currently only offers
ancestry-related reports and raw genetic data,
9
taking its services outside the
regulatory framework for medical devices under the FD&C Act. Irrespective of the
types of genetic testing services offered by companies like 23andme, it remains the case
that one of the most prominent regulatory concerns is whether the current laws
adequately protect the privacy of genetic information.
10
There were no Australian companies offering DTC genetic tes ts in 2003.
11
Since
then, at least sixteen DTC companies have established offices in Australia and offer
genetic testing directly to the Australian public. In this article, t he authors consider the
adequacy of the privacy policies of these DTC co mpanies, and their compliance wit h
the Privacy Act, with particular focus on amendments t o the Act following
commencement of the Enhancing Privacy Protection Act.
_____________________________________________________________________________________
8
Letter from United States Food and Drug Administration to Ann Woj cicki, CEO 23andMe
Inc, 22 November 2013
<http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2013/ucm376296.ht
m>. This action on the part of the FDA attracted a great deal of popular media
commentary. See, eg, Larry Downes and Paul Nunes, Regulating 23andMe Won’t Stop the
New Age of Genetic Testing (1 January 2014) Wired
<http://www.wired.com/opinion/2014/01/the-fda-may-win-the-battle-this-holiday-
season-but-23andme-will-win-the-war>; Rahul Rekhi, 'A Government Ban on 23andMe’s
Genetic Testing Ignores Reality', The Guardian (online), 5 December 2013
<http://www.theguardian.com/commentisfree/2013/dec/04/23andme-consumer-
genomics-fda-ban-regulation>; Frida Polli, 'Why 23andme Deserves A Second Chance',
Forbes (online), 14 January 2014 <http://www.forbes.com/sites/fridapolli/
2014/01/14/why-23andme-deserves-a-second-chance/>; Ruth Macklin, 'The FDA and
23andMe: Regulating Direct-to-Consumer Genetic Tests', The Huffington Post (online), 17
December 2013 <http://www.huffingtonpost.com/ruth-
macklin/23andme_b_4447497.html>.
9
This limitation on the services offered by 23andme is readily appa rent from a visit to the
home page of the company’s website: <https://www.23andme.com/>.
10
See, eg, Cheryl Berg and Kelly Fr yer-Edwards, 'The Ethical Challenges of Direct-To-
Consumer Genetic Testing' (2008) 77 Journal of Business Ethics 17; Stuart Hogarth, Gail Javitt
and David Melzer, 'The Current Landscape for Direct-To-Consumer Genetic Testing: Legal,
Ethical, and Policy Issues' (2008) 9 Annual Review of Genomics and Human Genetics 161; Tim
Caulfield et al 'Direct-To-Consumer Genetic Testing: Good, Bad or Benign? (2009) 77(2)
Clinical Genetics 101; David Magnus, Mildred K Cho and Robert Cook-Deegan, 'Direct-To-
Consumer Genetic Tests: Beyond Medical Regulation?' (2009) 1 Genome Medicine 17.
11
Essentially Yours, above n 3, vol 1, 347.
To continue reading
Request your trial