Ritratti: i grandi innovatori del passato

The | Edge omaggia le storie di grandiosi personaggi storici, uomini e donne del passato, pionieri e pioniere dell’innovazione, che attraverso la diffusione del loro sapere e delle loro scoperte in ambito scientifico e tecnologico, hanno contribuito a rivoluzionare l’umanità.

Genetic data: the risks and regulatory innovations to protect us

Introduction

Our DNA is the biological unit that determines the fundamental information defining our appearance, origins, and the diseases we may be susceptible to, among many other aspects of our individuality. Given the wealth of information and potential uses associated with data derived from our genetic heritage, genetic data is of extreme interest to research centers and companies. The same can be said of malefactors and hackers that are always ready to take possession of these data to sell them to the highest bidder.  The first way to avoid falling victim to criminal actions aimed at our genetic data is to understand what these data are, their importance, and the means at our disposal to try to prevent and protect ourselves.  The purpose of this article is to provide a brief insight into the landscape of genetic data, investigating the risks associated with their improper use and some of the criminal episodes that have recently involved private companies collecting DNA tests. By delving into the laws and tools available today, we will try to understand what entities might be able to provide us with adequate support to protect our genetic data in the future. 

DNA, Genetic Data, and the Risk of Hacker Attacks

Our genetic make-up consists of more than 3 billion pairs of nitrogenous bases, more than 99% of which are the same in every human being. How these bases combine in sequence is what provides the information for the creation and maintenance of our organism. We are still unaware of the role that many genes play within our organism, as well as how each of these relates to the others. While it is true that in the medical field the potential in this regard is unprecedented, it is also necessary to consider that an improper use of genetic data could lead to abuses that we are still unable to imagine. Given the relevance and quantity of information that can be extracted and interpreted from DNA, interest in data relating to our genetic heritage has been growing steadily since the early 2000s, and its application potential is growing by the day. Just as it helps security agencies identify criminals, it also enables research centers or pharmaceutical companies to develop personalized and optimized drugs for all kinds of diseases. Recent events have in fact highlighted how genetic data held not only by companies, but also by universities or research institutes, represent a gold mine for hackers and criminals who, once they have obtained the data of individuals, sell it at a high price to anyone wishing to buy it. In the autumn of 2023, the company 23andMe, one of the biggest names in the field of at-home DNA testing, fell victim to a hack involving the personal data of 6.9 million of their customers. In a post published by the hacker, known as Golem, he announced that the data would be offered for sale in the form of packages with various price ranges: $1,000 for data packages of up to 100 people, $100,000 for data packages of 100,000 people1. This is just the latest case of DNA testing companies falling victim to what is called in the jargon, a ‘data breach’ i.e. “a security breach that results – accidentally or unlawfully – in the destruction, loss, modification, unauthorised disclosure of or access to personal data2. In 2018, My Heritage, another company of at-home DNA testing, was the victim of a loss of email data and passwords of more than 92 million users. Despite the fact that the set of risks related to the misuse of genetic data and the set of measures needed to ensure their security are still unclear, privacy protection legislation, and in particular that adopted in the European Union, have begun to prepare a set of fundamental rules to protect all personal data, including genetic data. 

Law and protection of genetic data

The GDPR, or General Data Protection Regulation3, is the legislation adopted by the European Union to protect the right to the protection of individuals’ personal data and thus guarantee its free movement. If in fact genetic data are the target of hacker attacks, at the same time their circulation and sharing is fundamental to the development of scientific and medical research aimed at new discoveries and new solutions to improve people’s lives.  According to the legislation, genetic data are “personal data relating to the hereditary or acquired genetic characteristics of a natural person that provide unambiguous information about that person’s physiology or health4. In order to be able to make use of genetic data, a special set of rules must be complied with and, given the particular sensitivity of this data, the security measures required of companies and research centres entail very significant burdens. In order to be able to make use of our genetic data, whether for commercial or research purposes, it is good to know that it is first of all essential to have our consent. This is in fact the indispensable basis for carrying out analyses or other activities on our genetic heritage. Moreover, even once consent has been obtained, the organisations that make use of our data will always be obliged to grant us a series of indispensable rights defined by law. According to the GDPR, in fact, everyone will always be able to exercise over this data:  

  • The right to ask which of his or her personal data are being processed and the criterion behind such processing; 
  • The right to the deletion of this data;
  • The right to modify the data if they are inaccurate or out of date;
  • The right to object to the processing of one’s own data for specific purposes;
  • The right to withdraw consent;
  • The right to portability, better known as the right to receive one’s own data in electronic form, also for the purpose of transferring it to others.

Even with all the precautions we can put in place, there is still a risk that those with whom we have shared our data will suffer a breach and end up victims of hacker attacks, as happened in the case of 23andMe. In such cases, it is always the European Union legislation that comes to our rescue. According to the GDPR, in fact, anyone who has suffered material or immaterial damage as a result of a breach of data protection rules, such as in the case of a data breach, will always be able to exercise his or her right to compensation, either by turning to the company that was the victim of the breach or to a national court. This set of rights represents a great step forward for the protection of our personal data, yet to date there are still major stumbling blocks to the effective possibility of exercising them. It is for this reason that the European Union has established with the Data Governance Act5 the data intermediaries, a new kind of entities that interpose themselves between us, our data and potential users to facilitate their sharing. Although still being defined and clarified, these new organizations could allow us to share our genetic data in an informed and responsible manner with those we deem trustworthy. At the same time data intermediaries are able to help us exercise our rights and possibly file claims should our data be attacked by criminal organizations. 

Conclusions

Genetic data are likely to form the basis of some of the greatest breakthroughs in personalized medicine and beyond. While their value might have seemed almost insignificant to us until yesterday, the growing interest of companies, research institutions and, above all, cyber-criminal organizations has led to the emergence of a series of public and private activities aimed at increasing their protection by the organizations and the level of awareness among people about the importance of sharing them responsibly and consciously. The GDPR has laid the foundations for a first regulatory substrate that provides us with the means to protect our genetic data, while obliging companies to adopt a series of measures to maximise the level of security against internal attacks and internal misuse. The introduction of new protection tools and new categories of subjects, such as data intermediaries in the Data Governance Act, now seems to be the fundamental step to allow scientific research to operate with the freedom it needs to  develop new solutions capable of improving our lives as well as our health. 


  1. J. Kleeman; DNA testing: What happens if your genetic data is hacked?; 12 February 2024; BBC Future; https://www.bbc.com/future/article/20240212-dna-testing-what-happens-if-your-genetic-data-is-hacked  ↩︎
  2. Garante per la Protezione dei Dati Personali; Data Breach – Violazioni di Dati; https://www.garanteprivacy.it/data-breach ↩︎
  3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ↩︎
  4.  Art. 4, c. 1, n. 1, Regolamento (UE) 2016/679 ↩︎
  5. Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) ↩︎
Condividi Articolo