Ever since I signed up for a genealogy research site, it’s been sending me emails flogging its DNA analysis kit.

But there’s no way I will do a DNA ancestry test. Nor the ones offering medical risk analysis or revealing how Neanderthal I am.

I’ve written about this issue before. But the arrival of a major Christmas marketing push for these tests irritated me into posting on Twitter this week, warning people to avoid them.

To my surprise, that tweet has become one of my most retweeted ever. It struck a nerve with many people, while also sparking some scepticism. Replies in favour of DNA kits typically stated that the companies offering such tests have fail-safe privacy and security policies.

Some highlighted that if DNA information was sold to researchers, it would be a good thing that would benefit humanity. Others added that we have little to worry about in Europe because GDPR shields us.

This is mostly wrong, and myopic.

For comparison, consider all the continuing alarms over social media and search sites. Sure, a decade ago a platform to connect up and share posts and pictures with friends (back before they became “Friends”), or a site for “free” web searches, seemed innocent and fun, too.

Fast-forward and we have the executives of such companies being grilled by national legislatures in multiple countries about data protection and privacy lapses (setting aside actual threats to democracy).

We can also conclude from the same that while GDPR has imposed needed data privacy safeguards, it isn’t surefire protection, especially when data (as it does) moves outside the EU. And creating regulations isn’t the same as guaranteeing compliance, especially when companies are themselves sometimes unsure of how to comply, or are actively seeking ways to duck compliance. Or are just ignoring GDPR.

Digital Rights Ireland director Antoin O Lachtnain says that when it comes to DNA, GDPR “provides legal protections. But the problem is that those protections may not be practically effective.”

Valuable DNA

Let’s be clear: DNA companies offer you cheap DNA analysis not because they want to help you find your ancestors and living relatives, or your precise ethnicity, or your possible risk for developing various medical conditions, but for the same reasons Google offers you free searches, or Facebook a free social media universe. Once you opt in to sharing your data, you are the product.

Or in this case, your incredibly revealing, valuable DNA, which most DNA test companies sell on to a variety of undisclosed third parties, private companies with no obligation to reveal what they do with those databases.

How valuable is your DNA? Well, pharma company GlaxoSmithKline signed a $300 million deal with DNA test company 23andme this year, for access to those databases. A medtech company owned by Alphabet, the parent company of Google, has a major deal to get DNA data from ancestry.com.

And, of course, we had the announcement this week of a project from a new company, Genomics Medicine Ireland, to gather DNA from 400,000 people in Ireland to research new medical treatments. Announcements tended to focus on the 600 proposed jobs the company would bring, not on the private acquisition of DNA from a significant proportion of the Irish population.

Such research has created ongoing controversy in Iceland over its ethics and the notion of “presumed consent” for the company, DeCode, that was acquired by Amgen, and is also involved with the Genomics Medicine Ireland project.

The availability of consumer DNA databases for private research for profit concerns many medical ethicists and researchers. Last summer the New England Journal of Medicine called for more oversight, stating: “Our current regulatory approach to privacy in direct-to-consumer genealogic testing has permitted the creation of a Wild West environment.”

While DNA analysis companies state they protect and anonymise DNA, researchers showed years ago that it is not difficult to reconnect an individual to a DNA sample.

Hacking concerns

Your DNA is also vulnerable in many other ways. DNA databases are vulnerable to hacking, of course (until last summer, 23andme was providing third parties access to its DNA databases through … an app interface).

And those private company terms of agreement don’t mean much. They can be changed by a company at any time, and past terms become void when a company is sold. Law enforcement may also make undisclosed requests for your data.

And the entire sector is poorly regulated, especially with regard to how your stored data might be used in the future, in what O Lachtnain calls “the grey area between ‘research’ and ‘profiling’.”

DNA results might be used for denial of health insurance coverage, for example.

And although some companies – including ancestry.com and 23andme – say you can delete your DNA at any time, the process is difficult and is actually impossible if you agreed to allow your data to be used for medical research.

That’s why I will say it again. Don’t do DNA testing. Don’t buy kits as presents.

Just don’t.