A Global Network of DNA Databanks

October 12, 2018

The United States is not the lone country captivated by the promise of familial DNA matching through government databanks and commercial ancestry websites. The idea has transfixed police and anti-terrorism agencies around the world.  

A global consensus, however, is forming around balancing the needs of the individual while providing appropriate safeguards around law enforcement’s access to and collection and sharing of DNA information from commercial and government databanks within and across borders. 

“I think a majority of individuals around the world value both personal and group privacy and public safety and don’t see them as zero-sum,” says Edward S. Dove, a lecturer in risk and regulation at the University of Edinburgh School of Law. “Neither privacy nor safety are absolute values — both are subject to exceptions, and depending on the society, both values are calibrated to different levels to reflect that society’s culture.”  

The first government DNA database was set up by the United Kingdom in 1995, followed quickly by New Zealand and France. Today, some 60 countries operate national DNA databases worldwide, and another 34 countries are expanding or establishing databanks, according to the GeneWatch, an international nonprofit advocacy group working to protect genetic information. Interpol, the international police-collaboration agency, operates the DNA Gateway and G8/Interpol Search Request Network that contain DNA profiles shared by 49 countries. 

Moreover, most of the large U.S. commercial ancestry sites, such as Ancestry and 23andMe, have operations that extend around the globe and compete with hundreds of local commercial DNA databanks in countries from Germany to Brazil.  

Nowhere are the rules governing access to DNA more stringent than in Europe where protection of personal data is a fundamental human right in European Union law, delineated under Articles 7 and 8 of the EU Charter of Fundamental Rights. Those shields were fortified in May 2018 when the EU’s General Data Protection Regulation (GDPR) took effect.  

“Under the GDPR, companies processing personal information, and certainly anything in this special category of data, are required to disclose how they’re using information and who they’re sharing it with,” says Donna McPartland, counsel in the privacy, cybersecurity, and data protection group at Arent Fox LLP. “Whereas in the United States, that isn’t a requirement. In the EU, you also have to get specific consent from people to share their information.”  

The GDPR, combined with the EU’s Law Enforcement Directive, ensures strict data protection for individuals in the government and commercial sectors, putting measures in place that aim to both respect citizens’ private lives and also give police the tools to properly investigate and solve crimes. 

The United Nations Special Rapporteur on the right to privacy has noted that DNA databases can raise human rights concerns, including “potential misuse for government surveillance, including identification of relatives and non-paternity, and the risk of miscarriages of justice.” Collection of DNA without the subject’s full informed consent can only be justified in limited circumstances, such as for serious crimes and when prescribed by law.  

Those concerns have gained traction in places like China, which is seeking to collect 100 million DNA records for its national database by 2020. Human rights activists say the government is indiscriminately gathering samples, absent any arrest or conviction. 

The possibilities of overreach are significant, say privacy experts. In October 2017, Kuwait’s Constitutional Court struck down its 2015 DNA law deemed far too broad. It required that all citizens, residents, and visitors provide DNA samples to authorities. Kuwait was the only country requiring compulsory DNA testing.