Civil Liberties Concerns
The Privacy Authority has found that such an “organized complex of data,” even if not connected on the World Wide Web to other police services nor interactive with other archives, “makes a databank,” and “its particular nature draws our attention to the adoption by the RIS of further measures and precautions for the protection of the profiles and samples stored by that special branch of Carabinieri.” A call for clear rules on how the database will be used has been voiced by Francesco Pizzetti.33
In July 2007 the authority sent the RIS a series of recommendations on data management to be adopted within six months, but to date this has not occurred. The initiative of the authority was probably triggered by an inspection revealing that there were no clear rules on who had access to the database for consultation. There is a need to adopt a series of controls to ensure the integrity of the data, the traceability of biological samples, privacy constraints, and measures granting access to the data banks (after identification). Also needed are guidelines on how long the biological samples and the genetic profiles derived from them should be kept in storage. As of the fall of 2009 there were no clear procedures for requesting the removal of DNA either for investigation or for research (patients are not always informed of the fact that samples of their tissues are stored for research well beyond the period covering their hospitalization). According to provisions of the legislation, the data are to be expunged in case a person is exonerated of any charges. Within the European Union, Italy has the longest criminal trials, and therefore, even with this provision, DNA samples and profiles might remain in the data bank longer than in many other countries.34
According to Francesco Pizzetti, “A law regulating such matters is absolutely necessary, but such a law may be considered unreliable without a national debate on the implications of a database of this kind and the concept of the forcible taking of a DNA sample.” He argued that the information we get from the media often exaggerates the public safety benefits provided by a national DNA data bank.35
The need for security has always been emphasized by politicians continuously looking for approval, and the media have influenced public opinion about the importance of and need for a DNA data bank. Giuseppe Novelli, professor of medical genetics at Rome, agrees, stating: “I wouldn’t be against it myself, provided my DNA was stored in a secure place with the maximum guarantee, not as happens today, when it may be stored in different places without a guarantee of security, and, above all, without my knowing where it is kept.”36
The international standards that have been established for the operation of DNA data banks, according to Amedeo Santosuosso, law professor at the University of Pavia, would not allow for “Italian-style” management of DNA data banks. As Andrea Monti, a legal expert in biocomputer science, has stated, “Even considering the amount of money involved in this project, I think that the risk of an Italian style [management] may still be possible. Rules are not enough; if the system gets positive results it will be thanks to the dedication of some rara avis who is at the helm in the public administration.”37
The international nongovernmental organization European Digital Rights (EDRI), founded in June 2002 to defend civil rights in the information society, outlined the lack of safeguards in the Italian forensic DNA databank legislation. According to the EDRI, there are no security measures against unauthorized access to the forensic DNA data; there is no properly established “chain of custody” in the handling of biological evidence; law-enforcement officers can access the national database without prior authorization from a prosecutor or judge; and no one is clearly identified to order the destruction of biological samples and forensic DNA profiles. The EDRI also faults the new law for excluding perpetrators of white-collar crimes from having their DNA profiled and placed on the national database.38
Italian criminal justice authorities initiated the use of forensic DNA profiling and established DNA databases well in advance of legislative authority and controls. With its legislated mandate to protect the privacy of genetic data, Italy’s Privacy Authority issued opinions on civil liberties protections regarding the collection and retention of DNA profiles by the police. The legal foundations for the creation of the Italian national DNA database, which grew out of the Prüm Convention, were established in civil law by the passage of Law No. 85 in June 2009. Many civil liberties issues remain contested, including the adequacy of existing safeguards to prevent unauthorized access to the database and to track the chain of custody of crime-scene biological evidence, the inclusion of DNA profiles from arrestees and juveniles in the database, and the placement of burden on exonerated or acquitted individuals to petition to have their DNA reports expunged.
Part III
Critical Perspectives: Balancing Personal Liberty, Social Equity, and Security
Chapter 14
Privacy and Genetic Surveillance
The privacy and dignity of our citizens is being whittled away by sometimes imperceptible steps. Taken individually, each step may be of little consequence. But when viewed as a whole, there begins to emerge a society quite unlike any we have seen—a society in which government may intrude into the secret regions of man’s life at will.
—Justice William O. Douglas, Osborn v. United States1
It is difficult to imagine information more personal or more private than a person’s genetic makeup.
—Senator Edward Kennedy 2
Personal privacy is highly valued in most modern democratic societies, although there is a broad spectrum in the ways in which privacy is interpreted and protected among different countries. While generally thought of as simply the “right to be left alone,” the concept of privacy is highly complex, involving a number of overlapping personal interests. These include having control over our personal information and decision making and an ability to exclude others from our personal things and places. In the United States privacy protection has a long and complex history. Our government was founded on the principle that privacy—as well as related notions of dignity, due process, and liberty—serves as a check on the abuse of state power. These values are found not only in the Fourth Amendment’s prohibition of unreasonable searches and seizures but also in the Fifth Amendment’s guarantees of due process, equal protection, and freedom from self-incrimination, in the Sixth Amendment’s right to counsel, and in the Eighth Amendment’s ban on cruel and unusual punishment. At the same time, the Constitution does not explicitly mention the word “privacy,” and it is routinely debated whether a general right of privacy is guaranteed by the Constitution.
Today “privacy law” in the United States does not consist of a single statute but instead is a complex array of protections that are dispersed among multiple sources, including constitutions, statutes, regulations, and common law. Statutory privacy protections evolved in direct response to technological development. Anita Allen notes, “The word privacy scarcely existed in the law before 1890, when new technologies contributed to an explosion of interest in privacy among intellectuals and lawyers.” Specifically, developments in printing and photography sparked considerable concern that “privacy would be lost in a world of unchecked curiosity, gossip, and publicity.”3 These concerns prompted two lawyers, Samuel Warren and Louis Brandeis, to publish a highly influential Harvard Law Review article that outlined their concept for a new “right to privacy” and served as a pillar for virtually all U.S. law and policy in the realm of privacy that was to come.4 Over the next few decades notions of “privacy” and a “right to privacy” became fixtures of the legal apparatus as a number of state courts—many of them drawing directly from Warren and Brandeis’s work—began to recognize a common-law privacy right and state legislators began to pass privacy-protection legislation. By comparison, it was not until 1965 that the U.S. Supreme Court expressly recognized a constitutional right of privacy in the landmark decision Griswold v. Connecticut.5
The fragmentation and ambiguities of privacy law have rendered the rig
ht to privacy somewhat vulnerable to the ebb and flow of historical conditions. Perceived threats to our civil order, in particular, have resulted in weakening privacy, as well as other civil liberties protections. Until recently we were able to assume that listening devices would not be secretly planted in our homes or on our telephone lines without a court warrant. That expectation has shifted after 9/11 through the enactment of the 2002 Homeland Security Act. That law gives the executive branch powers to execute warrantless wiretaps that invade the privacy of people whom it judges are a high security risk. Under the Terrorist Surveillance Program the U.S. National Security Agency is authorized by executive order to monitor phone calls and other communications involving a party believed to be outside the United States, even if the recipient of the call is on American soil. The Protect America Act of 2007 (signed into law on August 5, 2007) amended the Foreign Intelligence Surveillance Act of 1978 to give congressional standing to warrantless federal wiretapping.
Just as the notion of “privacy” is rich in ambiguity, so too do notions of “genetic privacy” shift in different contexts. Although it is well established in law and policy that people’s expectation of privacy regarding their genome is not a frivolous concern, the standards for the way in which genetic privacy is treated vary widely from one context to the next. Broad public acknowledgment of the sensitivity, vastness, and potential misuses of genetic information ensured Congress’s ultimate passage of the Genetic Information and Nondiscrimination Act (GINA) in 2008. This act provides certain baseline protections to help ensure that employers and health insurance companies cannot request, have access to, and make decisions on the basis of information in a person’s genetic code. Similar and in some cases more comprehensive protections have been passed by most state legislatures.
Although the notion that an employer or insurance company should not have access to our genetic information has been codified as law, law enforcement’s authority to collect DNA has ballooned over the last decade. Most recently people merely arrested by federal authorities and in select states, whether ultimately convicted or not, have been having their DNA routinely collected and permanently retained. Also, as discussed in chapter 6, law-enforcement officials are increasingly collecting DNA from individuals surreptitiously, the presumption being that if a person has “abandoned” his or her DNA, they have the right to collect it, analyze it, and perhaps use it as evidence against that person, all without a search warrant or the person’s knowledge or consent. Protection of DNA information in the criminal justice context appears to be operating under a different set of principles than that of health or employment. Can we retain an expectation of privacy in our DNA in health and employment contexts and lose that expectation when our DNA becomes an object of interest in the criminal justice community? If we are moving toward a double standard of privacy, one for medicine and another for forensics, we should know why, whether, and under what circumstances it is justifiable.
This chapter considers these and other questions about our privacy interests in our DNA. We begin with a discussion of what is so private about our DNA, including an analysis of the often-heard debate between civil libertarians and law enforcement over whether DNA is different from a fingerprint. We then discuss the role of the Fourth Amendment in protecting our privacy in our DNA. We trace the direction of the law in this area and identify some of the important questions that are likely to be addressed in the coming decade. Finally, we conclude with a discussion of the particular hurdles for privacy advocates in protecting our genetic information in the law-enforcement context.
Genetic Privacy
The history and meaning of “genetic privacy” are in many ways parallel to those of “privacy” more generally. Just as the quest for privacy arose out of technological innovation at the turn of the nineteenth century, so too did concerns about “genetic privacy” stem from scientific and technological development—in this case the rise of molecular biology and computer science. A proliferation of DNA data banking and an increasing ability to extract information from DNA encouraged a shift in medical and behavioral research to focus more on genetic factors. Tissue repositories, such as newborns’ blood spots, that had been initially established back in the 1960s became gold mines of genetic information as genetic techniques evolved during the last decade of the twentieth century. The completion of the draft human genome sequence in 2000 brought questions of genetic privacy front and center as biotechnology companies sought to stake claims on genetic resources through the patenting of human genes and further proliferation of privately held DNA data banks.
What is our privacy interest in our DNA? Privacy experts generally distinguish four privacy concerns pertaining to DNA. First, there is physical privacy or bodily privacy. This comes into play at the point of DNA collection, whether it occurs for purposes of genetic testing, medical research, or criminal investigation. DNA can be collected by taking blood, either by a pinprick of the finger or a venal draw. The collection of blood is generally viewed as a highly intrusive process in the medical or research arena, where genetic information generally cannot be collected without the informed consent of the individual providing the sample. In the law-enforcement context DNA collection can occur voluntarily, forcibly, or surreptitiously. Surreptitious collection does not trigger physical privacy per se, since the DNA is collected off objects that are no longer on the person. When DNA was first introduced into forensic evidence around 1986, blood samples were the main source. More recently, in the law-enforcement context, DNA has been collected through use of a buccal swab. This method of collection is generally considered less intrusive than methods that involve the taking of blood.
Second, genetic privacy refers to informational privacy. Information contained within our genome is considered highly sensitive because it can reveal a vast amount of information about us. The organization JUSTICE has described genetic information as “the most intimate medical data an individual may possess.”6 Genetic testing is currently available for over 1,700 diseases and abnormalities, with about 1,400 available in clinical settings, and this number continues to increase every year (see figure 14.1).7
Some genetic polymorphisms correlate directly with disease states, providing information about an individual’s current health status. But others are predictive—they correlate with a statistical predisposition to disease of familial disease patterns, providing information about the possibility that an individual may develop a disease over the course of his or her lifetime (see box 14.1). The fact that DNA contains information about an individual’s future health risks is the primary reason why some health law experts believe that DNA information is uniquely sensitive. George Annas has analogized DNA information to “a probabilistic, coded ‘future diary.’ . . . As the code is broken, DNA reveals information about an individual’s probable risks of suffering from specific medical conditions in the future.”8
In addition to providing medical information, genetic tests may reveal environmental and drug sensitivities as the field of pharmacogenetics advances. DNA sequence information may also contain information about behavioral traits, such as a propensity to violence or substance addiction, criminal tendencies, or sexual orientation.
Of course, our genetic status does not determine our medical future or our behavioral traits. That this information is probabilistic, not deterministic, makes the prospects that it might be released to third parties particularly dangerous. Concerns that this information could be used to discriminate against individuals seeking insurance and employment or to stigmatize individuals and families abound. There is some basis to this concern: in the 1970s several insurance companies and employers discriminated against individuals who were sickle-cell carriers, even though they would never develop the disease.9 More recently a lawsuit filed by the U.S. Equal Employment Opportunity Commission (EEOC) against the Burlington Northern Santa Fe Railway Company revealed that the company was conducting genetic testing of its employees who had filed claims for work-related inj
uries based on carpal tunnel syndrome without their knowledge or consent. The company was asking those employees to provide a blood sample that was then tested for a rare genetic condition that had been associated with an increased risk of developing carpal tunnel syndrome. At least one worker was threatened with possible termination for failing to submit to a blood test. The case was settled quickly, with the company agreeing to all of the terms sought by the EEOC.10
FIGURE 14.1. Growth of genetic testing, 1993–2008. Source: GeneTests database (2008), www.genetests.org. Copyright University of Washington, Seattle.
BOX 14.1 James Watson’s Genetic Privacy
At age 79 Nobel laureate James Watson donated his DNA for sequencing and eventual public access to the 3 billion base pairs that made up his genetic code. The codiscoverer of the chemical and physical structure of DNA had one restriction. Watson expressed his expectation of privacy regarding one segment of his genome, which he believed might reveal whether he has a predisposition to Alzheimer’s disease. One of his grandmothers contracted Alzheimer’s, and Watson figures that his chances are about one in four. The relevant sequence, Watson stated, should be kept secret from others and from himself.
Source: D. R. Nyholt, Chang-En Yu, and P. M. Visscher, “On Jim Watson’s APOE Status: Genetic Information Is Hard to Hide” [letter], European Journal of Human Genetics 17 (2009): 147–149.
What is perhaps unique about genetic information is that it both links us to and distinguishes us from all other human beings. As we discussed in chapter 1, our genetic code is thought to be unique—no two individuals, save perhaps identical twins, have the same DNA. At the same time, our genetic code is shared; it is part of our common heritage, passed on from one generation to the next. In this sense our precise genetic code is unique to each of us, but much of the information it reveals is likely to be shared by our relatives or entire groups of people. For example, if a woman undergoes genetic testing for BRCA1 and BRCA2, the two genes that have been associated with hereditary forms of breast and ovarian cancer, the results of this test have implications not only for that individual woman but for all her close relatives.
Genetic Justice Page 28